fix: fail-fast on missing or invalid DCR_ENCRYPTION_KEY

Previously, _encrypt_secret() silently generated an ephemeral Fernet key
when DCR_ENCRYPTION_KEY was not configured. Secrets encrypted with an
ephemeral key become permanently unrecoverable after a container restart.

- Raise RuntimeError in _encrypt_secret() when no Fernet cipher is
  available instead of generating an ephemeral key
- Raise ValueError in DCRService.__init__() when DCR_ENCRYPTION_KEY is
  missing on Cloud Run (K_SERVICE is set)
- Raise ValueError on invalid DCR_ENCRYPTION_KEY at construction time
  instead of logging and continuing with _fernet=None
- Add a stable Fernet key to test conftest so DCR tests have a valid
  encryption key available

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: luis5tb

src/lightspeed_agent/dcr/service.py

@@ -3,6 +3,7 @@
 from __future__ import annotations
 
 import logging
+import os
 from typing import TYPE_CHECKING
 
 import httpx
@@ -73,13 +74,28 @@ def __init__(
         self._client_repository = client_repository or get_dcr_client_repository()
         self._settings = get_settings()
 
-        # Fernet cipher for encrypting client secrets
+        # Fernet cipher for encrypting client secrets.
+        # In production (Cloud Run), DCR_ENCRYPTION_KEY is required to prevent
+        # silent data loss from missing encryption configuration.
         self._fernet: Fernet | None = None
         if self._settings.dcr_encryption_key:
             try:
                 self._fernet = Fernet(self._settings.dcr_encryption_key.encode())
             except Exception as e:
-                logger.error("Invalid DCR encryption key: %s", e)
+                raise ValueError(
+                    f"Invalid DCR_ENCRYPTION_KEY: {e}. "
+                    "Generate a valid key with: "
+                    "python -c 'from cryptography.fernet import Fernet; "
+                    "print(Fernet.generate_key().decode())'"
+                ) from e
+        elif os.getenv("K_SERVICE"):
+            raise ValueError(
+                "DCR_ENCRYPTION_KEY is required in production "
+                f"(K_SERVICE={os.getenv('K_SERVICE')}). "
+                "Client secrets cannot be stored without an encryption key. "
+                "Generate a key with: python -c 'from cryptography.fernet import Fernet; "
+                "print(Fernet.generate_key().decode())'"
+            )
 
     def _get_gma_client(self) -> GMAClient:
         """Get the GMA client (lazy initialization)."""
@@ -95,10 +111,15 @@ def _encrypt_secret(self, secret: str) -> str:
 
         Returns:
             Encrypted secret as base64 string.
+
+        Raises:
+            RuntimeError: If DCR_ENCRYPTION_KEY is not configured.
         """
         if not self._fernet:
-            logger.warning("DCR_ENCRYPTION_KEY not set, using ephemeral key")
-            self._fernet = Fernet(Fernet.generate_key())
+            raise RuntimeError(
+                "Cannot encrypt client secret: DCR_ENCRYPTION_KEY is not configured. "
+                "Set DCR_ENCRYPTION_KEY to a valid Fernet key before performing DCR operations."
+            )
         return self._fernet.encrypt(secret.encode()).decode()
 
     def _decrypt_secret(self, encrypted_secret: str) -> str | None:

tests/conftest.py

@@ -18,6 +18,10 @@
 os.environ["DCR_ENABLED"] = "false"  # Use pre-seeded credentials for tests
 os.environ["RED_HAT_SSO_CLIENT_ID"] = "test-static-client-id"
 os.environ["RED_HAT_SSO_CLIENT_SECRET"] = "test-static-client-secret"
+# Stable Fernet key for tests — secrets encrypted in one test can be decrypted in another
+from cryptography.fernet import Fernet as _Fernet  # noqa: E402
+
+os.environ["DCR_ENCRYPTION_KEY"] = _Fernet.generate_key().decode()
 
 
 @pytest.fixture