better-ccflare 3.3.22 → 3.3.25
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +11 -0
- package/dist/better-ccflare +0 -0
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -188,8 +188,19 @@ RETRY_BACKOFF=2 # Retry backoff multiplier
|
|
|
188
188
|
# Storage
|
|
189
189
|
STORE_PAYLOADS=false # Disable storing request/response bodies (reduces DB size and memory usage)
|
|
190
190
|
# Token counts, costs, model, status and timing are still recorded
|
|
191
|
+
|
|
192
|
+
# Payload encryption at rest (optional)
|
|
193
|
+
# When set, request/response payloads are encrypted with AES-256-GCM before
|
|
194
|
+
# being written to `request_payloads`. Existing plaintext rows remain readable.
|
|
195
|
+
# Generate with: openssl rand -hex 32
|
|
196
|
+
PAYLOAD_ENCRYPTION_KEY= # 64-character hex (32 bytes / AES-256). Unset = plaintext storage.
|
|
191
197
|
```
|
|
192
198
|
|
|
199
|
+
**Encryption notes**:
|
|
200
|
+
- Without a key, payloads are stored as plaintext (no behavior change from prior versions).
|
|
201
|
+
- Losing the key makes encrypted rows unreadable — payload reads throw rather than silently returning garbage. Back the key up alongside the database.
|
|
202
|
+
- The key is read once at process start (and once per Bun worker). Rotating it requires a re-encrypt migration; not yet built.
|
|
203
|
+
|
|
193
204
|
**Security Notes**:
|
|
194
205
|
- Use `BETTER_CCFLARE_HOST=127.0.0.1` to bind only to localhost for better security
|
|
195
206
|
- Never commit `.env` files containing sensitive values to version control
|
package/dist/better-ccflare
CHANGED
|
Binary file
|
package/package.json
CHANGED