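docker compose run --rm --no-deps server1 node --input-type=module - <<'NODE'
// Reseed the encryption canary: unwrap the data-encryption key (DEK) through
// Cloud KMS, encrypt a fixed marker string with AES-256-GCM and upsert the
// result into encryption_canary (id = 1).
//
// Reads from the environment: DEK_PATH (wrapped DEK file), KMS_KEY_NAME,
// DB_HOST, DB_PORT, DB_USER, DB_PASSWORD, DB_NAME, DB_SSL_CA, DB_SSL_CERT,
// DB_SSL_KEY.
//
// Stored value layout: "gcm:" + base64(iv(12) || authTag(16) || ciphertext).
import mysql from 'mysql2/promise';
import { readFile } from 'fs/promises';
import { randomBytes, createCipheriv } from 'crypto';
import { KeyManagementServiceClient } from '@google-cloud/kms';

// Fail fast with a clear message instead of an opaque error from readFile()
// or the KMS/MySQL client when a required variable is unset.
for (const name of ['DEK_PATH', 'KMS_KEY_NAME', 'DB_HOST', 'DB_PORT', 'DB_USER', 'DB_NAME']) {
  if (!process.env[name]) {
    throw new Error(`missing required environment variable ${name}`);
  }
}
const port = Number.parseInt(process.env.DB_PORT, 10);
if (!Number.isInteger(port)) {
  throw new Error(`DB_PORT is not an integer: ${process.env.DB_PORT}`);
}

// Unwrap the DEK. KMS returns the raw key bytes in resp.plaintext.
const kms = new KeyManagementServiceClient();
const wrapped = await readFile(process.env.DEK_PATH);
const [resp] = await kms.decrypt({ name: process.env.KMS_KEY_NAME, ciphertext: wrapped });
const dek = Buffer.from(resp.plaintext);
if (dek.length !== 32) {
  throw new Error(`unwrapped DEK is ${dek.length} bytes; aes-256-gcm requires 32`);
}

// Encrypt the canary marker. The 96-bit random IV is stored alongside the tag
// and ciphertext so the reader can verify and decrypt it later.
let gcm;
try {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', dek, iv);
  const pt = 'aptiva-canary-v1';
  const ct = Buffer.concat([cipher.update(pt, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  gcm = `gcm:${Buffer.concat([iv, tag, ct]).toString('base64')}`;
} finally {
  // Best effort: do not leave the unwrapped key lingering in process memory
  // longer than needed (clears our copy; resp.plaintext is the client's).
  dek.fill(0);
}

const pool = await mysql.createPool({
  host: process.env.DB_HOST,
  port,
  user: process.env.DB_USER,
  password: process.env.DB_PASSWORD,
  database: process.env.DB_NAME,
  ssl: {
    ca: process.env.DB_SSL_CA,
    cert: process.env.DB_SSL_CERT,
    key: process.env.DB_SSL_KEY,
    minVersion: 'TLSv1.2',
    // A CA is supplied, so the server certificate must chain to it. The
    // previous `rejectUnauthorized: false` accepted any peer certificate,
    // which would let an on-path host impersonate the database and observe
    // the credentials and canary value despite TLS being configured. If the
    // server certificate does not validate, this job now fails loudly.
    rejectUnauthorized: true,
  },
});
try {
  await pool.query('CREATE TABLE IF NOT EXISTS encryption_canary (id TINYINT PRIMARY KEY, value TEXT NOT NULL)');
  // Parameter binding keeps the base64 payload out of the SQL text.
  await pool.query('INSERT INTO encryption_canary (id, value) VALUES (1, ?) ON DUPLICATE KEY UPDATE value=VALUES(value)', [gcm]);
} finally {
  // Always release the pool, otherwise a failed query leaves open connections
  // and the process may never exit.
  await pool.end();
}
console.log('✅ canary reseeded');
NODE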