chore: test ENCRYPTION_SALT_KEYS multi-key and two-step rotation

[Piccirello]

Problem

We're rotating ENCRYPTION_SALT_KEYS. The key list is consumed by two independent implementations — Django (MultiFernet) and the Node.js services (fernet-nodejs) — and the rotation rolls out across apps that cannot be guaranteed to redeploy at the same moment. Before rotating, we want automated proof that the multi-key contract and the staged rollout behave safely in both implementations.

Changes

Tests only — no production code changes.

• Python (posthog/helpers/tests/test_encrypted_fields.py): cover the multi-key ENCRYPTION_SALT_KEYS contract and the two-step rotation.
• Node.js (nodejs/src/cdp/utils/encryption-utils.test.ts): matching coverage for the same contract.

Both suites assert the shared contract and the rollout safety property:

• the first key encrypts; every key is tried for decryption;
• modelling the rollout as [old] → [old,new] → [new,old], within each step's mixed-version window every coexisting app can decrypt whatever any other app writes;
• a direct one-step jump ([old] → [new,old]) would break an un-upgraded [old]-only app — the negative case that justifies doing it in two steps.

How did you test this code?

I'm an agent (Claude Code). No manual testing — only the automated tests below, run locally and passing:

• hogli test posthog/helpers/tests/test_encrypted_fields.py::TestEncryptedFieldsMultiKey and ::TestEncryptionKeyRotationTwoStep
• hogli test nodejs/src/cdp/utils/encryption-utils.test.ts (14 passed)

Both new suites are database-free (SimpleTestCase / jest unit tests).

Automatic notifications

• Publish to changelog?
• Alert Sales and Marketing teams?

Docs update

Tests only; no docs impact.

🤖 Agent context

Authored with Claude Code (Opus). The work verifies the encryption-key-rotation behavior in both implementations independently, since they're separate codebases that must honor the same first-key-encrypts / try-all-keys-to-decrypt contract. The rollout is expressed as coexisting app states (parameterized in Python, it.each in Node) so the safety invariant is asserted directly rather than described.

Scope decision: a companion re-encryption management command (and its database-backed tests) was developed alongside these tests but is intentionally excluded from this PR by request — this PR is the self-contained behavior tests only. Agent-authored; requires human review.

[github-actions]

Test-only additions covering multi-key encryption and two-step key rotation — no production code touched, no risk of regressions.

[greptile-apps]

_{Reviews (1): Last reviewed commit: "chore: test ENCRYPTION_SALT_KEYS multi-k..." | Re-trigger Greptile}

[github-actions]

🎭 Playwright report · View test results →

⚠️ 2 flaky tests:

• create experiment via wizard, add metrics, and launch (chromium)
• Can delete a person (chromium)

These issues are not necessarily caused by your changes.
Annoyed by this comment? Help fix flakies and failures and it'll disappear!

[deployment-status-posthog]

Deploy status

Environment	Status	Deployed At	Workflow
dev	✅ Deployed	2026-06-01 23:56 UTC	Run
prod-us	✅ Deployed	2026-06-02 10:18 UTC	Run
prod-eu	✅ Deployed	2026-06-02 10:20 UTC	Run