security: rotate bootstrap and clean workspace

backend/src/services/__tests__/test_encryption_manager.py

@@ -26,8 +26,7 @@ class TestEncryptionManager:
         """Construct EncryptionManager directly using Fernet (avoids relative import chain)."""
         # Re-implement the same logic as EncryptionManager to avoid import issues
         # with the llm_provider module's relative imports
-        import os
-        key = os.getenv("ENCRYPTION_KEY", "REMOVED_HISTORICAL_SECRET_DO_NOT_USE").encode()
+        key = Fernet.generate_key()
         fernet = Fernet(key)
 
         class EncryptionManager:
@@ -99,6 +98,18 @@ class TestEncryptionManager:
         assert decrypted == ""
     # [/DEF:test_encrypt_empty_string:Function]
 
+    # [DEF:test_missing_key_fails_fast:Function]
+    # @PURPOSE: Missing ENCRYPTION_KEY must abort initialization instead of using a fallback secret.
+    # @PRE: ENCRYPTION_KEY is unset.
+    # @POST: RuntimeError raised during EncryptionManager construction.
+    def test_missing_key_fails_fast(self):
+        from src.services.llm_provider import EncryptionManager
+
+        with patch.dict("os.environ", {}, clear=True):
+            with pytest.raises(RuntimeError, match="ENCRYPTION_KEY must be set"):
+                EncryptionManager()
+    # [/DEF:test_missing_key_fails_fast:Function]
+
     # [DEF:test_custom_key_roundtrip:Function]
     # @PURPOSE: Custom Fernet key produces valid roundtrip.
     # @PRE: Generated Fernet key.