fix: seed security defaults during init

[mikemechanic1337]

Summary

• Closes #5075
• auto-generate the security app encryption key and root client credentials when fides init runs so fresh configs boot without manual edits
• backfill these credentials if an existing config still contains legacy empty defaults
• add control-plane tests to cover newly generated values and the backfill path

Testing

• nox -s pytest -- ctl-unit

Manual Verification

1. Ensure Docker Desktop is running and copy example.env to .env if needed.
2. Start the dev stack via nox and open a shell in the API container: nox -s dev -- shell.
3. Inside the container, create a clean workspace and run init:
   • rm -rf /tmp/init-defaults && mkdir -p /tmp/init-defaults && cd /tmp/init-defaults
   • fides init (press Enter to decline analytics when prompted)
   • grep app_encryption_key .fides/fides.toml
   • grep oauth_root_client_id .fides/fides.toml
   • grep oauth_root_client_secret .fides/fides.toml Each command should show a non-empty value.
4. Simulate upgrading an older config with empty credentials:
   • printf '[security]\napp_encryption_key = "" # string\noauth_root_client_id = "" # string\noauth_root_client_secret = "" # string\n' > .fides/fides.toml
   • fides init (again answer the analytics prompt)
   • Re-run the three grep commands to confirm the blanks were replaced.
5. Exit the shell (exit) and stop the stack: nox -s teardown -- volumes.

[vercel[bot]]

Someone is attempting to deploy a commit to the Ethyca Team on Vercel.

A member of the Team first needs to authorize it.

[vercel[bot]]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Preview	Comments	Updated (UTC)
fides-privacy-center	Ignored			Sep 24, 2025 1:14am