chore: sync prod state to master — vault, custom domains, magic links, kaniko, dpop, rbac

.gitignore

@@ -4,3 +4,4 @@ GeoLite2-*.mmdb
 .env
 .env.*
 !.env.example
+node_modules

e2e/fixtures/hello-app/Dockerfile

@@ -0,0 +1,13 @@
+# Minimal hello-world image for deploy E2E test.
+#
+# We use busybox httpd for three reasons:
+#   1. Smallest possible image (~1MB vs ~5MB alpine vs ~300MB Go) — fastest pull on local k3s
+#   2. No build step (unlike a Go binary) — fastest build on slow buildkit / kaniko
+#   3. Most reliable: busybox httpd has zero deps, runs as PID 1, handles SIGTERM cleanly
+#
+# Listens on 8080 so the deploy E2E can pass port=8080 and verify that the
+# container port is correctly wired through to the public URL.
+FROM busybox:1.36
+COPY index.html /index.html
+EXPOSE 8080
+CMD ["httpd", "-f", "-p", "8080", "-h", "/"]

e2e/fixtures/hello-app/index.html

@@ -0,0 +1,8 @@
+<!doctype html>
+<html lang="en">
+<head><meta charset="utf-8"><title>instanode hello</title></head>
+<body>
+<h1>hello from instanode</h1>
+<p>This page is served by the deploy E2E fixture (busybox httpd) at port 8080.</p>
+</body>
+</html>

e2e/helpers_test.go

@@ -48,6 +48,15 @@ func TestMain(m *testing.M) {
 	os.Exit(m.Run())
 }
 
+// e2eTestToken returns the shared secret used to override the production
+// fingerprint middleware's source-IP selection (see middleware/fingerprint.go).
+// When E2E_TEST_TOKEN is set on both the cluster (env) and the test runner,
+// the test runner's X-Forwarded-For is honored as the leftmost entry,
+// restoring per-test fingerprint isolation against the live cluster.
+func e2eTestToken() string {
+	return os.Getenv("E2E_TEST_TOKEN")
+}
+
 // ipSeq is an atomic counter incremented per uniqueSubnet/uniqueIP call.
 // It guarantees distinct /24 subnets within a single binary run.
 var ipSeq atomic.Int64
@@ -114,6 +123,15 @@ func getNoRedirect(t *testing.T, path string, headers ...string) *http.Response
 	for i := 0; i+1 < len(headers); i += 2 {
 		req.Header.Set(headers[i], headers[i+1])
 	}
+	if tok := e2eTestToken(); tok != "" && req.Header.Get("X-E2E-Test-Token") == "" {
+		req.Header.Set("X-E2E-Test-Token", tok)
+		// Mirror X-Forwarded-For onto X-E2E-Source-IP because ingress-nginx
+		// overwrites XFF by default. The bypass middleware reads X-E2E-Source-IP
+		// when the trust token is valid, so the test's chosen IP survives.
+		if xff := req.Header.Get("X-Forwarded-For"); xff != "" && req.Header.Get("X-E2E-Source-IP") == "" {
+			req.Header.Set("X-E2E-Source-IP", xff)
+		}
+	}
 	resp, err := noRedirectClient.Do(req)
 	if err != nil {
 		t.Fatalf("getNoRedirect %s: %v", path, err)
@@ -131,6 +149,15 @@ func get(t *testing.T, path string, headers ...string) *http.Response {
 	for i := 0; i+1 < len(headers); i += 2 {
 		req.Header.Set(headers[i], headers[i+1])
 	}
+	if tok := e2eTestToken(); tok != "" && req.Header.Get("X-E2E-Test-Token") == "" {
+		req.Header.Set("X-E2E-Test-Token", tok)
+		// Mirror X-Forwarded-For onto X-E2E-Source-IP because ingress-nginx
+		// overwrites XFF by default. The bypass middleware reads X-E2E-Source-IP
+		// when the trust token is valid, so the test's chosen IP survives.
+		if xff := req.Header.Get("X-Forwarded-For"); xff != "" && req.Header.Get("X-E2E-Source-IP") == "" {
+			req.Header.Set("X-E2E-Source-IP", xff)
+		}
+	}
 	resp, err := client.Do(req)
 	if err != nil {
 		t.Fatalf("get %s: %v", path, err)
@@ -163,6 +190,15 @@ func postCtx(t *testing.T, ctx context.Context, path string, body any, headers .
 	for i := 0; i+1 < len(headers); i += 2 {
 		req.Header.Set(headers[i], headers[i+1])
 	}
+	if tok := e2eTestToken(); tok != "" && req.Header.Get("X-E2E-Test-Token") == "" {
+		req.Header.Set("X-E2E-Test-Token", tok)
+		// Mirror X-Forwarded-For onto X-E2E-Source-IP because ingress-nginx
+		// overwrites XFF by default. The bypass middleware reads X-E2E-Source-IP
+		// when the trust token is valid, so the test's chosen IP survives.
+		if xff := req.Header.Get("X-Forwarded-For"); xff != "" && req.Header.Get("X-E2E-Source-IP") == "" {
+			req.Header.Set("X-E2E-Source-IP", xff)
+		}
+	}
 	resp, err := client.Do(req)
 	if err != nil {
 		if errors.Is(ctx.Err(), context.DeadlineExceeded) {

e2e/merged_surfaces_e2e_test.go

@@ -0,0 +1,146 @@
+//go:build e2e
+
+package e2e
+
+// merged_surfaces_e2e_test.go — Smoke tests covering the four-agent merge:
+//   Phase 1: Vault            (/api/v1/vault/...)
+//   Phase 2: Multi-env        (?env=staging on /db/new)
+//   Phase 3: Teams + RBAC     (/api/v1/teams/:id/invitations)
+//   Phase 5: MCP authz        (/.well-known/oauth-protected-resource)
+//
+// Each test is a 1-2 second probe of the new surface, designed to fail loudly
+// if the route is unmounted or returning the wrong status. They are NOT
+// exhaustive end-to-end exercises.
+
+import (
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/google/uuid"
+)
+
+// requestNoAuth issues an arbitrary-method request with no body and returns
+// the response. Used for asserting that protected routes return 401.
+func requestNoAuth(t *testing.T, method, path string) *http.Response {
+	t.Helper()
+	req, err := http.NewRequest(method, baseURL()+path, nil)
+	if err != nil {
+		t.Fatalf("NewRequest: %v", err)
+	}
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatalf("Do: %v", err)
+	}
+	return resp
+}
+
+// TestMerged_WellKnown_OAuthProtectedResource verifies the MCP authorization
+// metadata document is served at the canonical path.
+func TestMerged_WellKnown_OAuthProtectedResource(t *testing.T) {
+	resp := get(t, "/.well-known/oauth-protected-resource")
+	if resp.StatusCode != http.StatusOK {
+		t.Fatalf("want 200, got %d", resp.StatusCode)
+	}
+	var body struct {
+		Resource              string   `json:"resource"`
+		AuthorizationServers  []string `json:"authorization_servers"`
+		BearerMethodsSupported []string `json:"bearer_methods_supported"`
+	}
+	decodeJSON(t, resp, &body)
+	if body.Resource == "" {
+		t.Error("resource must be set")
+	}
+	if len(body.AuthorizationServers) == 0 {
+		t.Error("authorization_servers must be non-empty")
+	}
+	hasHeader := false
+	for _, m := range body.BearerMethodsSupported {
+		if m == "header" {
+			hasHeader = true
+		}
+	}
+	if !hasHeader {
+		t.Error("bearer_methods_supported must include \"header\"")
+	}
+}
+
+// TestMerged_Vault_RequiresAuth ensures vault routes are mounted and gated.
+func TestMerged_Vault_RequiresAuth(t *testing.T) {
+	cases := []struct{ method, path string }{
+		{"PUT", "/api/v1/vault/dev/RAZORPAY_KEY"},
+		{"GET", "/api/v1/vault/dev/RAZORPAY_KEY"},
+		{"GET", "/api/v1/vault/dev"},
+		{"DELETE", "/api/v1/vault/dev/RAZORPAY_KEY"},
+		{"POST", "/api/v1/vault/dev/RAZORPAY_KEY/rotate"},
+	}
+	for _, tc := range cases {
+		t.Run(tc.method+" "+tc.path, func(t *testing.T) {
+			resp := requestNoAuth(t, tc.method, tc.path)
+			if resp.StatusCode != http.StatusUnauthorized {
+				t.Errorf("want 401, got %d", resp.StatusCode)
+			}
+		})
+	}
+}
+
+// TestMerged_Teams_InvitationsRequireAuth ensures team invitation routes are
+// mounted and gated by auth (RBAC fires after auth).
+func TestMerged_Teams_InvitationsRequireAuth(t *testing.T) {
+	teamID := uuid.NewString()
+	cases := []struct{ method, path string }{
+		{"POST", "/api/v1/teams/" + teamID + "/invitations"},
+		{"GET", "/api/v1/teams/" + teamID + "/invitations"},
+		{"DELETE", "/api/v1/teams/" + teamID + "/invitations/" + uuid.NewString()},
+	}
+	for _, tc := range cases {
+		t.Run(tc.method+" "+tc.path, func(t *testing.T) {
+			resp := requestNoAuth(t, tc.method, tc.path)
+			if resp.StatusCode != http.StatusUnauthorized {
+				t.Errorf("want 401, got %d", resp.StatusCode)
+			}
+		})
+	}
+}
+
+// TestMerged_Teams_AcceptInvitation_PublicWith404 ensures the public accept
+// route is mounted, requires no auth, and rejects unknown tokens with 404.
+func TestMerged_Teams_AcceptInvitation_PublicWith404(t *testing.T) {
+	resp := post(t, "/api/v1/invitations/nonexistent_token/accept", map[string]any{})
+	// Route exists → 404 (token not found). Route missing → 404 from the router
+	// with a different body. We accept either 404 or 400 — anything else is bad.
+	if resp.StatusCode != http.StatusNotFound &&
+		resp.StatusCode != http.StatusBadRequest &&
+		resp.StatusCode != http.StatusGone {
+		t.Errorf("want 404/400/410, got %d", resp.StatusCode)
+	}
+}
+
+// TestMerged_MultiEnv_QueryParamAccepted verifies the API accepts ?env=staging
+// on a provision request without 400ing on the unknown query param. Anonymous
+// callers do not get an env-scoped response, but the request must not fail.
+func TestMerged_MultiEnv_QueryParamAccepted(t *testing.T) {
+	resp := post(t, "/db/new?env=staging", map[string]any{})
+	// Anonymous provisioning may return 200 (dedup) or 201 (fresh). Anything
+	// else (especially 400 "unknown query param") is a regression.
+	if resp.StatusCode != http.StatusCreated && resp.StatusCode != http.StatusOK {
+		body := readBody(t, resp)
+		t.Errorf("env query param rejected: %d %s", resp.StatusCode, body)
+	}
+}
+
+// TestMerged_OpenAPIIncludesVaultRoutes verifies the OpenAPI spec advertises
+// the new vault endpoints. Catches the "route shipped but spec not regenerated"
+// case so dashboard / SDK consumers know the surface exists.
+func TestMerged_OpenAPIIncludesVaultRoutes(t *testing.T) {
+	resp := get(t, "/openapi.json")
+	body := readBody(t, resp)
+	// Light grep: we don't parse the OpenAPI YAML, just verify the strings
+	// appear. The spec is hand-maintained in handlers/openapi.go.
+	wanted := []string{"/vault/", "oauth-protected-resource", "invitations"}
+	for _, w := range wanted {
+		if !strings.Contains(body, w) {
+			t.Logf("openapi.json missing %q (non-fatal — spec is hand-maintained)", w)
+		}
+	}
+}

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/golang-jwt/jwt/v4 v4.5.2
 	github.com/google/uuid v1.6.0
 	github.com/jackc/pgx/v5 v5.6.0
+	github.com/lestrrat-go/jwx/v2 v2.1.6
 	github.com/lib/pq v1.10.9
 	github.com/minio/madmin-go/v3 v3.0.110
 	github.com/oschwald/maxminddb-golang v1.13.0
@@ -42,6 +43,7 @@ require (
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
@@ -68,6 +70,11 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.3 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/httprc v1.0.6 // indirect
+	github.com/lestrrat-go/iter v1.0.2 // indirect
+	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
@@ -94,6 +101,7 @@ require (
 	github.com/rs/xid v1.6.0 // indirect
 	github.com/safchain/ethtool v0.5.10 // indirect
 	github.com/secure-io/sio-go v0.3.1 // indirect
+	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/shirou/gopsutil/v3 v3.24.5 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/spf13/pflag v1.0.9 // indirect

go.sum

@@ -20,6 +20,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
@@ -104,6 +106,18 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/lestrrat-go/blackmagic v1.0.3 h1:94HXkVLxkZO9vJI/w2u1T0DAoprShFd13xtnSINtDWs=
+github.com/lestrrat-go/blackmagic v1.0.3/go.mod h1:6AWFyKNNj0zEXQYfTMPfZrAXUWUfTIZ5ECEUEJaijtw=
+github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
+github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
+github.com/lestrrat-go/httprc v1.0.6 h1:qgmgIRhpvBqexMJjA/PmwSvhNk679oqD1RbovdCGW8k=
+github.com/lestrrat-go/httprc v1.0.6/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo=
+github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=
+github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=
+github.com/lestrrat-go/jwx/v2 v2.1.6 h1:hxM1gfDILk/l5ylers6BX/Eq1m/pnxe9NBwW6lVfecA=
+github.com/lestrrat-go/jwx/v2 v2.1.6/go.mod h1:Y722kU5r/8mV7fYDifjug0r8FK8mZdw0K0GpJw/l8pU=
+github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
+github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35 h1:PpXWgLPs+Fqr325bN2FD2ISlRRztXibcX6e8f5FR5Dc=
@@ -180,6 +194,8 @@ github.com/safchain/ethtool v0.5.10 h1:Im294gZtuf4pSGJRAOGKaASNi3wMeFaGaWuSaomed
 github.com/safchain/ethtool v0.5.10/go.mod h1:w9jh2Lx7YBR4UwzLkzCmWl85UY0W2uZdd7/DckVE5+c=
 github.com/secure-io/sio-go v0.3.1 h1:dNvY9awjabXTYGsTF1PiCySl9Ltofk9GA3VdWlo7rRc=
 github.com/secure-io/sio-go v0.3.1/go.mod h1:+xbkjDzPjwh4Axd07pRKSNriS9SCiYksWnZqdnfpQxs=
+github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
+github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
 github.com/shirou/gopsutil/v3 v3.24.5 h1:i0t8kL+kQTvpAYToeuiVk3TgDeKOFioZO3Ztz/iZ9pI=
 github.com/shirou/gopsutil/v3 v3.24.5/go.mod h1:bsoOS1aStSs9ErQ1WWfxllSeS1K5D+U30r2NfcubMVk=
 github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
@@ -193,7 +209,9 @@ github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/tinylib/msgp v1.2.5 h1:WeQg1whrXRFiZusidTQqzETkRpGjFjcIhW6uqWH09po=

internal/config/config.go

@@ -48,10 +48,11 @@ type Config struct {
 	R2BucketName             string // R2_BUCKET_NAME — shared R2 bucket name (default: instant-shared)
 	R2APIToken               string // R2_API_TOKEN — Cloudflare API token; if empty, R2 is not used
 	// MinIO S3-compatible storage (local dev backend for /storage/new)
-	MinioEndpoint     string // MINIO_ENDPOINT — host:port (e.g. minio.instant-data.svc.cluster.local:9000)
-	MinioRootUser     string // MINIO_ROOT_USER — admin access key
-	MinioRootPassword string // MINIO_ROOT_PASSWORD — admin secret key
-	MinioBucketName   string // MINIO_BUCKET_NAME — shared bucket (default: instant-shared)
+	MinioEndpoint       string // MINIO_ENDPOINT — host:port used internally for bucket/IAM admin (e.g. minio.instant-data.svc.cluster.local:9000)
+	MinioPublicEndpoint string // MINIO_PUBLIC_ENDPOINT — host:port returned to customers in connection_url/endpoint (e.g. s3.instanode.dev:9000). Empty = fall back to MinioEndpoint.
+	MinioRootUser       string // MINIO_ROOT_USER — admin access key
+	MinioRootPassword   string // MINIO_ROOT_PASSWORD — admin secret key
+	MinioBucketName     string // MINIO_BUCKET_NAME — shared bucket (default: instant-shared)
 	DeployDomain      string // DEPLOY_DOMAIN — base domain for container deployments (default: instant.dev)
 
 	// Compute provider for app hosting (Phase 6)
@@ -93,8 +94,8 @@ func Load() *Config {
 		DatabaseURL:              require("DATABASE_URL"),
 		CustomerDatabaseURL:      getenv("CUSTOMER_DATABASE_URL", ""),
 		RedisURL:                 getenv("REDIS_URL", "redis://localhost:6379"),
-		JWTSecret:                require("JWT_SECRET"),
-		AESKey:                   require("AES_KEY"),
+		JWTSecret:                strings.TrimSpace(require("JWT_SECRET")),
+		AESKey:                   strings.TrimSpace(require("AES_KEY")),
 		MaxMindLicenseKey:        os.Getenv("MAXMIND_LICENSE_KEY"),
 		GeoLite2DBPath:           getenv("GEOLITE2_DB_PATH", "./GeoLite2-City.mmdb"),
 		RazorpayKeyID:            os.Getenv("RAZORPAY_KEY_ID"),
@@ -129,6 +130,7 @@ func Load() *Config {
 	cfg.R2BucketName = getenv("R2_BUCKET_NAME", "instant-shared")
 	cfg.R2APIToken = os.Getenv("R2_API_TOKEN")
 	cfg.MinioEndpoint = os.Getenv("MINIO_ENDPOINT")
+	cfg.MinioPublicEndpoint = os.Getenv("MINIO_PUBLIC_ENDPOINT")
 	cfg.MinioRootUser = os.Getenv("MINIO_ROOT_USER")
 	cfg.MinioRootPassword = os.Getenv("MINIO_ROOT_PASSWORD")
 	cfg.MinioBucketName = getenv("MINIO_BUCKET_NAME", "instant-shared")
@@ -186,6 +188,7 @@ func logStartupConfig(cfg *Config) {
 		"r2_endpoint", cfg.R2Endpoint,
 		"r2_bucket_name", cfg.R2BucketName,
 		"minio_endpoint", cfg.MinioEndpoint,
+		"minio_public_endpoint", cfg.MinioPublicEndpoint,
 		"minio_bucket_name", cfg.MinioBucketName,
 		"deploy_domain", cfg.DeployDomain,
 		"compute_provider", cfg.ComputeProvider,

internal/db/migrations/008_vault.sql

@@ -0,0 +1,34 @@
+-- Migration: 008_vault
+-- Per-team encrypted secret storage.
+-- Secrets are versioned: writes always insert a new row. Reads return the latest version
+-- by default; specific historical versions are addressable via (team_id, env, key, version).
+-- Cross-team queries return zero rows: handlers map that to 404 (never 403) to avoid
+-- leaking existence of foreign secrets.
+
+CREATE TABLE IF NOT EXISTS vault_secrets (
+    id              UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    team_id         UUID NOT NULL REFERENCES teams(id) ON DELETE CASCADE,
+    env             TEXT NOT NULL DEFAULT 'production',
+    key             TEXT NOT NULL,
+    encrypted_value BYTEA NOT NULL,    -- AES-256-GCM(AES_KEY env var, plaintext, nonce)
+    version         INT NOT NULL DEFAULT 1,
+    created_by      UUID REFERENCES users(id) ON DELETE SET NULL,
+    created_at      TIMESTAMPTZ NOT NULL DEFAULT now(),
+    updated_at      TIMESTAMPTZ NOT NULL DEFAULT now(),
+    UNIQUE (team_id, env, key, version)
+);
+
+CREATE INDEX IF NOT EXISTS idx_vault_secrets_lookup ON vault_secrets (team_id, env, key);
+
+CREATE TABLE IF NOT EXISTS vault_audit_log (
+    id          BIGSERIAL PRIMARY KEY,
+    team_id     UUID NOT NULL,
+    user_id     UUID,
+    action      TEXT NOT NULL,             -- 'set' | 'get' | 'delete' | 'rotate' | 'list'
+    env         TEXT NOT NULL,
+    secret_key  TEXT NOT NULL,
+    ip          TEXT,
+    ts          TIMESTAMPTZ NOT NULL DEFAULT now()
+);
+
+CREATE INDEX IF NOT EXISTS idx_vault_audit_team_ts ON vault_audit_log (team_id, ts DESC);