# frozen_string_literal: true # Warn self-hosted operators when ActiveRecord Encryption is NOT configured. # # This emits a clear startup warning so plaintext-at-rest is never silent. require Rails.root.join("lib/active_record_encryption_config").to_s Rails.application.config.after_initialize do app_mode = Rails.application.config.app_mode if app_mode.self_hosted? && !ActiveRecordEncryptionConfig.explicitly_configured? Rails.logger.warn(<<~WARN) [SECURITY] ActiveRecord Encryption is NOT configured. Sensitive data (API keys, provider/bank tokens, MFA secrets, and PII) are being stored UNENCRYPTED at rest. To enable encryption, set the following keys in your Rails credentials or environment variables: ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT Generate a set with: bin/rails db:encryption:init WARN end end