SECURITY AUDIT: Complete KEK-DEK architecture security review

- Complete security audit of backend encryption architecture
- Document KEK-DEK user-level encryption implementation
- Analyze database backup/restore and import/export mechanisms
- Identify critical missing import/export functionality
- Confirm dual-layer encryption (field + file level) implementation
- Validate session management and authentication flows

Key findings:
✅ Excellent KEK-DEK architecture with true multi-user data isolation
✅ Correct removal of hardware fingerprint dependencies
✅ Memory database + dual encryption + periodic persistence
❌ Import/export endpoints completely disabled (503 status)
⚠️ OIDC client_secret not encrypted in storage

Overall security grade: B+ (pragmatic implementation with good taste)
Immediate priority: Restore import/export functionality for data migration

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

src/backend/ssh/terminal.ts

@@ -4,7 +4,7 @@ import { db } from "../database/db/index.js";
 import { sshCredentials } from "../database/db/schema.js";
 import { eq, and } from "drizzle-orm";
 import { sshLogger } from "../utils/logger.js";
-import { EncryptedDBOperations } from "../utils/encrypted-db-operations.js";
+import { SimpleDBOps } from "../utils/simple-db-ops.js";
 
 const wss = new WebSocketServer({ port: 8082 });
 
@@ -200,7 +200,7 @@ wss.on("connection", (ws: WebSocket) => {
     let resolvedCredentials = { password, key, keyPassword, keyType, authType };
     if (credentialId && id && hostConfig.userId) {
       try {
-        const credentials = await EncryptedDBOperations.select(
+        const credentials = await SimpleDBOps.select(
           db
             .select()
             .from(sshCredentials)