Skip to content

docs(workflow-executor): document FOREST_EXECUTOR_ENCRYPTION_KEY#1725

Open
hercemer42 wants to merge 1 commit into
feature/prd-692-harden-executor-oauth-runtime-clear-idempotency-phase-onfrom
docs/prd-367-pr4-executor-encryption-key
Open

docs(workflow-executor): document FOREST_EXECUTOR_ENCRYPTION_KEY#1725
hercemer42 wants to merge 1 commit into
feature/prd-692-harden-executor-oauth-runtime-clear-idempotency-phase-onfrom
docs/prd-367-pr4-executor-encryption-key

Conversation

@hercemer42

@hercemer42 hercemer42 commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

What

Documents FOREST_EXECUTOR_ENCRYPTION_KEY in the workflow-executor README — a new "OAuth-protected MCP connectors" section covering:

  • what it encrypts (the OAuth credentials the executor stores, AES-256-GCM at rest)
  • how to generate it (openssl rand -hex 32) and to keep it separate from FOREST_AUTH_SECRET
  • using the same value across instances that share a database
  • its lazy behaviour (while unset, credential storage returns 503 and those connectors stay unavailable; the executor still boots, with a startup warning)
  • no managed rotation — changing it forces affected users to reconnect

It complements the one-line entry already in .env.example.

Why

PRD-626 (the docs half of PRD-367): operators deploying the executor with OAuth-protected MCP connectors need a README reference for this variable.

Base / merge order

Based on the PRD-692 branch (feature/prd-692-harden-executor-oauth-runtime-clear-idempotency-phase-on, #1724) — the top of the OAuth-MCP executor stack, where FOREST_EXECUTOR_ENCRYPTION_KEY and the code that reads it already live. Targeting that branch keeps this diff to just the README change. Intended to merge last, once PR1 (#1619), PR2 (#1665) and PRD-692 (#1724) are in.

Replaces docs-site PR ForestAdmin/docs#3 (now closed) — the executor's own README, next to the code and .env.example, is the right home for an operator-facing deployment variable (and "executor" isn't a concept on the public docs site).

Refs: PRD-626

🤖 Generated with Claude Code

Note

Document FOREST_EXECUTOR_ENCRYPTION_KEY in workflow-executor README

Adds a new 'OAuth-protected MCP connectors' section to README.md explaining how the executor encrypts OAuth credentials at rest using AES-256-GCM.

  • Documents the FOREST_EXECUTOR_ENCRYPTION_KEY environment variable, including generation guidance and the requirement to use a different value from FOREST_AUTH_SECRET.
  • Clarifies when the key is required, that all instances sharing a database must use the same value, and that key rotation is not managed (with consequences noted).

Macroscope summarized e3db719.

@linear-code

linear-code Bot commented Jun 30, 2026

Copy link
Copy Markdown

PRD-367

PRD-626

Document the FOREST_EXECUTOR_ENCRYPTION_KEY environment variable in the workflow-executor README: what it encrypts, how to generate it, using the same value across instances sharing a database, its lazy behaviour, and that it has no managed rotation. Complements the .env.example entry.

Refs: PRD-626
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@hercemer42 hercemer42 force-pushed the docs/prd-367-pr4-executor-encryption-key branch from 19a12d3 to e3db719 Compare June 30, 2026 10:02
@qltysh

qltysh Bot commented Jun 30, 2026

Copy link
Copy Markdown

Qlty


Coverage Impact

This PR will not change total coverage.

🚦 See full report on Qlty Cloud »

🛟 Help
  • Diff Coverage: Coverage for added or modified lines of code (excludes deleted files). Learn more.

  • Total Coverage: Coverage for the whole repository, calculated as the sum of all File Coverage. Learn more.

  • File Coverage: Covered Lines divided by Covered Lines plus Missed Lines. (Excludes non-executable lines including blank lines and comments.)

    • Indirect Changes: Changes to File Coverage for files that were not modified in this PR. Learn more.

@Scra3 Scra3 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Docs review (PRD-367 PR4). The section is accurate against the implementation; one small suggestion.


| Variable | Description |
| --- | --- |
| `FOREST_EXECUTOR_ENCRYPTION_KEY` | At-rest encryption key (AES-256-GCM) for the OAuth credentials the executor stores. Generate with `openssl rand -hex 32`. Use a **separate** secret from `FOREST_AUTH_SECRET`. |

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: unlike FOREST_ENV_SECRET, the key's length/format is not validated by the code — worth noting operators must use the exact openssl rand -hex 32 output, since a weak value is accepted silently.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants