SIGHUP Sidecar Security Audit: Over-Privileged ENCRYPTION_KEY Access Poses V2 Multi-Tenancy Risk
A critical security audit of the SIGHUP sidecar component reveals a significant over-privileged access pattern. The sidecar, responsible for reloading social login configurations, is granted the full `ENCRYPTION_KEY` for the `ciam_settings` table. This master key does not just unlock the specific Google client secret it needs; it decrypts *all* encrypted settings stored in the table, including potentially sensitive credentials for other providers and configurations. The component's current design grants it a master key far exceeding its operational necessity.
While this risk is currently considered bounded and acceptable for the V1 deployment (the sidecar runs in a controlled, single-tenant Podman compose environment in which all services already share the same encryption key), it sets a dangerous precedent. The sidecar's architecture is not future-proof: its broad decryption capability becomes a major security liability as soon as the deployment is scaled.
The identified flaw requires a redesign before the planned V2 rollout, which introduces multi-tenancy and external integrations. The audit explicitly warns that the current model is incompatible with environments that need independent credential sets for additional social providers or for separate tenants. Without a more granular access control mechanism, such as a dedicated key per setting or a narrowly scoped API, every encrypted CIAM setting would be exposed to a single, relatively low-privilege service component, creating a centralized point of failure and a substantial data exposure risk in a distributed architecture.
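The following is an added example, not code from the audit or from the SIGHUP/CIAM project, showing the "dedicated key" option in working form: each `ciam_settings` row is encrypted under a key derived from the master `ENCRYPTION_KEY` with HKDF-SHA256 and a context string naming the tenant and setting, so the sidecar can be handed only the derived key for the Google client secret it reloads. Everything beyond that idea is an assumption: settings are identified by a constructed `(tenant, name)` pair, the `CiamSettings` class stands in for the real table, and the encrypt-then-MAC cipher is a stdlib-only construction used so the example runs without third-party packages (a real deployment would use an AEAD such as AES-GCM with the same key-derivation layout).

```python
"""Added example: scoping a sidecar's decryption capability to one setting.

Assumptions (not from the audit): settings are keyed by (tenant, name); the
per-setting key is HKDF-SHA256(master, info="ciam_settings/<tenant>/<name>");
the cipher below is a constructed stdlib-only encrypt-then-MAC stand-in for a
real AEAD. Names like CiamSettings and sidecar_reload are hypothetical.
"""
import hashlib
import hmac
import os


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """RFC 5869 HKDF (extract-then-expand) with SHA-256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def setting_key(master_key: bytes, tenant: str, name: str) -> bytes:
    """Dedicated key for one setting. It cannot be reversed to the master key
    and cannot decrypt any other (tenant, name) row."""
    return hkdf_sha256(master_key, f"ciam_settings/{tenant}/{name}".encode())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Constructed encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    enc_key, mac_key = hkdf_sha256(key, b"enc"), hkdf_sha256(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag first; a wrong key fails here before any plaintext is produced."""
    enc_key, mac_key = hkdf_sha256(key, b"enc"), hkdf_sha256(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CiamSettings:
    """Constructed stand-in for the ciam_settings table (rows hold ciphertext only)."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._rows: dict[tuple[str, str], bytes] = {}

    def put(self, tenant: str, name: str, value: str) -> None:
        self._rows[(tenant, name)] = encrypt(setting_key(self._master, tenant, name), value.encode())

    def ciphertext(self, tenant: str, name: str) -> bytes:
        return self._rows[(tenant, name)]

    def key_for(self, tenant: str, name: str) -> bytes:
        """What the sidecar should be handed instead of the master key."""
        return setting_key(self._master, tenant, name)

    def all_rows(self) -> dict[tuple[str, str], bytes]:
        return dict(self._rows)


def sidecar_reload(sidecar_key: bytes, store: CiamSettings, tenant: str, name: str) -> str:
    """Sidecar reload path: it can only decrypt what its one key was derived for."""
    return decrypt(sidecar_key, store.ciphertext(tenant, name)).decode()


def demo() -> tuple[int, str, list[tuple[str, str]]]:
    master = os.urandom(32)  # stands in for ENCRYPTION_KEY
    store = CiamSettings(master)
    store.put("tenant-a", "google_client_secret", "google-secret-A")  # constructed values
    store.put("tenant-a", "github_client_secret", "github-secret-A")
    store.put("tenant-b", "google_client_secret", "google-secret-B")

    # V1 pattern: holding the master key means every row is readable.
    master_reads = {k: decrypt(setting_key(master, *k), v).decode() for k, v in store.all_rows().items()}

    # Scoped pattern: the sidecar holds one derived key and nothing else.
    scoped = store.key_for("tenant-a", "google_client_secret")
    own = sidecar_reload(scoped, store, "tenant-a", "google_client_secret")
    blocked = []
    for other in [("tenant-a", "github_client_secret"), ("tenant-b", "google_client_secret")]:
        try:
            sidecar_reload(scoped, store, *other)
        except ValueError:
            blocked.append(other)
    return len(master_reads), own, blocked


if __name__ == "__main__":
    print(demo())
```

The design point is that the derived key is a one-way function of the master key and the row's identity, so leaking the sidecar's key exposes exactly one setting; adding a provider or a tenant in V2 then means issuing another derived key rather than widening what the sidecar already holds.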