Added encryption_mode field to secrets supporting "standard" (server-side) and "lockbox" (client-side E2E) modes. Updated API to validate lockbox format (lockbox:v1:salt:ciphertext). Enhanced UI to display lock icons and badges for lockbox secrets. Lockbox secrets show locked state in web UI, requiring CLI/SDK for decryption.
Implemented master key migration to re-encrypt vault DEKs when the master key changes. Added support for migrating single repositories or instance-wide. Implemented DEK rotation for Enterprise licenses to periodically rotate data encryption keys. Added new UI templates and API endpoints for key management operations with comprehensive error handling.
Add master key configuration check and display placeholder message when vault is not configured. Populate secret and user names in audit entries for better readability. Support never-expiring tokens by allowing "0" or empty TTL values.
- Add new compare endpoint and template for viewing diffs between secret versions
- Display creator information (name and avatar) for each version
- Add locale strings for comparison UI, type filters, and view modes
- Enhance permission checks to include owner and access mode validation
- Add non-database fields to SecretVersion model for UI display
Updates all imports and go.mod to use the new /v3 suffixed module path
for proper Go semantic versioning compliance.
Also updates CI workflows to use version tags (v3.x.x) instead of
pseudo-versions now that the server module has the proper /v3 suffix.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
