April 18, 2026
Vault fixes and cleanup for stability
Login no longer silently reinitializes the vault when the stored DEK is absent, preventing an outage path that orphaned encrypted provider API keys. The auto-reinit path is now only for uninitialized vaults and stamps vault_config.reinitialized_at to warn the UI about unrecoverable data.
The provider_db_service no longer aborts the entire provider list when one row’s API key fails to decrypt; failures are now surfaced as decrypt_failed=True on the offending provider, displaying a warning badge.
Fernet fallback and the raw-bytes BLOB path in _unseal_api_key have been removed, standardizing on AES-GCM only.
The vault_config DDL is now directly in schema.sql, and existing databases receive a reinitialized_at backfill using an idempotent mechanism in database_service.
Numerous banned unit-style tests relying on hard-coded DDL or mocking have been deleted across several test files.
These were replaced with 6 feature tests in test_vault_fix.py, using a real Flask client, a real SQLite database built from schema.sql, and a real VaultService, with zero mocks.
Several dead folders were removed, including wrappers, listeners, config duplicates, and empty test/prompt directories.
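The login guard and the idempotent reinitialized_at backfill described above, sketched as an added example (not the project's own code). The single-row table layout, the wrapped_dek column, and all function names are assumptions; only vault_config and reinitialized_at come from this changelog.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed pre-upgrade schema (assumption): vault_config lacks reinitialized_at.
OLD_DDL = "CREATE TABLE vault_config (id INTEGER PRIMARY KEY CHECK (id = 1), wrapped_dek BLOB)"


class VaultKeyMissing(Exception):
    """Vault was initialized but its DEK is absent: fail closed."""


def backfill_reinitialized_at(db):
    """Add the column only if missing, so running it on every startup is safe."""
    columns = {row[1] for row in db.execute("PRAGMA table_info(vault_config)")}
    if "reinitialized_at" in columns:
        return False
    db.execute("ALTER TABLE vault_config ADD COLUMN reinitialized_at TEXT")
    db.commit()
    return True


def vault_state_on_login(db, make_wrapped_dek):
    """Return 'ready' or 'initialized'; raise instead of replacing a lost DEK."""
    row = db.execute("SELECT wrapped_dek FROM vault_config WHERE id = 1").fetchone()
    if row is None:
        # Uninitialized vault: the only case where a fresh DEK may be created.
        stamp = datetime.now(timezone.utc).isoformat()
        db.execute("INSERT INTO vault_config (id, wrapped_dek, reinitialized_at) "
                   "VALUES (1, ?, ?)", (make_wrapped_dek(), stamp))
        db.commit()
        return "initialized"
    if row[0] is None:
        # A new DEK here would orphan every key sealed under the old one.
        raise VaultKeyMissing("stored DEK is absent; refusing to reinitialize")
    return "ready"


def demo():
    db = sqlite3.connect(":memory:")
    db.execute(OLD_DDL)
    results = [backfill_reinitialized_at(db), backfill_reinitialized_at(db)]
    results.append(vault_state_on_login(db, lambda: b"constructed-wrapped-dek"))
    results.append(vault_state_on_login(db, lambda: b"unused"))
    db.execute("UPDATE vault_config SET wrapped_dek = NULL WHERE id = 1")  # simulate DEK loss
    try:
        vault_state_on_login(db, lambda: b"would-orphan-keys")
    except VaultKeyMissing:
        results.append("refused")
    return results
```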
- Killed silent vault auto-init on missing DEK.
- Provider list survives single decryption failures by flagging individual rows.
- AES-GCM is enforced, removing Fernet fallback and raw-bytes BLOB path.
- Vault config DDL moved to schema.sql with idempotent backfill for existing DBs.
- Deleted banned unit tests in favor of 6 feature tests using real services.
- Removed several stale and empty backend directories.