Credentials and encryption
Upstream OAuth tokens and similar secrets are protected with AES-GCM helpers in server/utils/crypto.ts. A long random encryption key must be configured for the deployment; it is supplied using the same pattern as other Nuxt server secrets (see Runtime configuration).
Proxy keys are stored as hashes. Losing a proxy key means stored credentials may need to be reconnected through the dashboard because decryption material is gone.
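The following is an added example, not the project's code in server/utils/crypto.ts. It illustrates how hash-only proxy key storage and AES-GCM token encryption fit together, and why a lost proxy key leaves stored credentials undecryptable. The HKDF derivation from proxy key plus deployment key, the iv|tag|ciphertext layout, and all function names are assumptions made for this illustration.

```typescript
// Added example; function names, key derivation and blob layout are assumptions.
import {
  createCipheriv, createDecipheriv, createHash,
  hkdfSync, randomBytes, timingSafeEqual,
} from "node:crypto";

// Assumption: proxy keys are high-entropy random strings, so only a SHA-256 digest is stored.
function hashProxyKey(proxyKey: string): string {
  return createHash("sha256").update(proxyKey, "utf8").digest("hex");
}

function verifyProxyKey(proxyKey: string, storedHash: string): boolean {
  const a = Buffer.from(hashProxyKey(proxyKey), "hex");
  const b = Buffer.from(storedHash, "hex");
  return a.length === b.length && timingSafeEqual(a, b);
}

// Assumed derivation: HKDF over the proxy key, salted with the deployment key.
// The stored hash cannot stand in for the proxy key here.
function deriveKey(proxyKey: string, deploymentKey: Buffer): Buffer {
  const okm = hkdfSync("sha256", Buffer.from(proxyKey, "utf8"), deploymentKey, "upstream-token-v1", 32);
  return Buffer.from(okm);
}

function sealToken(token: string, proxyKey: string, deploymentKey: Buffer): string {
  const iv = randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = createCipheriv("aes-256-gcm", deriveKey(proxyKey, deploymentKey), iv);
  const ct = Buffer.concat([cipher.update(token, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

function openToken(sealed: string, proxyKey: string, deploymentKey: Buffer): string | null {
  const raw = Buffer.from(sealed, "base64");
  if (raw.length < 28) return null; // too short to hold a 12-byte iv and 16-byte tag
  const decipher = createDecipheriv("aes-256-gcm", deriveKey(proxyKey, deploymentKey), raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  try {
    return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString("utf8");
  } catch {
    return null; // GCM tag mismatch: wrong key material or modified ciphertext
  }
}

// Constructed sample values, for illustration only.
const demoDeploymentKey = randomBytes(32);
const demoSealed = sealToken("constructed-upstream-token", "pk_constructed_123", demoDeploymentKey);
console.log(openToken(demoSealed, "pk_constructed_123", demoDeploymentKey));
console.log(openToken(demoSealed, hashProxyKey("pk_constructed_123"), demoDeploymentKey));
```

With only the stored hash available, `openToken` returns `null`, which is the situation in which credentials have to be reconnected through the dashboard.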
Dashboard-only endpoints (including MCP mock calls) rely on session cookies and optional MFA—they must not be exposed as unauthenticated MCP entrypoints.
Audit and policy diagnostics truncate or redact sensitive tool-argument fields where maskToolArgs applies.