ake/paperclip
1
0
Fork 0
mirror of https://github.com/alkimake/paperclip.git synced 2026-06-15 18:30:39 +09:00
Code Issues Projects Releases Packages Wiki Activity

[codex] Add routine env secrets support (#6212)

Browse source 
## Thinking Path

> - Paperclip orchestrates AI agents for zero-human companies.
> - Scheduled routines are the control-plane path for recurring agent
work.
> - Routines already had dispatch/history, but their runtime environment
did not carry routine-owned secret bindings through execution.
> - Operators need routine-specific secrets that can override
project/agent env without exposing secret values in history, logs, or
access events.
> - This pull request adds the routine env runtime contract, wires it
into execution, and makes the routine UI/history surfaces show safe
secret metadata.
> - The benefit is that routine executions can use scoped secret refs
predictably while preserving company boundaries and auditability.

## What Changed

- Added routine env persistence/runtime support, including
`routines.env`, `routine_runs.routine_revision_id`, revision snapshots,
and idempotent migration `0086_routine_env_runtime_contract`.
- Resolved routine env during heartbeat adapter config assembly with
precedence `agent < project < routine` and secret access events recorded
against the routine consumer.
- Added secret binding synchronization for routine create/update/restore
flows and guarded cross-company, missing, disabled, and deleted secret
cases.
- Added a Secrets tab to routine detail, env/secret history diff
rendering, and Storybook coverage for the new UI states.
- Added server/UI regression tests, including an embedded-Postgres QA
path for routine secret execution and restore behavior.
- Updated implementation/database docs for routine env and
secret-binding behavior.

## Verification

- `pnpm install --frozen-lockfile` after rebasing onto
`public-gh/master` to refresh workspace links for the newly-added
upstream Grok adapter package.
- `pnpm exec vitest run
server/src/__tests__/heartbeat-project-env.test.ts
server/src/__tests__/routines-service.test.ts
server/src/__tests__/secrets-service.test.ts
server/src/__tests__/qa-routine-secrets-e2e.test.ts
ui/src/components/RoutineHistoryTab.test.tsx` passed: 5 files, 92 tests.
- `pnpm -r typecheck` passed across the workspace.
- `pnpm build` passed. Vite emitted the existing
large-chunk/dynamic-import warnings.
- UI screenshots were captured locally during QA in
`artifacts/pap-9521/` and `artifacts/pap-9522/`; generated screenshots
are not committed to avoid adding binary artifacts to the repo.

## Risks

- Migration risk is limited by `IF NOT EXISTS` guards for the new
columns, FK, and index, and the migration is ordered as `0086`
immediately after upstream `0085`.
- Runtime behavior changes env precedence for routine executions by
adding routine env as the highest-precedence layer; tests cover
agent/project/routine precedence.
- Secret handling is security-sensitive; tests cover value-free
manifests/events/errors, disabled/missing/deleted secrets, and
cross-company rejection.
- UI history now renders routine env/secret diffs; tests and Storybook
stories cover the main rendering paths.

> For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and
discuss it in `#dev` before opening the PR. Feature PRs that overlap
with planned core work may need to be redirected — check the roadmap
first. See `CONTRIBUTING.md`.

## Model Used

- OpenAI Codex coding agent based on GPT-5, with shell/tool use and
medium reasoning effort.

## Checklist

- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have checked ROADMAP.md and confirmed this PR does not duplicate
planned core work
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [x] If this change affects the UI, I have included before/after
screenshots
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge

---------

Co-authored-by: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Dotta 2026-05-17 16:30:34 -05:00 committed by GitHub
parent 3e6610fb93
commit 705c1b8d81
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
20 changed files with 1736 additions and 50 deletions
Download patch file Download diff file Expand all files Collapse all files

124
server/src/services/heartbeat.ts
View file

@ -18,6 +18,7 @@ import {
type IssueExecutionMonitorPolicy,
type IssueExecutionMonitorRecoveryPolicy,
type ModelProfileKey,
type RoutineRevisionSnapshotV1,
type RunLivenessState,
} from "@paperclipai/shared";
import {
@ -40,6 +41,9 @@ import {
issueWorkProducts,
projects,
projectWorkspaces,
routineRevisions,
routineRuns,
routines,
workspaceOperations,
} from "@paperclipai/db";
import { conflict, HttpError, notFound } from "../errors.js";
@ -327,19 +331,44 @@ type RuntimeConfigSecretResolver = Pick<
"resolveAdapterConfigForRuntime" | "resolveEnvBindings"
>;
function isPaperclipRuntimeEnvKey(key: string) {
return key.startsWith("PAPERCLIP_");
}
function stripPaperclipRuntimeEnvBindings(envValue: unknown): Record<string, unknown> | null {
const record = parseObject(envValue);
const filtered = Object.fromEntries(
Object.entries(record).filter(([key]) => !isPaperclipRuntimeEnvKey(key)),
);
return Object.keys(filtered).length > 0 ? filtered : null;
}
function stripPaperclipRuntimeEnvFromAdapterConfig(config: Record<string, unknown>): Record<string, unknown> {
if (!Object.prototype.hasOwnProperty.call(config, "env")) return config;
return {
...config,
env: stripPaperclipRuntimeEnvBindings(config.env) ?? {},
};
}
export async function resolveExecutionRunAdapterConfig(input: {
companyId: string;
agentId?: string | null;
issueId?: string | null;
heartbeatRunId?: string | null;
projectId?: string | null;
routineId?: string | null;
executionRunConfig: Record<string, unknown>;
projectEnv: unknown;
routineEnv?: unknown;
secretsSvc: RuntimeConfigSecretResolver;
}) {
const executionRunConfig = stripPaperclipRuntimeEnvFromAdapterConfig(input.executionRunConfig);
const projectEnv = stripPaperclipRuntimeEnvBindings(input.projectEnv);
const routineEnv = stripPaperclipRuntimeEnvBindings(input.routineEnv);
const { config: resolvedConfig, secretKeys, manifest } = await input.secretsSvc.resolveAdapterConfigForRuntime(
input.companyId,
input.executionRunConfig,
executionRunConfig,
input.agentId
? {
consumerType: "agent",
@ -351,10 +380,10 @@ export async function resolveExecutionRunAdapterConfig(input: {
}
: undefined,
);
const projectEnvResolution = input.projectEnv
const projectEnvResolution = projectEnv
? await input.secretsSvc.resolveEnvBindings(
input.companyId,
input.projectEnv,
projectEnv,
input.projectId
? {
consumerType: "project",
@ -376,10 +405,39 @@ export async function resolveExecutionRunAdapterConfig(input: {
secretKeys.add(key);
}
}
const routineEnvResolution = routineEnv
? await input.secretsSvc.resolveEnvBindings(
input.companyId,
routineEnv,
input.routineId
? {
consumerType: "routine",
consumerId: input.routineId,
actorType: "agent",
actorId: input.agentId ?? null,
issueId: input.issueId ?? null,
heartbeatRunId: input.heartbeatRunId ?? null,
}
: undefined,
)
: { env: {}, secretKeys: new Set<string>(), manifest: [] };
if (Object.keys(routineEnvResolution.env).length > 0) {
resolvedConfig.env = {
...parseObject(resolvedConfig.env),
...routineEnvResolution.env,
};
for (const key of routineEnvResolution.secretKeys) {
secretKeys.add(key);
}
}
return {
resolvedConfig,
secretKeys,
secretManifest: [...(manifest ?? []), ...(projectEnvResolution.manifest ?? [])],
secretManifest: [
...(manifest ?? []),
...(projectEnvResolution.manifest ?? []),
...(routineEnvResolution.manifest ?? []),
],
};
}
@ -2433,12 +2491,67 @@ export function heartbeatService(db: Db, options: HeartbeatServiceOptions = {})
assigneeAgentId: issues.assigneeAgentId,
assigneeAdapterOverrides: issues.assigneeAdapterOverrides,
executionWorkspaceSettings: issues.executionWorkspaceSettings,
originKind: issues.originKind,
originId: issues.originId,
originRunId: issues.originRunId,
})
.from(issues)
.where(and(eq(issues.id, issueId), eq(issues.companyId, companyId)))
.then((rows) => rows[0] ?? null);
}
async function getRoutineEnvForExecutionIssue(
companyId: string,
issueContext: Awaited<ReturnType<typeof getIssueExecutionContext>> | null,
) {
if (!issueContext || issueContext.originKind !== "routine_execution" || !issueContext.originId) {
return { routineId: null, env: null };
}
const routineRun = issueContext.originRunId
? await db
.select({
routineRevisionId: routineRuns.routineRevisionId,
})
.from(routineRuns)
.where(
and(
eq(routineRuns.id, issueContext.originRunId),
eq(routineRuns.companyId, companyId),
eq(routineRuns.routineId, issueContext.originId),
),
)
.then((rows) => rows[0] ?? null)
: null;
if (routineRun?.routineRevisionId) {
const revision = await db
.select({
snapshot: routineRevisions.snapshot,
})
.from(routineRevisions)
.where(
and(
eq(routineRevisions.id, routineRun.routineRevisionId),
eq(routineRevisions.companyId, companyId),
eq(routineRevisions.routineId, issueContext.originId),
),
)
.then((rows) => rows[0] ?? null);
const snapshot = revision?.snapshot as RoutineRevisionSnapshotV1 | undefined;
if (snapshot?.version === 1) {
return { routineId: issueContext.originId, env: snapshot.routine.env ?? null };
}
}
const routine = await db
.select({ env: routines.env })
.from(routines)
.where(and(eq(routines.id, issueContext.originId), eq(routines.companyId, companyId)))
.then((rows) => rows[0] ?? null);
return { routineId: issueContext.originId, env: routine?.env ?? null };
}
async function getRuntimeState(agentId: string) {
return db
.select()
@ -6870,6 +6983,7 @@ export function heartbeatService(db: Db, options: HeartbeatServiceOptions = {})
.where(and(eq(projects.id, executionProjectId), eq(projects.companyId, agent.companyId)))
.then((rows) => rows[0] ?? null)
: null;
const routineEnvContext = await getRoutineEnvForExecutionIssue(agent.companyId, issueContext);
const projectExecutionWorkspacePolicy = gateProjectExecutionWorkspacePolicy(
parseProjectExecutionWorkspacePolicy(projectContext?.executionWorkspacePolicy),
isolatedWorkspacesEnabled,
@ -7074,8 +7188,10 @@ export function heartbeatService(db: Db, options: HeartbeatServiceOptions = {})
issueId,
heartbeatRunId: run.id,
projectId: projectContext?.id ?? null,
routineId: routineEnvContext.routineId,
executionRunConfig,
projectEnv: projectContext?.env ?? null,
routineEnv: routineEnvContext.env,
secretsSvc,
});
if (secretManifest.length > 0) {

80
server/src/services/routines.ts
View file

@ -366,6 +366,8 @@ function createRoutineDispatchFingerprint(input: {
payload: Record<string, unknown> | null;
projectId: string | null;
assigneeAgentId: string | null;
routineRevisionId: string | null;
routineEnvFingerprint: string | null;
executionWorkspaceId?: string | null;
executionWorkspacePreference?: string | null;
executionWorkspaceSettings?: Record<string, unknown> | null;
@ -376,6 +378,11 @@ function createRoutineDispatchFingerprint(input: {
return crypto.createHash("sha256").update(canonical).digest("hex");
}
function createRoutineEnvFingerprint(env: unknown) {
const canonical = JSON.stringify(normalizeRoutineDispatchFingerprintValue(env ?? null));
return crypto.createHash("sha256").update(canonical).digest("hex");
}
function readManagedRoutineIssueTemplate(defaultsJson: Record<string, unknown> | null | undefined) {
const value = defaultsJson?.issueTemplate;
if (!isPlainRecord(value)) return null;
@ -406,6 +413,7 @@ function routineRevisionSnapshotRoutine(routine: RoutineRow): RoutineRevisionSna
concurrencyPolicy: routine.concurrencyPolicy as RoutineRevisionSnapshotV1["routine"]["concurrencyPolicy"],
catchUpPolicy: routine.catchUpPolicy as RoutineRevisionSnapshotV1["routine"]["catchUpPolicy"],
variables: routine.variables ?? [],
env: routine.env ?? null,
};
}
@ -686,6 +694,7 @@ export function routineService(
idempotencyKey: routineRuns.idempotencyKey,
triggerPayload: routineRuns.triggerPayload,
dispatchFingerprint: routineRuns.dispatchFingerprint,
routineRevisionId: routineRuns.routineRevisionId,
linkedIssueId: routineRuns.linkedIssueId,
coalescedIntoRunId: routineRuns.coalescedIntoRunId,
failureReason: routineRuns.failureReason,
@ -719,6 +728,7 @@ export function routineService(
idempotencyKey: row.idempotencyKey,
triggerPayload: row.triggerPayload as Record<string, unknown> | null,
dispatchFingerprint: row.dispatchFingerprint,
routineRevisionId: row.routineRevisionId,
linkedIssueId: row.linkedIssueId,
coalescedIntoRunId: row.coalescedIntoRunId,
failureReason: row.failureReason,
@ -1138,6 +1148,8 @@ export function routineService(
payload: triggerPayload,
projectId,
assigneeAgentId,
routineRevisionId: input.routine.latestRevisionId,
routineEnvFingerprint: createRoutineEnvFingerprint(input.routine.env),
executionWorkspaceId: input.executionWorkspaceId ?? null,
executionWorkspacePreference: input.executionWorkspacePreference ?? null,
executionWorkspaceSettings: input.executionWorkspaceSettings ?? null,
@ -1183,6 +1195,7 @@ export function routineService(
idempotencyKey: input.idempotencyKey ?? null,
triggerPayload,
dispatchFingerprint,
routineRevisionId: input.routine.latestRevisionId,
})
.returning();
@ -1430,6 +1443,7 @@ export function routineService(
idempotencyKey: routineRuns.idempotencyKey,
triggerPayload: routineRuns.triggerPayload,
dispatchFingerprint: routineRuns.dispatchFingerprint,
routineRevisionId: routineRuns.routineRevisionId,
linkedIssueId: routineRuns.linkedIssueId,
coalescedIntoRunId: routineRuns.coalescedIntoRunId,
failureReason: routineRuns.failureReason,
@ -1462,6 +1476,7 @@ export function routineService(
idempotencyKey: run.idempotencyKey,
triggerPayload: run.triggerPayload as Record<string, unknown> | null,
dispatchFingerprint: run.dispatchFingerprint,
routineRevisionId: run.routineRevisionId,
linkedIssueId: run.linkedIssueId,
coalescedIntoRunId: run.coalescedIntoRunId,
failureReason: run.failureReason,
@ -1508,13 +1523,19 @@ export function routineService(
await assertAssignableAgent(companyId, input.assigneeAgentId ?? null);
if (input.goalId) await assertGoal(companyId, input.goalId);
if (input.parentIssueId) await assertParentIssue(companyId, input.parentIssueId);
const env = input.env === undefined || input.env === null
? null
: await secretsSvc.normalizeEnvBindingsForPersistence(companyId, input.env, {
strictMode: process.env.PAPERCLIP_SECRETS_STRICT_MODE === "true",
fieldPath: "env",
});
const variables = syncRoutineVariablesWithTemplate(
[input.title, input.description],
sanitizeRoutineVariableInputs(input.variables),
);
assertRoutineVariableDefinitions(variables);
const status = normalizeDraftRoutineStatus(input.status, input.assigneeAgentId);
return db.transaction(async (tx) => {
const createdRoutine = await db.transaction(async (tx) => {
const txDb = tx as unknown as Db;
const [created] = await txDb
.insert(routines)
@ -1531,6 +1552,7 @@ export function routineService(
concurrencyPolicy: input.concurrencyPolicy,
catchUpPolicy: input.catchUpPolicy,
variables,
env,
createdByAgentId: actor.agentId ?? null,
createdByUserId: actor.userId ?? null,
updatedByAgentId: actor.agentId ?? null,
@ -1540,8 +1562,17 @@ export function routineService(
const { routine } = await appendRoutineRevision(txDb, created, actor, {
changeSummary: "Created routine",
});
if (env) {
await secretsSvc.syncEnvBindingsForTarget(
companyId,
{ targetType: "routine", targetId: routine.id },
env,
{ db: tx },
);
}
return routine;
});
return createdRoutine;
},
update: async (id: string, patch: UpdateRoutine, actor: Actor): Promise<Routine | null> => {
@ -1551,6 +1582,14 @@ export function routineService(
const nextAssigneeAgentId = patch.assigneeAgentId === undefined ? existing.assigneeAgentId : patch.assigneeAgentId;
const nextTitle = patch.title ?? existing.title;
const nextDescription = patch.description === undefined ? existing.description : patch.description;
const nextEnv = patch.env === undefined
? existing.env
: patch.env === null
? null
: await secretsSvc.normalizeEnvBindingsForPersistence(existing.companyId, patch.env, {
strictMode: process.env.PAPERCLIP_SECRETS_STRICT_MODE === "true",
fieldPath: "env",
});
const requestedStatus = patch.status ?? existing.status;
if (patch.status === "active") {
assertRoutineCanEnable(patch.status, nextAssigneeAgentId);
@ -1582,7 +1621,7 @@ export function routineService(
if (enabledScheduleTriggers) {
assertScheduleCompatibleVariables(nextVariables);
}
return db.transaction(async (tx) => {
const updatedRoutine = await db.transaction(async (tx) => {
const txDb = tx as unknown as Db;
await tx.execute(sql`select id from ${routines} where ${routines.id} = ${id} for update`);
const locked = await txDb
@ -1611,6 +1650,7 @@ export function routineService(
concurrencyPolicy: patch.concurrencyPolicy ?? locked.concurrencyPolicy,
catchUpPolicy: patch.catchUpPolicy ?? locked.catchUpPolicy,
variables: nextVariables,
env: nextEnv,
updatedByAgentId: actor.agentId ?? null,
updatedByUserId: actor.userId ?? null,
};
@ -1633,6 +1673,14 @@ export function routineService(
)
.then((rows) => rows[0] ?? null);
if (latestRevision && snapshotsMatch(nextSnapshot, latestRevision.snapshot as RoutineRevisionSnapshotV1)) {
if (patch.env !== undefined) {
await secretsSvc.syncEnvBindingsForTarget(
locked.companyId,
{ targetType: "routine", targetId: locked.id },
candidate.env,
{ db: tx },
);
}
return locked;
}
}
@ -1651,6 +1699,7 @@ export function routineService(
concurrencyPolicy: candidate.concurrencyPolicy,
catchUpPolicy: candidate.catchUpPolicy,
variables: candidate.variables,
env: candidate.env,
updatedByAgentId: actor.agentId ?? null,
updatedByUserId: actor.userId ?? null,
updatedAt: new Date(),
@ -1661,8 +1710,17 @@ export function routineService(
const { routine } = await appendRoutineRevision(txDb, updated, actor, {
changeSummary: "Updated routine",
});
if (patch.env !== undefined) {
await secretsSvc.syncEnvBindingsForTarget(
routine.companyId,
{ targetType: "routine", targetId: routine.id },
routine.env,
{ db: tx },
);
}
return routine;
});
return updatedRoutine;
},
createTrigger: async (
@ -1770,7 +1828,7 @@ export function routineService(
}
}
return db.transaction(async (tx) => {
const result = await db.transaction(async (tx) => {
const txDb = tx as unknown as Db;
await tx.execute(sql`select id from ${routines} where ${routines.id} = ${existing.routineId} for update`);
const [updated] = await txDb
@ -1801,12 +1859,13 @@ export function routineService(
});
return { trigger: updated as RoutineTrigger, revision: appended.revision };
});
return result;
},
deleteTrigger: async (id: string, actor: Actor = {}): Promise<{ deleted: boolean; revision: RoutineRevision | null }> => {
const existing = await getTriggerById(id);
if (!existing) return { deleted: false, revision: null };
return db.transaction(async (tx) => {
const result = await db.transaction(async (tx) => {
const txDb = tx as unknown as Db;
await tx.execute(sql`select id from ${routines} where ${routines.id} = ${existing.routineId} for update`);
await txDb.delete(routineTriggers).where(eq(routineTriggers.id, id));
@ -1821,6 +1880,7 @@ export function routineService(
});
return { deleted: true, revision: appended.revision };
});
return result;
},
rotateTriggerSecret: async (
@ -1912,7 +1972,7 @@ export function routineService(
const routineSnapshot = snapshot.routine;
await assertRestorableAssignee(existingRoutine.companyId, routineSnapshot.assigneeAgentId, actor);
return db.transaction(async (tx) => {
const result = await db.transaction(async (tx) => {
const txDb = tx as unknown as Db;
await tx.execute(sql`select id from ${routines} where ${routines.id} = ${existingRoutine.id} for update`);
const locked = await txDb
@ -1964,6 +2024,7 @@ export function routineService(
concurrencyPolicy: routineSnapshot.concurrencyPolicy,
catchUpPolicy: routineSnapshot.catchUpPolicy,
variables: routineSnapshot.variables,
env: routineSnapshot.env,
updatedByAgentId: actor.agentId ?? null,
updatedByUserId: actor.userId ?? null,
updatedAt: now,
@ -2033,6 +2094,12 @@ export function routineService(
changeSummary: `Restored from revision ${targetRevision.revisionNumber}`,
restoredFromRevisionId: targetRevision.id,
});
await secretsSvc.syncEnvBindingsForTarget(
locked.companyId,
{ targetType: "routine", targetId: locked.id },
routineSnapshot.env,
{ db: tx },
);
return {
routine: appended.routine,
revision: appended.revision,
@ -2041,6 +2108,7 @@ export function routineService(
secretMaterials: [...recreatedWebhookSecrets.values()].map((entry) => entry.secretMaterial),
};
});
return result;
},
runRoutine: async (id: string, input: RunRoutine, actor?: Actor) => {
@ -2172,6 +2240,7 @@ export function routineService(
idempotencyKey: routineRuns.idempotencyKey,
triggerPayload: routineRuns.triggerPayload,
dispatchFingerprint: routineRuns.dispatchFingerprint,
routineRevisionId: routineRuns.routineRevisionId,
linkedIssueId: routineRuns.linkedIssueId,
coalescedIntoRunId: routineRuns.coalescedIntoRunId,
failureReason: routineRuns.failureReason,
@ -2204,6 +2273,7 @@ export function routineService(
idempotencyKey: row.idempotencyKey,
triggerPayload: row.triggerPayload as Record<string, unknown> | null,
dispatchFingerprint: row.dispatchFingerprint,
routineRevisionId: row.routineRevisionId,
linkedIssueId: row.linkedIssueId,
coalescedIntoRunId: row.coalescedIntoRunId,
failureReason: row.failureReason,

85
server/src/services/secrets.ts
View file

@ -61,6 +61,8 @@ const COMING_SOON_SECRET_PROVIDERS: ReadonlySet<SecretProvider> = new Set([
"gcp_secret_manager",
"vault",
]);
type DbTransaction = Parameters<Parameters<Db["transaction"]>[0]>[0];
type SecretBindingDb = Pick<Db | DbTransaction, "select" | "delete" | "insert">;
function remoteProviderHttpError(error: unknown, context: {
companyId: string;
@ -195,6 +197,14 @@ type RuntimeSecretResolution = {
manifestEntry: RuntimeSecretManifestEntry;
};
type SecretResolutionErrorCode =
| "binding_missing"
| "secret_deleted"
| "secret_inactive"
| "version_missing"
| "version_inactive"
| "provider_error";
function asRecord(value: unknown): Record<string, unknown> | null {
if (typeof value !== "object" || value === null || Array.isArray(value)) return null;
return value as Record<string, unknown>;
@ -238,6 +248,33 @@ function defaultProviderConfigStatus(provider: SecretProvider): SecretProviderCo
return COMING_SOON_SECRET_PROVIDERS.has(provider) ? "coming_soon" : "ready";
}
function secretResolutionErrorCode(error: unknown): SecretResolutionErrorCode {
if (isSecretProviderClientError(error)) return "provider_error";
if (error instanceof HttpError) {
const details = asRecord(error.details);
switch (details?.code) {
case "binding_missing":
case "secret_deleted":
case "secret_inactive":
case "version_missing":
case "version_inactive":
case "provider_error":
return details.code;
}
if (error.message === "Secret is not active") return "secret_inactive";
if (error.message === "Secret version not found") return "version_missing";
if (error.message === "Secret version is not active") return "version_inactive";
if (
error.message === "Secret resolution requires a binding config path" ||
error.message.startsWith("Secret is not bound to ")
) {
return "binding_missing";
}
if (error.status >= 500) return "provider_error";
}
return "provider_error";
}
function assertSelectableProviderConfig(config: {
provider: string;
status: string;
@ -259,8 +296,8 @@ export function secretService(db: Db) {
fieldPath?: string;
};
async function getById(id: string) {
return db
async function getById(id: string, source: Pick<Db | DbTransaction, "select"> = db) {
return source
.select()
.from(companySecrets)
.where(eq(companySecrets.id, id))
@ -321,7 +358,7 @@ export function secretService(db: Db) {
) {
if (!context) return;
if (!context.configPath) {
throw unprocessable("Secret resolution requires a binding config path");
throw unprocessable("Secret resolution requires a binding config path", { code: "binding_missing" });
}
const binding = await getBinding({
companyId,
@ -333,6 +370,7 @@ export function secretService(db: Db) {
if (!binding) {
throw unprocessable(
`Secret is not bound to ${context.consumerType}:${context.consumerId} at ${context.configPath}`,
{ code: "binding_missing" },
);
}
}
@ -365,8 +403,12 @@ export function secretService(db: Db) {
});
}
async function assertSecretInCompany(companyId: string, secretId: string) {
const secret = await getById(secretId);
async function assertSecretInCompany(
companyId: string,
secretId: string,
source: Pick<Db | DbTransaction, "select"> = db,
) {
const secret = await getById(secretId, source);
if (!secret) throw notFound("Secret not found");
if (secret.status === "deleted") throw notFound("Secret not found");
if (secret.companyId !== companyId) throw unprocessable("Secret must belong to same company");
@ -495,19 +537,24 @@ export function secretService(db: Db) {
version: number | "latest",
context?: SecretConsumerContext,
): Promise<RuntimeSecretResolution> {
const secret = await assertSecretInCompany(companyId, secretId);
const secret = await getById(secretId);
if (!secret) throw notFound("Secret not found");
if (secret.companyId !== companyId) throw unprocessable("Secret must belong to same company");
const resolvedVersion = version === "latest" ? secret.latestVersion : version;
const providerId = secret.provider as SecretProvider;
const configPath = context?.configPath ?? null;
try {
if (secret.status === "deleted") {
throw new HttpError(404, "Secret not found", { code: "secret_deleted" });
}
if (secret.status !== "active") {
throw unprocessable("Secret is not active");
throw unprocessable("Secret is not active", { code: "secret_inactive" });
}
await assertBindingContext(companyId, secret.id, context);
const versionRow = await getSecretVersion(secret.id, resolvedVersion);
if (!versionRow) throw notFound("Secret version not found");
if (!versionRow) throw new HttpError(404, "Secret version not found", { code: "version_missing" });
if (versionRow.status === "disabled" || versionRow.status === "destroyed" || versionRow.revokedAt) {
throw unprocessable("Secret version is not active");
throw unprocessable("Secret version is not active", { code: "version_inactive" });
}
const provider = getSecretProvider(providerId);
const providerConfig = await getSelectableRuntimeProviderConfig({
@ -555,7 +602,7 @@ export function secretService(db: Db) {
},
};
} catch (err) {
const errorCode = err instanceof Error ? err.message.slice(0, 120) : "resolution_failed";
const errorCode = secretResolutionErrorCode(err);
await recordAccessEvent({
companyId,
secretId: secret.id,
@ -1984,6 +2031,7 @@ export function secretService(db: Db) {
companyId: string,
target: { targetType: SecretBindingTargetType; targetId: string; pathPrefix?: string },
envValue: unknown,
options?: { db?: SecretBindingDb },
) => {
const record = asRecord(envValue) ?? {};
const refs: Array<{
@ -1992,12 +2040,13 @@ export function secretService(db: Db) {
versionSelector: SecretVersionSelector;
}> = [];
const pathPrefix = target.pathPrefix ?? "env";
const bindingDb = options?.db ?? db;
for (const [key, rawBinding] of Object.entries(record)) {
const parsed = envBindingSchema.safeParse(rawBinding);
if (!parsed.success) continue;
const binding = canonicalizeBinding(parsed.data as EnvBinding);
if (binding.type !== "secret_ref") continue;
await assertSecretInCompany(companyId, binding.secretId);
await assertSecretInCompany(companyId, binding.secretId, bindingDb);
refs.push({
secretId: binding.secretId,
configPath: `${pathPrefix}.${key}`,
@ -2005,8 +2054,8 @@ export function secretService(db: Db) {
});
}
await db.transaction(async (tx) => {
await tx
const writeBindings = async (targetDb: SecretBindingDb) => {
await targetDb
.delete(companySecretBindings)
.where(
and(
@ -2017,7 +2066,7 @@ export function secretService(db: Db) {
),
);
if (refs.length === 0) return;
await tx.insert(companySecretBindings).values(
await targetDb.insert(companySecretBindings).values(
refs.map((ref) => ({
companyId,
secretId: ref.secretId,
@ -2028,7 +2077,13 @@ export function secretService(db: Db) {
required: true,
})),
);
});
};
if (options?.db) {
await writeBindings(options.db);
} else {
await db.transaction(async (tx) => writeBindings(tx));
}
return refs;
},