docs(workflow-executor): document FOREST_EXECUTOR_ENCRYPTION_KEY #1725
Document the FOREST_EXECUTOR_ENCRYPTION_KEY environment variable in the workflow-executor README: what it encrypts, how to generate it, using the same value across instances sharing a database, its lazy behaviour, and that it has no managed rotation. Complements the .env.example entry.

Refs: PRD-626
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Scra3 left a comment
Docs review (PRD-367 PR4). The section is accurate against the implementation; one small suggestion.
| | Variable | Description | | ||
| | --- | --- | | ||
| | `FOREST_EXECUTOR_ENCRYPTION_KEY` | At-rest encryption key (AES-256-GCM) for the OAuth credentials the executor stores. Generate with `openssl rand -hex 32`. Use a **separate** secret from `FOREST_AUTH_SECRET`. | |
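Review bot: The Description cell for `FOREST_EXECUTOR_ENCRYPTION_KEY` names the algorithm and the generation command but does not say what happens to credentials already stored if the value is later changed or lost. AES-256-GCM decryption fails under a different key, so consider adding a short clause to this row, for example "changing this value makes previously stored credentials unreadable", or a pointer to the part of the section that covers it.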
suggestion: unlike `FOREST_ENV_SECRET`, the key's length/format is not validated by the code — worth noting operators must use the exact `openssl rand -hex 32` output, since a weak value is accepted silently.
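The kind of startup check the suggestion above points at, added here as an example and not taken from the executor's code. `validateEncryptionKey`, `checkSamples` and `unvalidatedDecodeLength` are hypothetical names, and the check assumes the key is meant to be exactly the 64 hex characters that `openssl rand -hex 32` prints.

```javascript
// Added example: hypothetical helpers, not executor code.
// Assumption: the key is the 64 hex characters `openssl rand -hex 32` prints.
const HEX_32_BYTES = /^[0-9a-fA-F]{64}$/;

function validateEncryptionKey(env) {
  const raw = env.FOREST_EXECUTOR_ENCRYPTION_KEY;
  if (raw === undefined || raw === '') return { ok: false, reason: 'missing' };
  // Check the shape before decoding: Buffer.from(x, 'hex') stops at the first
  // non-hex character and returns a shorter buffer instead of throwing.
  if (!HEX_32_BYTES.test(raw)) return { ok: false, reason: 'not 64 hex characters' };
  if (raw === env.FOREST_AUTH_SECRET) {
    return { ok: false, reason: 'same value as FOREST_AUTH_SECRET' };
  }
  const key = Buffer.from(raw, 'hex');
  // Crude placeholder detector: 32 random bytes practically never contain
  // fewer than 8 distinct values, while an all-zero or 'abab' pattern does.
  if (new Set(key).size < 8) return { ok: false, reason: 'low-entropy placeholder' };
  return { ok: true, key };
}

// What a decode without the shape check would hand to the cipher.
function unvalidatedDecodeLength(raw) {
  return Buffer.from(raw, 'hex').length;
}

// Constructed sample values, not real secrets.
const SAMPLE_KEY = '3f9a1c7e5b2d8046a1b3c5d7e9f00112233445566778899aabbccddeeff01234';
const SAMPLES = {
  generated: { FOREST_EXECUTOR_ENCRYPTION_KEY: SAMPLE_KEY },
  unset: {},
  passphrase: { FOREST_EXECUTOR_ENCRYPTION_KEY: 'correct horse battery staple' },
  trailingNewline: { FOREST_EXECUTOR_ENCRYPTION_KEY: SAMPLE_KEY + '\n' },
  allZero: { FOREST_EXECUTOR_ENCRYPTION_KEY: '00'.repeat(32) },
  reusedAuthSecret: { FOREST_EXECUTOR_ENCRYPTION_KEY: SAMPLE_KEY, FOREST_AUTH_SECRET: SAMPLE_KEY },
};

function checkSamples() {
  const out = {};
  for (const [name, env] of Object.entries(SAMPLES)) {
    const result = validateEncryptionKey(env);
    out[name] = result.ok ? 'ok' : result.reason;
  }
  return out;
}

console.log(checkSamples());
console.log('bytes from "12zz" without validation:', unvalidatedDecodeLength('12zz'));
```

Failing startup on any result other than `ok` turns the silently accepted weak value into a visible configuration error.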

What

Documents `FOREST_EXECUTOR_ENCRYPTION_KEY` in the workflow-executor README — a new "OAuth-protected MCP connectors" section covering:

- `openssl rand -hex 32`) and to keep it separate from `FOREST_AUTH_SECRET`
- `503` and those connectors stay unavailable; the executor still boots, with a startup warning)

It complements the one-line entry already in `.env.example`.

Why
PRD-626 (the docs half of PRD-367): operators deploying the executor with OAuth-protected MCP connectors need a README reference for this variable.
Base / merge order
Based on the PRD-692 branch (`feature/prd-692-harden-executor-oauth-runtime-clear-idempotency-phase-on`, #1724) — the top of the OAuth-MCP executor stack, where `FOREST_EXECUTOR_ENCRYPTION_KEY` and the code that reads it already live. Targeting that branch keeps this diff to just the README change. Intended to merge last, once PR1 (#1619), PR2 (#1665) and PRD-692 (#1724) are in.

Replaces docs-site PR ForestAdmin/docs#3 (now closed) — the executor's own README, next to the code and `.env.example`, is the right home for an operator-facing deployment variable (and "executor" isn't a concept on the public docs site).

Refs: PRD-626
🤖 Generated with Claude Code
Note

Document `FOREST_EXECUTOR_ENCRYPTION_KEY` in workflow-executor README

Adds a new 'OAuth-protected MCP connectors' section to README.md explaining how the executor encrypts OAuth credentials at rest using AES-256-GCM.

- `FOREST_EXECUTOR_ENCRYPTION_KEY` environment variable, including generation guidance and the requirement to use a different value from `FOREST_AUTH_SECRET`.

Macroscope summarized e3db719.