feat(security): encrypt NotificationChannel.config secrets at rest

[TerrifiedBug]

Summary

• Add channel-secrets.ts service with per-type sensitive-field map (webhook: hmacSecret + headers; slack: webhookUrl; pagerduty: integrationKey; email: smtpPass)
• Encrypt sensitive sub-fields on createChannel and updateChannel (with rotation + PRESERVE_IF_ABSENT preservation)
• Decrypt in deliverToChannels dispatcher (both tracked + untracked paths) and testChannel
• Idempotent via v2: prefix detection — re-running encryption is a no-op
• One-shot backfill script: pnpm backfill:channel-secrets
• Drivers (webhook/slack/pagerduty/email) untouched; receive plaintext config as before

Closes the secret-encryption gap that persisted after the AlertWebhook → NotificationChannel migration (#197). Removes plaintext storage of webhook signing secrets, custom auth headers, PagerDuty routing keys, Slack webhook URLs (token in path), and SMTP passwords.

Out of scope

• Audit log redaction for these field names — filed as separate P1 follow-up. Pre-existing gap; encryption-at-rest still helps because audit log access is more privileged than DB read access.
• HKDF key cache — crypto.ts re-derives the key per encrypt/decrypt call. Hot-path concern for high-volume environments; out of scope for this change.

Test plan

• Unit: encrypt/decrypt round-trip per channel type (webhook with structured headers, slack, pagerduty, email)
• Unit: idempotency (no double-encrypt; decrypt is no-op on plaintext)
• Router: createChannel persists ciphertext; non-sensitive fields stay plaintext
• Router: updateChannel rotates secret to fresh ciphertext; preserves existing v2: ciphertext when input lacks the field
• Dispatcher: deliverToChannels decrypts before driver.deliver (both tracked and untracked paths)
• Router: testChannel decrypts before driver.test
• Type check + lint pass
• Manual smoke (after merge, in dev): create webhook channel via UI → DB row has v2: prefix on hmacSecret; trigger test delivery; update channel preserving secret
• Run pnpm backfill:channel-secrets against dev DB; re-run to confirm idempotent skip

Migration note

After merge, run the backfill script once against any environment with existing NotificationChannel rows to encrypt at-rest values. Idempotent — safe to re-run.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 95626947de

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Decrypt encrypted config fields before exposing edit config

Adding webhook.headers and slack.webhookUrl to the encrypted field map causes those values to be stored as v2: ciphertext, but listChannels still returns channel config values as-is for those keys. The UI edit flow reads them directly (formFromConfig) and then re-validates as URL/JSON-object on submit, so edited Slack channels and webhook channels with headers can fail updates unless users manually re-enter those values. This introduces a regression in the channel-edit workflow after encryption is enabled.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Replace prefix-only check for already-encrypted secrets

The isAlreadyEncrypted heuristic treats any string beginning with v2: as ciphertext, so legitimate plaintext secrets like v2:token are skipped during encryption and stored unencrypted. At delivery/test time, decryptChannelConfig attempts to decrypt those values and throws, which breaks channel test/delivery for affected configs. This should use a verifiable ciphertext format check (or explicit metadata) rather than a bare prefix test.

Useful? React with 👍 / 👎.