Mirror of https://github.com/DeBrosOfficial/orama.git, synced 2026-06-17 02:34:12 +00:00

Second #837 root cause (the key-derivation fix was necessary but not sufficient): DBSecretsManager stored the AES-GCM ciphertext as a raw []byte parameter, but the rqlite client serializes []byte as base64 and reads it back as that base64 TEXT — never the original bytes. So decrypt() always received base64 ASCII instead of ciphertext and failed, making get_secret return empty for every stored secret (exactly the reported symptom). Encode the ciphertext to an explicit base64 string in Set and decode it in Get (with a raw fallback), making the round-trip symmetric and driver-independent. The test mock now emulates rqlite's blob->base64-text behavior so it's a real regression guard.
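
The round-trip failure and the symmetric encode/decode described in the commit message, as an added Go example that is not code from the orama repository. The names `viaDriver`, `open` and `roundTrip`, the all-zero demo key, and the nonce-prefixed blob layout are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// viaDriver (constructed) mimics the described driver: []byte comes back as base64 TEXT.
func viaDriver(param any) string {
	if b, ok := param.([]byte); ok {
		return base64.StdEncoding.EncodeToString(b)
	}
	return param.(string)
}

// open splits nonce||ciphertext and authenticates it with AES-GCM.
func open(g cipher.AEAD, blob []byte) (string, error) {
	if len(blob) < g.NonceSize() {
		return "", fmt.Errorf("blob shorter than nonce")
	}
	pt, err := g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
	return string(pt), err
}

// roundTrip stores pt and reads it back; explicit selects the base64-string path.
func roundTrip(pt string, explicit bool) (string, error) {
	blk, _ := aes.NewCipher(make([]byte, 32)) // all-zero demo key (constructed)
	g, _ := cipher.NewGCM(blk)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	ct := g.Seal(nonce, nonce, []byte(pt), nil)
	if !explicit {
		return open(g, []byte(viaDriver(ct))) // base64 ASCII, not ciphertext
	}
	stored := viaDriver(base64.StdEncoding.EncodeToString(ct))
	blob, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		blob = []byte(stored) // raw fallback for values that are not base64
	}
	return open(g, blob)
}

func main() {
	fmt.Println(roundTrip("demo-secret", false))
	fmt.Println(roundTrip("demo-secret", true))
}
```

Both paths leave the same base64 text in the store; only the explicit decode on read restores the bytes that GCM can authenticate.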