Skip to content

feat(java): add resolve token sealing to FlagResolverService#401

Draft
nicklasl wants to merge 2 commits into
mainfrom
nicklasl/java-resolve-token-sealing
Draft

feat(java): add resolve token sealing to FlagResolverService#401
nicklasl wants to merge 2 commits into
mainfrom
nicklasl/java-resolve-token-sealing

Conversation

@nicklasl
Copy link
Copy Markdown
Member

@nicklasl nicklasl commented May 11, 2026
edited
Loading

Summary

  • Adds ResolveTokenSealer — AES-256-GCM encryption for resolve tokens, preventing clients from inspecting raw resolve token
  • Wires sealing into FlagResolverService: resolve responses get sealed tokens, apply requests are transparently decrypted
  • Backward compatible — existing constructors without a sealer still work as before

Test plan

  • ResolveTokenSealerTest: round-trip, tamper detection, wrong-key rejection, short-handle rejection
  • FlagResolverServiceTest.TokenSealing: end-to-end seal/open via service, 400 on tampered/garbage tokens
  • Security review by agent (AES-GCM params, wire format, key handling, side channels)

🤖 Generated with Claude Code

nicklasl and others added 2 commits May 11, 2026 16:22
@nicklasl @claude
feat(java): add AES-256-GCM resolve token sealing to FlagResolverService
0333e7d 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@nicklasl @claude
style(java): fix formatting in ResolveTokenSealerTest
a4ef3ad 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@nicklasl