From 3d2d16d53e7a4372c2880870c54bda81b2fcb101 Mon Sep 17 00:00:00 2001
From: Sienna Meridian Satterwhite
Date: Tue, 24 Mar 2026 20:51:13 +0000
Subject: [PATCH] feat(secrets): add xchacha20-poly1305 cipher key seeding for Kratos

Add rand_alphanum() using OsRng for generating fixed-length alphanumeric secrets. Seed secrets-cipher (32 chars) into the kratos KV path for at-rest encryption of OIDC tokens.
---
 sunbeam-sdk/src/secrets/mod.rs | 9 +++++++++
 sunbeam-sdk/src/secrets/seeding.rs | 6 ++++--
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/sunbeam-sdk/src/secrets/mod.rs b/sunbeam-sdk/src/secrets/mod.rs
index f346e45..d6e596f 100644
--- a/sunbeam-sdk/src/secrets/mod.rs
+++ b/sunbeam-sdk/src/secrets/mod.rs
@@ -102,6 +102,15 @@ fn rand_token_n(n: usize) -> String {
 base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(buf)
 }
+/// Generate an alphanumeric random string of exactly `n` characters.
+/// Used for secrets that require a fixed character length (e.g. xchacha20-poly1305 cipher keys).
+pub(crate) fn rand_alphanum(n: usize) -> String {
+ use rand::rngs::OsRng;
+ use rand::Rng;
+ const CHARSET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+ (0..n).map(|_| CHARSET[OsRng.gen_range(0..CHARSET.len())] as char).collect()
+}
+
 // ── Port-forward helper ─────────────────────────────────────────────────────
 /// Port-forward guard — cancels the background forwarder on drop.
diff --git a/sunbeam-sdk/src/secrets/seeding.rs b/sunbeam-sdk/src/secrets/seeding.rs
index d6802fd..9a67bf1 100644
--- a/sunbeam-sdk/src/secrets/seeding.rs
+++ b/sunbeam-sdk/src/secrets/seeding.rs
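Review bot: The doc comment on `rand_alphanum` does not state how much entropy a result carries, which matters here because the 32-character value is seeded as a cipher key and, if the consumer uses the string bytes directly as the XChaCha20-Poly1305 key, it yields about log2(62)·32 ≈ 190 bits rather than a full 256-bit key — adequate for this use, but something a future caller passing a shorter `n` needs to know. I would add to the doc block: `/// Each character carries log2(62) ≈ 5.95 bits of entropy (32 chars ≈ 190 bits); do not use this where a full-strength raw key is required.` The indexing is sound as written, since `gen_range(0..CHARSET.len())` is both in-bounds and free of modulo bias. As a style point, if the project's rand version still exposes `rand::distributions::Alphanumeric`, `OsRng.sample_iter(&Alphanumeric).take(n).map(char::from).collect()` draws from the same 62-character alphabet without the hand-rolled table.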
@@ -11,8 +11,8 @@
 use crate::openbao::BaoClient;
 use crate::output::{ok, warn};
 use super::{
- gen_dkim_key_pair, gen_fernet_key, port_forward, rand_token, rand_token_n, scw_config,
- wait_pod_running, delete_resource, GITEA_ADMIN_USER, SMTP_URI,
+ gen_dkim_key_pair, gen_fernet_key, port_forward, rand_alphanum, rand_token, rand_token_n,
+ scw_config, wait_pod_running, delete_resource, GITEA_ADMIN_USER, SMTP_URI,
 };
 /// Internal result from seed_openbao, used by cmd_seed.
@@ -238,12 +238,14 @@ pub async fn seed_openbao() -> Result> {
 .await?;
 let smtp_uri_fn = || SMTP_URI.to_string();
+ let cipher_fn = || rand_alphanum(32);
 let kratos = get_or_create(
 &bao,
 "kratos",
 &[
 ("secrets-default", &rand_token as &dyn Fn() -> String),
 ("secrets-cookie", &rand_token),
+ ("secrets-cipher", &cipher_fn),
 ("smtp-connection-uri", &smtp_uri_fn),
 ],
 &mut dirty_paths,
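Review bot: The `32` in `let cipher_fn = || rand_alphanum(32);` is a length the consumer mandates (the commit message calls it a 32-char cipher key), but nothing in the hunk records that, so a reader cannot tell it from an arbitrary choice; I would name it, `const KRATOS_CIPHER_KEY_LEN: usize = 32; // consumer requires exactly 32 chars`, and call `rand_alphanum(KRATOS_CIPHER_KEY_LEN)`. Because this key encrypts OIDC tokens at rest, regenerating it later makes already-stored tokens unreadable, which is worth a line at the binding: `// persistent: rotating this key invalidates tokens already encrypted with it`. It is also unclear from the hunk whether `get_or_create` fills in keys missing from an existing `kratos` entry or returns it untouched; if the latter, deployments seeded before this change never receive `secrets-cipher`, so that behaviour should be confirmed. `seed_openbao` starts and ends outside the hunk.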