Added encryption_mode field to secrets supporting "standard" (server-side) and "lockbox" (client-side E2E) modes. Updated API to validate lockbox format (lockbox:v1:salt:ciphertext). Enhanced UI to display lock icons and badges for lockbox secrets. Lockbox secrets show locked state in web UI, requiring CLI/SDK for decryption.
Implemented master key migration to re-encrypt vault DEKs when the master key changes. Added support for migrating single repositories or instance-wide. Implemented DEK rotation for Enterprise licenses to periodically rotate data encryption keys. Added new UI templates and API endpoints for key management operations with comprehensive error handling.
Add GET /token/info API endpoint for vault token introspection. Allows clients to validate tokens and retrieve scope, permissions, and expiration info. Implement GetTokenInfo service method that validates tokens without checking specific permissions.
Add license limit enforcement when creating secrets and tokens. Pass license limits to service layer and return appropriate errors when tier limits are exceeded. Handle limit errors in both API and web routes with proper error messages prompting users to upgrade.
Add master key configuration check and display placeholder message when vault is not configured. Populate secret and user names in audit entries for better readability. Support never-expiring tokens by allowing "0" or empty TTL values.
Module path is now git.marketally.com/gitcaddy/gitcaddy-vault
to match the actual repository name.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Updates all imports and go.mod to use the new /v3 suffixed module path
for proper Go semantic versioning compliance.
Also updates CI workflows to use version tags (v3.x.x) instead of
pseudo-versions now that the server module has the proper /v3 suffix.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
