Implement transit encryption engine with versioned key management

Add complete transit engine supporting symmetric encryption (AES-256-GCM, XChaCha20-Poly1305), asymmetric signing (Ed25519, ECDSA P-256/P-384), and HMAC (SHA-256/SHA-512) with versioned key rotation, min decryption version enforcement, key trimming, batch operations, and rewrap. Includes proto definitions, gRPC handlers, REST routes, and comprehensive tests covering all 18 operations, auth enforcement, and edge cases. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 19:45:56 -07:00
parent ac4577f778
commit cbd77c58e8
10 changed files with 6718 additions and 4 deletions
--- a/internal/engine/transit/transit.go
+++ b/internal/engine/transit/transit.go
--- a/internal/engine/transit/transit_test.go
+++ b/internal/engine/transit/transit_test.go
--- a/internal/engine/transit/types.go
+++ b/internal/engine/transit/types.go
@@ -0,0 +1,15 @@
+package transit
+
+// TransitConfig is the transit engine configuration stored in the barrier.
+type TransitConfig struct {
+	MaxKeyVersions int `json:"max_key_versions"`
+}
+
+// KeyConfig is per-key configuration stored in the barrier.
+type KeyConfig struct {
+	Name                 string `json:"name"`
+	Type                 string `json:"type"` // aes256-gcm, chacha20-poly, ed25519, ecdsa-p256, ecdsa-p384, hmac-sha256, hmac-sha512
+	CurrentVersion       int    `json:"current_version"`
+	MinDecryptionVersion int    `json:"min_decryption_version"`
+	AllowDeletion        bool   `json:"allow_deletion"`
+}