feat(secrets): Fernet encrypt/decrypt helper for DB-stored operator secrets

decnet/web/db/secrets.py

@@ -0,0 +1,43 @@
+"""Symmetric encryption helper for operator secrets stored in the DB.
+
+``DECNET_SECRET_KEY`` must be a URL-safe base64-encoded 32-byte Fernet key
+(generate once with ``python -m decnet.web.db.secrets``).  The env var is
+read lazily — at the call site of ``encrypt_secret``/``decrypt_secret`` —
+so processes that never touch encrypted columns start up without it.
+
+Fail-closed: a missing or malformed key raises ``RuntimeError`` before any
+plaintext is encrypted or any ciphertext is decrypted.
+"""
+from __future__ import annotations
+
+import os
+
+from cryptography.fernet import Fernet, InvalidToken
+
+
+def _load_key() -> bytes:
+    key = os.environ.get("DECNET_SECRET_KEY", "")
+    if not key:
+        raise RuntimeError(
+            "DECNET_SECRET_KEY is not set — cannot encrypt/decrypt secrets. "
+            "Generate a key with: python -c \"from cryptography.fernet import Fernet; "
+            "print(Fernet.generate_key().decode())\""
+        )
+    return key.encode()
+
+
+def encrypt_secret(plaintext: str) -> str:
+    """Return a Fernet ciphertext token for *plaintext*."""
+    return Fernet(_load_key()).encrypt(plaintext.encode()).decode()
+
+
+def decrypt_secret(ciphertext: str) -> str:
+    """Decrypt a Fernet ciphertext token; raises ``InvalidToken`` if tampered."""
+    try:
+        return Fernet(_load_key()).decrypt(ciphertext.encode()).decode()
+    except InvalidToken:
+        raise
+
+
+if __name__ == "__main__":
+    print(Fernet.generate_key().decode())