kin: KIN-BIZ-007 Post-MVP: шифрование credentials в project_environments через Fernet

web/api.py

@@ -1088,8 +1088,8 @@ def _trigger_sysadmin_scan(conn, project_id: str, env: dict) -> str:
         "port": env["port"],
         "username": env["username"],
         "auth_type": env["auth_type"],
-        # auth_value is Fernet-encrypted. Stored in tasks.brief — treat as sensitive.
-        # Decrypt with _decrypt_auth() from core/models.py.
+        # auth_value is decrypted plaintext (get_environment decrypts via _decrypt_auth).
+        # Stored in tasks.brief — treat as sensitive.
         "auth_value_b64": env.get("auth_value"),
         "text": (
             f"Провести полный аудит среды '{env['name']}' на сервере {env['host']}.\n\n"
@@ -1258,8 +1258,11 @@ def delete_environment(project_id: str, env_id: int):
     if not p:
         conn.close()
         raise HTTPException(404, f"Project '{project_id}' not found")
-    existing = models.get_environment(conn, env_id)
-    if not existing or existing.get("project_id") != project_id:
+    # Check existence directly — no decryption needed for delete
+    row = conn.execute(
+        "SELECT project_id FROM project_environments WHERE id = ?", (env_id,)
+    ).fetchone()
+    if not row or dict(row)["project_id"] != project_id:
         conn.close()
         raise HTTPException(404, f"Environment #{env_id} not found")
     models.delete_environment(conn, env_id)
@@ -1270,6 +1273,9 @@ def delete_environment(project_id: str, env_id: int):
 @app.post("/api/projects/{project_id}/environments/{env_id}/scan", status_code=202)
 def scan_environment(project_id: str, env_id: int):
     """Manually re-trigger sysadmin env scan for an environment."""
+    import os as _os
+    if not _os.environ.get("KIN_SECRET_KEY"):
+        raise HTTPException(503, "Server misconfiguration: KIN_SECRET_KEY is not set. Contact admin.")
     conn = get_conn()
     p = models.get_project(conn, project_id)
     if not p: