π§ Title: Add backup encryption key rotation support
π Description
backend/src/backup/manager.js encrypts backups with BACKUP_ENC_KEY. There is no mechanism to rotate this key, meaning a compromised key exposes all historical backups.
β
Acceptance Criteria
π§ Context: backend/src/backup/manager.js; backend/src/routes/backup.js.
π§ Title: Add backup encryption key rotation support
π Description
backend/src/backup/manager.jsencrypts backups withBACKUP_ENC_KEY. There is no mechanism to rotate this key, meaning a compromised key exposes all historical backups.β Acceptance Criteria
POST /api/backup/rotate-keyendpoint (admin only)BACKUP_ENC_KEY_PREVIOUSenv var for decrypting old backups during rotationπ§ Context:
backend/src/backup/manager.js;backend/src/routes/backup.js.