@wopr-network/platform-core 0.1.0

package/src/security/credential-vault/credential-repository.test.ts

@@ -0,0 +1,264 @@
+import type { PGlite } from "@electric-sql/pglite";
+import { afterAll, beforeAll, beforeEach, describe, expect, it } from "vitest";
+import type { PlatformDb } from "../../db/index.js";
+import { createTestDb, truncateAllTables } from "../../test/db.js";
+import type { InsertCredentialRow } from "./credential-repository.js";
+import { DrizzleCredentialRepository } from "./credential-repository.js";
+
+function makeRow(overrides: Partial<InsertCredentialRow> = {}): InsertCredentialRow {
+  return {
+    id: overrides.id ?? "cred-001",
+    provider: overrides.provider ?? "anthropic",
+    keyName: overrides.keyName ?? "Production Key",
+    encryptedValue: overrides.encryptedValue ?? "enc::cipher::abc123",
+    authType: overrides.authType ?? "header",
+    authHeader: overrides.authHeader ?? "x-api-key",
+    createdBy: overrides.createdBy ?? "admin-1",
+    ...overrides,
+  };
+}
+
+describe("DrizzleCredentialRepository", () => {
+  let pool: PGlite;
+  let db: PlatformDb;
+  let repo: DrizzleCredentialRepository;
+
+  beforeAll(async () => {
+    ({ db, pool } = await createTestDb());
+  });
+
+  afterAll(async () => {
+    await pool.close();
+  });
+
+  beforeEach(async () => {
+    await truncateAllTables(pool);
+    repo = new DrizzleCredentialRepository(db);
+  });
+
+  // --- CRUD: insert + getFullById ---
+
+  describe("insert + getFullById", () => {
+    it("inserts a credential and reads it back", async () => {
+      const row = makeRow();
+      await repo.insert(row);
+
+      const result = await repo.getFullById("cred-001");
+      expect(result).not.toBeNull();
+      expect(result?.id).toBe("cred-001");
+      expect(result?.provider).toBe("anthropic");
+      expect(result?.keyName).toBe("Production Key");
+      expect(result?.encryptedValue).toBe("enc::cipher::abc123");
+      expect(result?.authType).toBe("header");
+      expect(result?.authHeader).toBe("x-api-key");
+      expect(result?.isActive).toBe(true);
+      expect(result?.createdBy).toBe("admin-1");
+      expect(result?.createdAt).toMatch(/^\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}/);
+    });
+
+    it("returns null for non-existent ID", async () => {
+      const result = await repo.getFullById("no-such-id");
+      expect(result).toBeNull();
+    });
+  });
+
+  // --- getSummaryById ---
+
+  describe("getSummaryById", () => {
+    it("returns summary without encryptedValue", async () => {
+      await repo.insert(makeRow());
+      const summary = await repo.getSummaryById("cred-001");
+
+      expect(summary).not.toBeNull();
+      expect(summary?.id).toBe("cred-001");
+      expect(summary?.provider).toBe("anthropic");
+      expect(summary !== null && "encryptedValue" in summary).toBe(false);
+    });
+
+    it("returns null for non-existent ID", async () => {
+      expect(await repo.getSummaryById("missing")).toBeNull();
+    });
+  });
+
+  // --- list ---
+
+  describe("list", () => {
+    it("lists all credentials as summaries", async () => {
+      await repo.insert(makeRow({ id: "c1", provider: "anthropic" }));
+      await repo.insert(makeRow({ id: "c2", provider: "openai" }));
+
+      const all = await repo.list();
+      expect(all).toHaveLength(2);
+      for (const s of all) {
+        expect("encryptedValue" in s).toBe(false);
+      }
+    });
+
+    it("filters by provider", async () => {
+      await repo.insert(makeRow({ id: "c1", provider: "anthropic" }));
+      await repo.insert(makeRow({ id: "c2", provider: "openai" }));
+
+      const filtered = await repo.list("openai");
+      expect(filtered).toHaveLength(1);
+      expect(filtered[0].provider).toBe("openai");
+    });
+
+    it("returns empty array when no credentials exist", async () => {
+      expect(await repo.list()).toEqual([]);
+    });
+  });
+
+  // --- listActiveForProvider ---
+
+  describe("listActiveForProvider", () => {
+    it("returns only active credentials for a provider", async () => {
+      await repo.insert(makeRow({ id: "c1", provider: "anthropic" }));
+      await repo.insert(makeRow({ id: "c2", provider: "anthropic" }));
+      await repo.setActive("c2", false);
+
+      const active = await repo.listActiveForProvider("anthropic");
+      expect(active).toHaveLength(1);
+      expect(active[0].id).toBe("c1");
+      expect(active[0].encryptedValue).toBe("enc::cipher::abc123");
+    });
+
+    it("does not return credentials from other providers", async () => {
+      await repo.insert(makeRow({ id: "c1", provider: "anthropic" }));
+      await repo.insert(makeRow({ id: "c2", provider: "openai" }));
+
+      const active = await repo.listActiveForProvider("anthropic");
+      expect(active).toHaveLength(1);
+      expect(active[0].id).toBe("c1");
+    });
+  });
+
+  // --- Encryption-at-rest verification ---
+
+  describe("encryption-at-rest", () => {
+    it("stores encryptedValue verbatim (round-trip fidelity)", async () => {
+      const encryptedValue = "ENCRYPTED::v1::abc123xyz";
+      await repo.insert(makeRow({ id: "enc-test", encryptedValue }));
+
+      const result = await repo.getFullById("enc-test");
+      expect(result?.encryptedValue).toBe(encryptedValue);
+    });
+
+    it("updateEncryptedValue changes the stored ciphertext", async () => {
+      await repo.insert(makeRow({ id: "rot-test", encryptedValue: "cipher-v1" }));
+
+      const updated = await repo.updateEncryptedValue("rot-test", "cipher-v2");
+      expect(updated).toBe(true);
+
+      const row = await repo.getFullById("rot-test");
+      expect(row?.encryptedValue).toBe("cipher-v2");
+      expect(row?.rotatedAt).toMatch(/^\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}/);
+    });
+  });
+
+  // --- Provider isolation (closest analog to tenant isolation) ---
+
+  describe("provider/creator isolation", () => {
+    it("list() with provider filter isolates results", async () => {
+      await repo.insert(makeRow({ id: "a1", provider: "anthropic", createdBy: "admin-A" }));
+      await repo.insert(makeRow({ id: "o1", provider: "openai", createdBy: "admin-B" }));
+
+      const anthropicCreds = await repo.list("anthropic");
+      expect(anthropicCreds).toHaveLength(1);
+      expect(anthropicCreds[0].id).toBe("a1");
+
+      const openaiCreds = await repo.list("openai");
+      expect(openaiCreds).toHaveLength(1);
+      expect(openaiCreds[0].id).toBe("o1");
+    });
+
+    it("getFullById only returns exact ID match", async () => {
+      await repo.insert(makeRow({ id: "a1", provider: "anthropic" }));
+      await repo.insert(makeRow({ id: "o1", provider: "openai" }));
+
+      expect(await repo.getFullById("a1")).not.toBeNull();
+      expect(await repo.getFullById("o1")).not.toBeNull();
+      expect(await repo.getFullById("a2")).toBeNull();
+    });
+  });
+
+  // --- deleteById ---
+
+  describe("deleteById", () => {
+    it("deletes an existing credential and returns true", async () => {
+      await repo.insert(makeRow({ id: "del-1" }));
+      expect(await repo.deleteById("del-1")).toBe(true);
+      expect(await repo.getFullById("del-1")).toBeNull();
+    });
+
+    it("returns false for non-existent ID", async () => {
+      expect(await repo.deleteById("no-such")).toBe(false);
+    });
+  });
+
+  // --- setActive ---
+
+  describe("setActive", () => {
+    it("deactivates an active credential", async () => {
+      await repo.insert(makeRow({ id: "sa-1" }));
+      expect(await repo.setActive("sa-1", false)).toBe(true);
+
+      const row = await repo.getFullById("sa-1");
+      expect(row?.isActive).toBe(false);
+    });
+
+    it("reactivates a deactivated credential", async () => {
+      await repo.insert(makeRow({ id: "sa-2" }));
+      await repo.setActive("sa-2", false);
+      expect(await repo.setActive("sa-2", true)).toBe(true);
+
+      const row = await repo.getFullById("sa-2");
+      expect(row?.isActive).toBe(true);
+    });
+
+    it("returns false for non-existent ID", async () => {
+      expect(await repo.setActive("missing", false)).toBe(false);
+    });
+  });
+
+  // --- markValidated ---
+
+  describe("markValidated", () => {
+    it("sets lastValidated timestamp", async () => {
+      await repo.insert(makeRow({ id: "mv-1" }));
+      expect(await repo.markValidated("mv-1")).toBe(true);
+
+      const row = await repo.getFullById("mv-1");
+      expect(row?.lastValidated).toMatch(/^\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}/);
+    });
+
+    it("returns false for non-existent ID", async () => {
+      expect(await repo.markValidated("missing")).toBe(false);
+    });
+  });
+
+  // --- Migration access ---
+
+  describe("listAllWithEncryptedValue", () => {
+    it("returns all IDs and encrypted values", async () => {
+      await repo.insert(makeRow({ id: "m1", encryptedValue: "ev1" }));
+      await repo.insert(makeRow({ id: "m2", encryptedValue: "ev2" }));
+
+      const rows = await repo.listAllWithEncryptedValue();
+      expect(rows).toHaveLength(2);
+      expect(rows.map((r) => r.id).sort()).toEqual(["m1", "m2"]);
+      expect(rows.find((r) => r.id === "m1")?.encryptedValue).toBe("ev1");
+    });
+  });
+
+  describe("updateEncryptedValueOnly", () => {
+    it("updates encrypted value without touching rotatedAt", async () => {
+      await repo.insert(makeRow({ id: "uev-1", encryptedValue: "old" }));
+
+      await repo.updateEncryptedValueOnly("uev-1", "new");
+
+      const row = await repo.getFullById("uev-1");
+      expect(row?.encryptedValue).toBe("new");
+      expect(row?.rotatedAt).toBeNull();
+    });
+  });
+});

package/src/security/credential-vault/credential-repository.ts

@@ -0,0 +1,233 @@
+import { and, desc, eq } from "drizzle-orm";
+import type { PlatformDb } from "../../db/index.js";
+import { providerCredentials, tenantApiKeys } from "../../db/schema/index.js";
+
+// ---------------------------------------------------------------------------
+// Types
+// ---------------------------------------------------------------------------
+
+/** A full credential row from the database — includes encrypted value. */
+export interface CredentialRow {
+  id: string;
+  provider: string;
+  keyName: string;
+  encryptedValue: string;
+  authType: string;
+  authHeader: string | null;
+  isActive: boolean;
+  lastValidated: string | null;
+  createdAt: string;
+  rotatedAt: string | null;
+  createdBy: string;
+}
+
+/** A credential row without the encrypted value — for listing. */
+export interface CredentialSummaryRow {
+  id: string;
+  provider: string;
+  keyName: string;
+  authType: string;
+  authHeader: string | null;
+  isActive: boolean;
+  lastValidated: string | null;
+  createdAt: string;
+  rotatedAt: string | null;
+  createdBy: string;
+}
+
+export interface InsertCredentialRow {
+  id: string;
+  provider: string;
+  keyName: string;
+  encryptedValue: string;
+  authType: string;
+  authHeader: string | null;
+  createdBy: string;
+}
+
+// ---------------------------------------------------------------------------
+// Interface
+// ---------------------------------------------------------------------------
+
+/** Pure storage repository for provider credentials. No encryption logic. */
+export interface ICredentialRepository {
+  insert(data: InsertCredentialRow): Promise<void>;
+  getFullById(id: string): Promise<CredentialRow | null>;
+  getSummaryById(id: string): Promise<CredentialSummaryRow | null>;
+  list(provider?: string): Promise<CredentialSummaryRow[]>;
+  listActiveForProvider(provider: string): Promise<CredentialRow[]>;
+  updateEncryptedValue(id: string, encryptedValue: string): Promise<boolean>;
+  setActive(id: string, isActive: boolean): Promise<boolean>;
+  markValidated(id: string): Promise<boolean>;
+  deleteById(id: string): Promise<boolean>;
+}
+
+/** Narrow interface for migration-only access to provider_credentials encrypted values. */
+export interface ICredentialMigrationAccess {
+  listAllWithEncryptedValue(): Promise<Array<{ id: string; encryptedValue: string }>>;
+  updateEncryptedValueOnly(id: string, encryptedValue: string): Promise<void>;
+}
+
+/** Narrow interface for tenant_api_keys migration access. */
+export interface IMigrationTenantKeyAccess {
+  listAll(): Promise<Array<{ id: string; tenantId: string; encryptedKey: string }>>;
+  updateEncryptedKey(id: string, encryptedKey: string): Promise<void>;
+}
+
+// ---------------------------------------------------------------------------
+// Implementation
+// ---------------------------------------------------------------------------
+
+export class DrizzleCredentialRepository implements ICredentialRepository, ICredentialMigrationAccess {
+  constructor(private readonly db: PlatformDb) {}
+
+  async insert(data: InsertCredentialRow): Promise<void> {
+    await this.db.insert(providerCredentials).values({
+      id: data.id,
+      provider: data.provider,
+      keyName: data.keyName,
+      encryptedValue: data.encryptedValue,
+      authType: data.authType,
+      authHeader: data.authHeader,
+      isActive: true,
+      createdBy: data.createdBy,
+    });
+  }
+
+  async getFullById(id: string): Promise<CredentialRow | null> {
+    const row = (await this.db.select().from(providerCredentials).where(eq(providerCredentials.id, id)))[0];
+    return row ? toFullRow(row) : null;
+  }
+
+  async getSummaryById(id: string): Promise<CredentialSummaryRow | null> {
+    const row = (
+      await this.db
+        .select({
+          id: providerCredentials.id,
+          provider: providerCredentials.provider,
+          keyName: providerCredentials.keyName,
+          authType: providerCredentials.authType,
+          authHeader: providerCredentials.authHeader,
+          isActive: providerCredentials.isActive,
+          lastValidated: providerCredentials.lastValidated,
+          createdAt: providerCredentials.createdAt,
+          rotatedAt: providerCredentials.rotatedAt,
+          createdBy: providerCredentials.createdBy,
+        })
+        .from(providerCredentials)
+        .where(eq(providerCredentials.id, id))
+    )[0];
+    return row ?? null;
+  }
+
+  async list(provider?: string): Promise<CredentialSummaryRow[]> {
+    const where = provider ? eq(providerCredentials.provider, provider) : undefined;
+    return this.db
+      .select({
+        id: providerCredentials.id,
+        provider: providerCredentials.provider,
+        keyName: providerCredentials.keyName,
+        authType: providerCredentials.authType,
+        authHeader: providerCredentials.authHeader,
+        isActive: providerCredentials.isActive,
+        lastValidated: providerCredentials.lastValidated,
+        createdAt: providerCredentials.createdAt,
+        rotatedAt: providerCredentials.rotatedAt,
+        createdBy: providerCredentials.createdBy,
+      })
+      .from(providerCredentials)
+      .where(where)
+      .orderBy(desc(providerCredentials.createdAt));
+  }
+
+  async listActiveForProvider(provider: string): Promise<CredentialRow[]> {
+    const rows = await this.db
+      .select()
+      .from(providerCredentials)
+      .where(and(eq(providerCredentials.provider, provider), eq(providerCredentials.isActive, true)));
+    return rows.map(toFullRow);
+  }
+
+  async updateEncryptedValue(id: string, encryptedValue: string): Promise<boolean> {
+    const result = await this.db
+      .update(providerCredentials)
+      .set({ encryptedValue, rotatedAt: new Date().toISOString() })
+      .where(eq(providerCredentials.id, id))
+      .returning({ id: providerCredentials.id });
+    return result.length > 0;
+  }
+
+  async setActive(id: string, isActive: boolean): Promise<boolean> {
+    const result = await this.db
+      .update(providerCredentials)
+      .set({ isActive })
+      .where(eq(providerCredentials.id, id))
+      .returning({ id: providerCredentials.id });
+    return result.length > 0;
+  }
+
+  async markValidated(id: string): Promise<boolean> {
+    const result = await this.db
+      .update(providerCredentials)
+      .set({ lastValidated: new Date().toISOString() })
+      .where(eq(providerCredentials.id, id))
+      .returning({ id: providerCredentials.id });
+    return result.length > 0;
+  }
+
+  async deleteById(id: string): Promise<boolean> {
+    const result = await this.db
+      .delete(providerCredentials)
+      .where(eq(providerCredentials.id, id))
+      .returning({ id: providerCredentials.id });
+    return result.length > 0;
+  }
+
+  async listAllWithEncryptedValue(): Promise<Array<{ id: string; encryptedValue: string }>> {
+    return this.db
+      .select({ id: providerCredentials.id, encryptedValue: providerCredentials.encryptedValue })
+      .from(providerCredentials);
+  }
+
+  async updateEncryptedValueOnly(id: string, encryptedValue: string): Promise<void> {
+    await this.db.update(providerCredentials).set({ encryptedValue }).where(eq(providerCredentials.id, id));
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Tenant key migration access (for migrate-plaintext.ts)
+// ---------------------------------------------------------------------------
+
+export class DrizzleMigrationTenantKeyAccess implements IMigrationTenantKeyAccess {
+  constructor(private readonly db: PlatformDb) {}
+
+  async listAll(): Promise<Array<{ id: string; tenantId: string; encryptedKey: string }>> {
+    return this.db
+      .select({ id: tenantApiKeys.id, tenantId: tenantApiKeys.tenantId, encryptedKey: tenantApiKeys.encryptedKey })
+      .from(tenantApiKeys);
+  }
+
+  async updateEncryptedKey(id: string, encryptedKey: string): Promise<void> {
+    await this.db.update(tenantApiKeys).set({ encryptedKey }).where(eq(tenantApiKeys.id, id));
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Row -> Domain mapper
+// ---------------------------------------------------------------------------
+
+function toFullRow(row: typeof providerCredentials.$inferSelect): CredentialRow {
+  return {
+    id: row.id,
+    provider: row.provider,
+    keyName: row.keyName,
+    encryptedValue: row.encryptedValue,
+    authType: row.authType,
+    authHeader: row.authHeader,
+    isActive: row.isActive,
+    lastValidated: row.lastValidated,
+    createdAt: row.createdAt,
+    rotatedAt: row.rotatedAt,
+    createdBy: row.createdBy,
+  };
+}

package/src/security/credential-vault/index.ts

@@ -0,0 +1,26 @@
+export type { SecretAuditEvent, ISecretAuditRepository } from "./audit-repository.js";
+export { DrizzleSecretAuditRepository } from "./audit-repository.js";
+export type {
+  CredentialRow,
+  CredentialSummaryRow,
+  InsertCredentialRow,
+  ICredentialMigrationAccess,
+  ICredentialRepository,
+  IMigrationTenantKeyAccess,
+} from "./credential-repository.js";
+export { DrizzleCredentialRepository, DrizzleMigrationTenantKeyAccess } from "./credential-repository.js";
+export type { RotationResult } from "./key-rotation.js";
+export { reEncryptAllCredentials } from "./key-rotation.js";
+export type { MigrationResult } from "./migrate-plaintext.js";
+export { migratePlaintextCredentials } from "./migrate-plaintext.js";
+export type { PlaintextFinding } from "./migration-check.js";
+export { auditCredentialEncryption } from "./migration-check.js";
+export type {
+  AuthType,
+  CreateCredentialInput,
+  CredentialSummary,
+  DecryptedCredential,
+  ICredentialVaultStore,
+  RotateCredentialInput,
+} from "./store.js";
+export { CredentialVaultStore, getVaultEncryptionKey } from "./store.js";

package/src/security/credential-vault/key-rotation.test.ts

@@ -0,0 +1,139 @@
+import { createHmac } from "node:crypto";
+import type { PGlite } from "@electric-sql/pglite";
+import { afterAll, beforeAll, beforeEach, describe, expect, it } from "vitest";
+import type { PlatformDb } from "../../db/index.js";
+import { createTestDb, truncateAllTables } from "../../test/db.js";
+import { decrypt, encrypt } from "../encryption.js";
+import type { EncryptedPayload } from "../types.js";
+import { DrizzleCredentialRepository, DrizzleMigrationTenantKeyAccess } from "./credential-repository.js";
+import { reEncryptAllCredentials } from "./key-rotation.js";
+import { getVaultEncryptionKey } from "./store.js";
+
+const OLD_SECRET = "old-platform-secret-for-test";
+const NEW_SECRET = "new-platform-secret-for-test";
+
+const NOW_EPOCH = Math.floor(Date.now() / 1000);
+
+function deriveTenantKey(tenantId: string, secret: string): Buffer {
+  return createHmac("sha256", secret).update(`tenant:${tenantId}`).digest();
+}
+
+describe("reEncryptAllCredentials", () => {
+  let pool: PGlite;
+  let db: PlatformDb;
+
+  beforeAll(async () => {
+    ({ db, pool } = await createTestDb());
+  });
+
+  afterAll(async () => {
+    await pool.close();
+  });
+
+  beforeEach(async () => {
+    await truncateAllTables(pool);
+  });
+
+  it("re-encrypts provider credentials from old to new secret", async () => {
+    const oldKey = getVaultEncryptionKey(OLD_SECRET);
+    const encrypted = encrypt("sk-ant-real-key-12345", oldKey);
+    await pool.query(
+      "INSERT INTO provider_credentials (id, provider, key_name, encrypted_value, auth_type, created_by) VALUES ($1, $2, $3, $4, $5, $6)",
+      ["cred-1", "openrouter", "default", JSON.stringify(encrypted), "bearer", "test"],
+    );
+
+    const credAccess = new DrizzleCredentialRepository(db);
+    const tenantKeyAccess = new DrizzleMigrationTenantKeyAccess(db);
+    const result = await reEncryptAllCredentials(credAccess, tenantKeyAccess, OLD_SECRET, NEW_SECRET);
+    expect(result.providerCredentials.migrated).toBe(1);
+    expect(result.providerCredentials.errors).toHaveLength(0);
+
+    const row = await pool.query<{ encrypted_value: string }>(
+      "SELECT encrypted_value FROM provider_credentials WHERE id = $1",
+      ["cred-1"],
+    );
+    const newKey = getVaultEncryptionKey(NEW_SECRET);
+    const payload: EncryptedPayload = JSON.parse(row.rows[0].encrypted_value);
+    const decrypted = decrypt(payload, newKey);
+    expect(decrypted).toBe("sk-ant-real-key-12345");
+
+    const oldKey2 = getVaultEncryptionKey(OLD_SECRET);
+    expect(() => decrypt(payload, oldKey2)).toThrow();
+  });
+
+  it("re-encrypts tenant BYOK keys from old to new secret", async () => {
+    const oldTenantKey = deriveTenantKey("t1", OLD_SECRET);
+    const encrypted = encrypt("sk-openai-tenant-key", oldTenantKey);
+    await pool.query(
+      "INSERT INTO tenant_api_keys (id, tenant_id, provider, encrypted_key, created_at, updated_at) VALUES ($1, $2, $3, $4, $5, $6)",
+      ["tk-1", "t1", "openai", JSON.stringify(encrypted), NOW_EPOCH, NOW_EPOCH],
+    );
+
+    const credAccess = new DrizzleCredentialRepository(db);
+    const tenantKeyAccess = new DrizzleMigrationTenantKeyAccess(db);
+    const result = await reEncryptAllCredentials(credAccess, tenantKeyAccess, OLD_SECRET, NEW_SECRET);
+    expect(result.tenantKeys.migrated).toBe(1);
+    expect(result.tenantKeys.errors).toHaveLength(0);
+
+    const row = await pool.query<{ encrypted_key: string }>("SELECT encrypted_key FROM tenant_api_keys WHERE id = $1", [
+      "tk-1",
+    ]);
+    const newTenantKey = deriveTenantKey("t1", NEW_SECRET);
+    const payload: EncryptedPayload = JSON.parse(row.rows[0].encrypted_key);
+    expect(decrypt(payload, newTenantKey)).toBe("sk-openai-tenant-key");
+  });
+
+  it("handles mixed valid and invalid rows gracefully", async () => {
+    const oldKey = getVaultEncryptionKey(OLD_SECRET);
+    const encrypted = encrypt("valid-key", oldKey);
+    await pool.query(
+      "INSERT INTO provider_credentials (id, provider, key_name, encrypted_value, auth_type, created_by) VALUES ($1, $2, $3, $4, $5, $6)",
+      ["cred-1", "openrouter", "default", JSON.stringify(encrypted), "bearer", "test"],
+    );
+    await pool.query(
+      "INSERT INTO provider_credentials (id, provider, key_name, encrypted_value, auth_type, created_by) VALUES ($1, $2, $3, $4, $5, $6)",
+      ["cred-2", "openrouter", "default", "not-valid-json", "bearer", "test"],
+    );
+
+    const credAccess = new DrizzleCredentialRepository(db);
+    const tenantKeyAccess = new DrizzleMigrationTenantKeyAccess(db);
+    const result = await reEncryptAllCredentials(credAccess, tenantKeyAccess, OLD_SECRET, NEW_SECRET);
+    expect(result.providerCredentials.migrated).toBe(1);
+    expect(result.providerCredentials.errors).toHaveLength(1);
+    expect(result.providerCredentials.errors[0]).toContain("cred-2");
+  });
+
+  it("returns zero counts when tables are empty", async () => {
+    const credAccess = new DrizzleCredentialRepository(db);
+    const tenantKeyAccess = new DrizzleMigrationTenantKeyAccess(db);
+    const result = await reEncryptAllCredentials(credAccess, tenantKeyAccess, OLD_SECRET, NEW_SECRET);
+    expect(result.providerCredentials.migrated).toBe(0);
+    expect(result.tenantKeys.migrated).toBe(0);
+  });
+
+  it("re-encrypts multiple provider credentials", async () => {
+    const oldKey = getVaultEncryptionKey(OLD_SECRET);
+    for (let i = 1; i <= 3; i++) {
+      const encrypted = encrypt(`sk-key-${i}`, oldKey);
+      await pool.query(
+        "INSERT INTO provider_credentials (id, provider, key_name, encrypted_value, auth_type, created_by) VALUES ($1, $2, $3, $4, $5, $6)",
+        [`cred-${i}`, "openrouter", "default", JSON.stringify(encrypted), "bearer", "test"],
+      );
+    }
+
+    const credAccess = new DrizzleCredentialRepository(db);
+    const tenantKeyAccess = new DrizzleMigrationTenantKeyAccess(db);
+    const result = await reEncryptAllCredentials(credAccess, tenantKeyAccess, OLD_SECRET, NEW_SECRET);
+    expect(result.providerCredentials.migrated).toBe(3);
+
+    const newKey = getVaultEncryptionKey(NEW_SECRET);
+    for (let i = 1; i <= 3; i++) {
+      const row = await pool.query<{ encrypted_value: string }>(
+        "SELECT encrypted_value FROM provider_credentials WHERE id = $1",
+        [`cred-${i}`],
+      );
+      const payload: EncryptedPayload = JSON.parse(row.rows[0].encrypted_value);
+      expect(decrypt(payload, newKey)).toBe(`sk-key-${i}`);
+    }
+  });
+});