Automate field-level encryption key rotation for profiles table

[temma02]

Description

rotateProfileEncryptedColumns in key-rotation.ts is implemented but never called. There is no scheduled job or admin endpoint to trigger rotation. Stale encryption keys increase the blast radius of a key compromise.

Requirements and context

• Must be secure, tested, and documented where applicable
• Should stay reviewable and fit the current monorepo structure
• Relevant files: apps/backend/src/lib/crypto/key-rotation.ts, apps/backend/src/lib/crypto/field-encryption.ts, apps/backend/src/app/api/cron/purge-expired-tokens/route.ts

Suggested execution

• Create branch: issue-017-automate-encryption-key-rotation
• Keep changes scoped to the issue and reference the task IDs in the PR

Implement changes

• Create apps/backend/src/app/api/cron/rotate-encryption-keys/route.ts
• Call rotateProfileEncryptedColumns with the new key from env
• Guard the route with the existing CRON_SECRET auth pattern
• Register in vercel.json crons (weekly schedule)

Test and commit

• Add route tests: successful rotation, missing new key env var, partial failure
• Verify re-encrypted values can be decrypted with the new key
• Security note: old key must remain available until all rows are re-encrypted

Example commit message

feat(cron): add weekly encryption key rotation job

Guidelines

• Prefer small, reviewable PRs
• Keep naming and data contracts consistent with the spec docs

[wolfyres]

@wolfyres has applied to work on this issue as part of the Stellar Wave Program's 4th wave.

Hello maintainer, I’d like to take on this issue ASAP.

I've had solid experience resolving similar issues with great feedbacks.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @wolfyres to this issue.

[drips-wave]

Congratulations, @wolfyres! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on April 29, 2026.

🧑‍💻 @wolfyres: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊