feat(api): hash API keys at rest with SHA-256

- Keys stored as SHA-256 hashes instead of plaintext
- authenticate() uses timingSafeEqual for constant-time comparison
- Auto-migrates existing plaintext keys on first successful auth
- create-project stores hash, notes key is not recoverable after creation

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: chapterjason

packages/api/src/auth/auth.js

@@ -1,8 +1,12 @@
 import { existsSync, readFileSync, writeFileSync, mkdirSync } from "fs";
-import { randomBytes } from "crypto";
+import { randomBytes, createHash, timingSafeEqual } from "crypto";
 import { logger } from "@sourecode/agent-backlog-core/logger.js";
 import { API_DATA_DIR, API_DATA_KEYS_PATH } from "@sourecode/agent-backlog-core/config.js";
 
+export function hashKey(key) {
+  return createHash("sha256").update(key).digest("hex");
+}
+
 export function loadApiKeys() {
   if (!existsSync(API_DATA_KEYS_PATH)) return {};
   try {
@@ -26,8 +30,36 @@ export function authenticate(req) {
   const auth = req.headers.authorization;
   if (!auth || !auth.startsWith("Bearer ")) return null;
   const key = auth.slice(7);
+  const keyHash = hashKey(key);
+  const keyHashBuf = Buffer.from(keyHash, "hex");
+
   const keys = loadApiKeys();
-  const entry = keys[key];
-  if (!entry) return null;
-  return entry.slug;
+  let migrated = false;
+
+  for (const [stored, entry] of Object.entries(keys)) {
+    // Auto-migrate plaintext keys (they start with "sk-proj-")
+    if (stored.startsWith("sk-proj-")) {
+      const storedHash = hashKey(stored);
+      delete keys[stored];
+      keys[storedHash] = entry;
+      migrated = true;
+      logger.info("api-keys:migrated-plaintext-key", { slug: entry.slug });
+      if (storedHash === keyHash) return entry.slug;
+      continue;
+    }
+
+    // Constant-time comparison of hashes
+    try {
+      const storedBuf = Buffer.from(stored, "hex");
+      if (storedBuf.length === keyHashBuf.length && timingSafeEqual(storedBuf, keyHashBuf)) {
+        if (migrated) saveApiKeys(keys);
+        return entry.slug;
+      }
+    } catch {
+      // stored value is not valid hex — skip
+    }
+  }
+
+  if (migrated) saveApiKeys(keys);
+  return null;
 }

packages/api/src/cli/create-project.js

@@ -1,6 +1,6 @@
 import { mkdirSync } from "fs";
 import { join } from "path";
-import { loadApiKeys, saveApiKeys, generateApiKey } from "../auth/auth.js";
+import { loadApiKeys, saveApiKeys, generateApiKey, hashKey } from "../auth/auth.js";
 import { API_DATA_DB_DIR } from "@sourecode/agent-backlog-core/config.js";
 import { getStoreForSlug } from "../store/store.js";
 
@@ -17,16 +17,16 @@ if (!/^[a-z0-9-]+$/.test(slug)) {
 mkdirSync(API_DATA_DB_DIR, { recursive: true });
 const keys = loadApiKeys();
 
-for (const [key, entry] of Object.entries(keys)) {
+for (const [, entry] of Object.entries(keys)) {
   if (entry.slug === slug) {
     console.log(`Project "${slug}" already exists.`);
-    console.log(`API Key: ${key}`);
+    console.log(`(API key is hashed at rest and cannot be recovered. Delete and recreate the project to issue a new key.)`);
     process.exit(0);
   }
 }
 
 const apiKey = generateApiKey();
-keys[apiKey] = { slug, created: new Date().toISOString() };
+keys[hashKey(apiKey)] = { slug, created: new Date().toISOString() };
 saveApiKeys(keys);
 
 const store = getStoreForSlug(slug);