ake/paperclip
1
0
Fork 0
mirror of https://github.com/alkimake/paperclip.git synced 2026-06-17 03:10:38 +09:00
Code Issues Projects Releases Packages Wiki Activity

[codex] Add routine env secrets support (#6212)

Browse source 
## Thinking Path

> - Paperclip orchestrates AI agents for zero-human companies.
> - Scheduled routines are the control-plane path for recurring agent
work.
> - Routines already had dispatch/history, but their runtime environment
did not carry routine-owned secret bindings through execution.
> - Operators need routine-specific secrets that can override
project/agent env without exposing secret values in history, logs, or
access events.
> - This pull request adds the routine env runtime contract, wires it
into execution, and makes the routine UI/history surfaces show safe
secret metadata.
> - The benefit is that routine executions can use scoped secret refs
predictably while preserving company boundaries and auditability.

## What Changed

- Added routine env persistence/runtime support, including
`routines.env`, `routine_runs.routine_revision_id`, revision snapshots,
and idempotent migration `0086_routine_env_runtime_contract`.
- Resolved routine env during heartbeat adapter config assembly with
precedence `agent < project < routine` and secret access events recorded
against the routine consumer.
- Added secret binding synchronization for routine create/update/restore
flows and guarded cross-company, missing, disabled, and deleted secret
cases.
- Added a Secrets tab to routine detail, env/secret history diff
rendering, and Storybook coverage for the new UI states.
- Added server/UI regression tests, including an embedded-Postgres QA
path for routine secret execution and restore behavior.
- Updated implementation/database docs for routine env and
secret-binding behavior.

## Verification

- `pnpm install --frozen-lockfile` after rebasing onto
`public-gh/master` to refresh workspace links for the newly-added
upstream Grok adapter package.
- `pnpm exec vitest run
server/src/__tests__/heartbeat-project-env.test.ts
server/src/__tests__/routines-service.test.ts
server/src/__tests__/secrets-service.test.ts
server/src/__tests__/qa-routine-secrets-e2e.test.ts
ui/src/components/RoutineHistoryTab.test.tsx` passed: 5 files, 92 tests.
- `pnpm -r typecheck` passed across the workspace.
- `pnpm build` passed. Vite emitted the existing
large-chunk/dynamic-import warnings.
- UI screenshots were captured locally during QA in
`artifacts/pap-9521/` and `artifacts/pap-9522/`; generated screenshots
are not committed to avoid adding binary artifacts to the repo.

## Risks

- Migration risk is limited by `IF NOT EXISTS` guards for the new
columns, FK, and index, and the migration is ordered as `0086`
immediately after upstream `0085`.
- Runtime behavior changes env precedence for routine executions by
adding routine env as the highest-precedence layer; tests cover
agent/project/routine precedence.
- Secret handling is security-sensitive; tests cover value-free
manifests/events/errors, disabled/missing/deleted secrets, and
cross-company rejection.
- UI history now renders routine env/secret diffs; tests and Storybook
stories cover the main rendering paths.

> For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and
discuss it in `#dev` before opening the PR. Feature PRs that overlap
with planned core work may need to be redirected — check the roadmap
first. See `CONTRIBUTING.md`.

## Model Used

- OpenAI Codex coding agent based on GPT-5, with shell/tool use and
medium reasoning effort.

## Checklist

- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have checked ROADMAP.md and confirmed this PR does not duplicate
planned core work
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [x] If this change affects the UI, I have included before/after
screenshots
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge

---------

Co-authored-by: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Dotta 2026-05-17 16:30:34 -05:00 committed by GitHub
parent 3e6610fb93
commit 705c1b8d81
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
20 changed files with 1736 additions and 50 deletions
Download patch file Download diff file Expand all files Collapse all files

60
ui/src/pages/RoutineDetail.tsx
View file

@ -8,6 +8,7 @@ import {
Clock3,
Copy,
History as HistoryIcon,
KeyRound,
Play,
RefreshCw,
Repeat,
@ -18,6 +19,8 @@ import {
} from "lucide-react";
import { ApiError } from "../api/client";
import { routinesApi, type RoutineTriggerResponse, type RotateRoutineTriggerResponse, type RestoreRoutineRevisionResponse } from "../api/routines";
import { secretsApi } from "../api/secrets";
import { EnvVarEditor } from "../components/EnvVarEditor";
import {
RoutineHistoryTab,
type RoutineHistoryDirtyFieldDescriptor,
@ -63,13 +66,19 @@ import {
} from "@/components/ui/select";
import { Tabs, TabsContent, TabsList, TabsTrigger } from "@/components/ui/tabs";
import { Badge } from "@/components/ui/badge";
import type { RoutineDetail as RoutineDetailType, RoutineTrigger, RoutineVariable } from "@paperclipai/shared";
import type {
EnvBinding,
RoutineDetail as RoutineDetailType,
RoutineEnvConfig,
RoutineTrigger,
RoutineVariable,
} from "@paperclipai/shared";
const concurrencyPolicies = ["coalesce_if_active", "always_enqueue", "skip_if_active"];
const catchUpPolicies = ["skip_missed", "enqueue_missed_with_cap"];
const triggerKinds = ["schedule", "webhook"];
const signingModes = ["bearer", "hmac_sha256", "github_hmac", "none"];
const routineTabs = ["triggers", "runs", "activity", "history"] as const;
const routineTabs = ["triggers", "runs", "activity", "secrets", "history"] as const;
const concurrencyPolicyDescriptions: Record<string, string> = {
coalesce_if_active: "Keep one follow-up run queued while an active run is still working.",
always_enqueue: "Queue every trigger occurrence, even if several runs stack up.",
@ -141,12 +150,14 @@ function buildRoutineMutationPayload(input: {
concurrencyPolicy: string;
catchUpPolicy: string;
variables: RoutineVariable[];
env: RoutineEnvConfig | null;
}) {
return {
...input,
description: input.description.trim() || null,
projectId: input.projectId || null,
assigneeAgentId: input.assigneeAgentId || null,
env: input.env && Object.keys(input.env).length > 0 ? input.env : null,
};
}
@ -304,6 +315,7 @@ export function RoutineDetail() {
concurrencyPolicy: string;
catchUpPolicy: string;
variables: RoutineVariable[];
env: RoutineEnvConfig | null;
}>({
title: "",
description: "",
@ -313,6 +325,7 @@ export function RoutineDetail() {
concurrencyPolicy: "coalesce_if_active",
catchUpPolicy: "skip_missed",
variables: [],
env: null,
});
const activeTab = useMemo(() => getRoutineTabFromSearch(location.search), [location.search]);
@ -366,6 +379,21 @@ export function RoutineDetail() {
queryFn: () => accessApi.listUserDirectory(selectedCompanyId!),
enabled: !!selectedCompanyId,
});
const { data: availableSecrets = [] } = useQuery({
queryKey: selectedCompanyId ? queryKeys.secrets.list(selectedCompanyId) : ["secrets", "none"],
queryFn: () => secretsApi.list(selectedCompanyId!),
enabled: Boolean(selectedCompanyId),
});
const createSecret = useMutation({
mutationFn: (input: { name: string; value: string }) => {
if (!selectedCompanyId) throw new Error("Select a company to create secrets");
return secretsApi.create(selectedCompanyId, input);
},
onSuccess: () => {
if (!selectedCompanyId) return;
queryClient.invalidateQueries({ queryKey: queryKeys.secrets.list(selectedCompanyId) });
},
});
const routineDefaults = useMemo(
() =>
@ -379,6 +407,7 @@ export function RoutineDetail() {
concurrencyPolicy: routine.concurrencyPolicy,
catchUpPolicy: routine.catchUpPolicy,
variables: routine.variables,
env: routine.env ?? null,
}
: null,
[routine],
@ -408,6 +437,9 @@ export function RoutineDetail() {
if (JSON.stringify(editDraft.variables) !== JSON.stringify(routineDefaults.variables)) {
result.push({ key: "variables", label: "the variables" });
}
if (JSON.stringify(editDraft.env ?? null) !== JSON.stringify(routineDefaults.env ?? null)) {
result.push({ key: "env", label: "the secrets" });
}
return result;
}, [editDraft, routineDefaults]);
const isEditDirty = dirtyFields.length > 0;
@ -1082,6 +1114,10 @@ export function RoutineDetail() {
<ActivityIcon className="h-3.5 w-3.5" />
Activity
</TabsTrigger>
<TabsTrigger value="secrets" className="gap-1.5">
<KeyRound className="h-3.5 w-3.5" />
Secrets
</TabsTrigger>
<TabsTrigger value="history" className="gap-1.5">
<HistoryIcon className="h-3.5 w-3.5" />
History
@ -1226,6 +1262,24 @@ export function RoutineDetail() {
)}
</TabsContent>
<TabsContent value="secrets" className="space-y-3">
<p className="text-xs text-muted-foreground">
Routine secrets apply to every issue this routine creates. They override matching keys in
project and agent env. <span className="font-mono">PAPERCLIP_*</span> variables are reserved.
</p>
<EnvVarEditor
value={(editDraft.env ?? {}) as Record<string, EnvBinding>}
secrets={availableSecrets}
onCreateSecret={async (name, value) => {
const created = await createSecret.mutateAsync({ name, value });
return created;
}}
onChange={(env) =>
setEditDraft((current) => ({ ...current, env: env ?? null }))
}
/>
</TabsContent>
<TabsContent value="history">
<RoutineHistoryTab
routine={routine}
@ -1241,6 +1295,7 @@ export function RoutineDetail() {
}}
agents={agentById}
projects={projectById}
secrets={availableSecrets}
onRestoreSecretMaterials={(response: RestoreRoutineRevisionResponse) => {
if (response.secretMaterials.length > 0) {
setSecretMessage({
@ -1277,6 +1332,7 @@ export function RoutineDetail() {
concurrencyPolicy: response.routine.concurrencyPolicy,
catchUpPolicy: response.routine.catchUpPolicy,
variables: response.routine.variables,
env: response.routine.env ?? null,
});
hydratedRoutineIdRef.current = response.routine.id;
}}