ake/paperclip
1
0
Fork 0
mirror of https://github.com/alkimake/paperclip.git synced 2026-06-19 20:10:39 +09:00
Code Issues Projects Releases Packages Wiki Activity

[codex] Add routine env secrets support (#6212)

Browse source 
## Thinking Path

> - Paperclip orchestrates AI agents for zero-human companies.
> - Scheduled routines are the control-plane path for recurring agent
work.
> - Routines already had dispatch/history, but their runtime environment
did not carry routine-owned secret bindings through execution.
> - Operators need routine-specific secrets that can override
project/agent env without exposing secret values in history, logs, or
access events.
> - This pull request adds the routine env runtime contract, wires it
into execution, and makes the routine UI/history surfaces show safe
secret metadata.
> - The benefit is that routine executions can use scoped secret refs
predictably while preserving company boundaries and auditability.

## What Changed

- Added routine env persistence/runtime support, including
`routines.env`, `routine_runs.routine_revision_id`, revision snapshots,
and idempotent migration `0086_routine_env_runtime_contract`.
- Resolved routine env during heartbeat adapter config assembly with
precedence `agent < project < routine` and secret access events recorded
against the routine consumer.
- Added secret binding synchronization for routine create/update/restore
flows and guarded cross-company, missing, disabled, and deleted secret
cases.
- Added a Secrets tab to routine detail, env/secret history diff
rendering, and Storybook coverage for the new UI states.
- Added server/UI regression tests, including an embedded-Postgres QA
path for routine secret execution and restore behavior.
- Updated implementation/database docs for routine env and
secret-binding behavior.

## Verification

- `pnpm install --frozen-lockfile` after rebasing onto
`public-gh/master` to refresh workspace links for the newly-added
upstream Grok adapter package.
- `pnpm exec vitest run
server/src/__tests__/heartbeat-project-env.test.ts
server/src/__tests__/routines-service.test.ts
server/src/__tests__/secrets-service.test.ts
server/src/__tests__/qa-routine-secrets-e2e.test.ts
ui/src/components/RoutineHistoryTab.test.tsx` passed: 5 files, 92 tests.
- `pnpm -r typecheck` passed across the workspace.
- `pnpm build` passed. Vite emitted the existing
large-chunk/dynamic-import warnings.
- UI screenshots were captured locally during QA in
`artifacts/pap-9521/` and `artifacts/pap-9522/`; generated screenshots
are not committed to avoid adding binary artifacts to the repo.

## Risks

- Migration risk is limited by `IF NOT EXISTS` guards for the new
columns, FK, and index, and the migration is ordered as `0086`
immediately after upstream `0085`.
- Runtime behavior changes env precedence for routine executions by
adding routine env as the highest-precedence layer; tests cover
agent/project/routine precedence.
- Secret handling is security-sensitive; tests cover value-free
manifests/events/errors, disabled/missing/deleted secrets, and
cross-company rejection.
- UI history now renders routine env/secret diffs; tests and Storybook
stories cover the main rendering paths.

> For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and
discuss it in `#dev` before opening the PR. Feature PRs that overlap
with planned core work may need to be redirected — check the roadmap
first. See `CONTRIBUTING.md`.

## Model Used

- OpenAI Codex coding agent based on GPT-5, with shell/tool use and
medium reasoning effort.

## Checklist

- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have checked ROADMAP.md and confirmed this PR does not duplicate
planned core work
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [x] If this change affects the UI, I have included before/after
screenshots
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge

---------

Co-authored-by: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Dotta 2026-05-17 16:30:34 -05:00 committed by GitHub
parent 3e6610fb93
commit 705c1b8d81
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
20 changed files with 1736 additions and 50 deletions
Download patch file Download diff file Expand all files Collapse all files

257
ui/storybook/stories/routine-secrets.stories.tsx Normal file
View file

@ -0,0 +1,257 @@
import { useEffect, useState, type ReactNode } from "react";
import type { Meta, StoryObj } from "@storybook/react-vite";
import { useQueryClient } from "@tanstack/react-query";
import { KeyRound } from "lucide-react";
import type {
CompanySecret,
EnvBinding,
Routine,
RoutineEnvConfig,
RoutineRevision,
RoutineRevisionSnapshotV1,
} from "@paperclipai/shared";
import { EnvVarEditor } from "@/components/EnvVarEditor";
import { RoutineHistoryTab } from "@/components/RoutineHistoryTab";
import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/components/ui/card";
import { useCompany } from "@/context/CompanyContext";
import { queryKeys } from "@/lib/queryKeys";
import { storybookCompanies, storybookSecrets } from "../fixtures/paperclipData";
const COMPANY_ID = "company-storybook";
if (typeof window !== "undefined") {
window.localStorage.setItem("paperclip.selectedCompanyId", COMPANY_ID);
}
function StorybookRoutineFixtures({
revisions,
children,
}: {
revisions: RoutineRevision[];
children: ReactNode;
}) {
const queryClient = useQueryClient();
queryClient.setQueryData(queryKeys.companies.all, { companies: storybookCompanies, unauthorized: false });
queryClient.setQueryData(queryKeys.secrets.list(COMPANY_ID), storybookSecrets);
queryClient.setQueryData(queryKeys.routines.revisions("routine-storybook"), revisions);
const { selectedCompanyId, setSelectedCompanyId } = useCompany();
useEffect(() => {
if (selectedCompanyId !== COMPANY_ID) {
setSelectedCompanyId(COMPANY_ID);
}
}, [selectedCompanyId, setSelectedCompanyId]);
if (selectedCompanyId !== COMPANY_ID) return null;
return <>{children}</>;
}
const meta: Meta = {
title: "Product/Routines · Secrets tab",
parameters: {
layout: "fullscreen",
a11y: { test: "off" },
},
};
export default meta;
type Story = StoryObj;
function SecretsTabSurface({
initial,
title,
}: {
initial: RoutineEnvConfig | null;
title: string;
}) {
const [env, setEnv] = useState<Record<string, EnvBinding>>(() => (initial ?? {}) as Record<string, EnvBinding>);
return (
<Card className="w-full max-w-2xl">
<CardHeader>
<CardTitle className="text-sm flex items-center gap-2">
<KeyRound className="h-3.5 w-3.5" />
{title}
</CardTitle>
<CardDescription className="text-xs">
The Secrets tab on a routine reuses the env-var editor and adds a one-line precedence helper.
</CardDescription>
</CardHeader>
<CardContent className="space-y-3">
<p className="text-xs text-muted-foreground">
Routine secrets apply to every issue this routine creates. They override matching keys in
project and agent env. <span className="font-mono">PAPERCLIP_*</span> variables are reserved.
</p>
<EnvVarEditor
value={env}
secrets={storybookSecrets as CompanySecret[]}
onCreateSecret={async (name) => ({
...storybookSecrets[0]!,
id: `secret-${Math.random().toString(36).slice(2, 8)}`,
name,
key: name.toLowerCase(),
description: `New routine secret ${name}`,
})}
onChange={(next) => setEnv((next ?? {}) as Record<string, EnvBinding>)}
/>
</CardContent>
</Card>
);
}
export const SecretsTabEmpty: Story = {
render: () => (
<div className="space-y-6 p-6">
<SecretsTabSurface
title="Empty — no routine secrets configured"
initial={null}
/>
</div>
),
};
export const SecretsTabConfigured: Story = {
render: () => (
<div className="space-y-6 p-6">
<SecretsTabSurface
title="Configured — mix of secret refs and plain values"
initial={{
OPENAI_API_KEY: { type: "secret_ref", secretId: "secret-openai", version: "latest" },
STAGE: { type: "plain", value: "production" },
GH_TOKEN: { type: "secret_ref", secretId: "secret-aws-prod", version: 2 },
}}
/>
</div>
),
};
export const SecretsTabDisabledOrMissing: Story = {
render: () => (
<div className="space-y-6 p-6">
<SecretsTabSurface
title="Bindings need attention — disabled secret + missing secret"
initial={{
OPENAI_API_KEY: { type: "secret_ref", secretId: "secret-openai", version: "latest" },
GITHUB_APP_PEM: { type: "secret_ref", secretId: "secret-github", version: "latest" },
ABANDONED: { type: "secret_ref", secretId: "missing-id", version: "latest" },
}}
/>
</div>
),
};
function makeSnapshot(env: RoutineEnvConfig | null): RoutineRevisionSnapshotV1 {
return {
version: 1,
routine: {
id: "routine-storybook",
companyId: COMPANY_ID,
projectId: null,
goalId: null,
parentIssueId: null,
title: "Nightly digest",
description: "Summarize agent activity each night.",
assigneeAgentId: null,
priority: "medium",
status: "active",
concurrencyPolicy: "coalesce_if_active",
catchUpPolicy: "skip_missed",
variables: [],
env,
},
triggers: [],
};
}
function makeRoutine(latestRevisionId: string, latestRevisionNumber: number): Routine {
return {
id: "routine-storybook",
companyId: COMPANY_ID,
projectId: null,
goalId: null,
parentIssueId: null,
title: "Nightly digest",
description: "Summarize agent activity each night.",
assigneeAgentId: null,
priority: "medium",
status: "active",
concurrencyPolicy: "coalesce_if_active",
catchUpPolicy: "skip_missed",
variables: [],
env: makeSnapshot({
OPENAI_API_KEY: { type: "secret_ref", secretId: "secret-openai", version: "latest" },
STAGE: { type: "plain", value: "production" },
}).routine.env,
latestRevisionId,
latestRevisionNumber,
createdByAgentId: null,
createdByUserId: "user-board",
updatedByAgentId: null,
updatedByUserId: "user-board",
lastTriggeredAt: null,
lastEnqueuedAt: null,
createdAt: new Date("2026-05-01T11:00:00.000Z"),
updatedAt: new Date("2026-05-04T12:00:00.000Z"),
};
}
export const HistoryDiffWithEnv: Story = {
name: "History diff — env keys added/removed/changed",
render: () => {
const revisions: RoutineRevision[] = [
{
id: "rev-2",
companyId: COMPANY_ID,
routineId: "routine-storybook",
revisionNumber: 2,
title: "Nightly digest",
description: "Summarize agent activity each night.",
snapshot: makeSnapshot({
OPENAI_API_KEY: { type: "secret_ref", secretId: "secret-openai", version: "latest" },
STAGE: { type: "plain", value: "production" },
}),
changeSummary: "Added STAGE plain value",
restoredFromRevisionId: null,
createdByAgentId: null,
createdByUserId: "user-board",
createdByRunId: null,
createdAt: new Date("2026-05-04T12:00:00.000Z"),
},
{
id: "rev-1",
companyId: COMPANY_ID,
routineId: "routine-storybook",
revisionNumber: 1,
title: "Nightly digest",
description: "Summarize agent activity each night.",
snapshot: makeSnapshot({
OPENAI_API_KEY: { type: "secret_ref", secretId: "secret-openai", version: 2 },
GH_TOKEN: { type: "plain", value: "legacy" },
}),
changeSummary: "Created routine",
restoredFromRevisionId: null,
createdByAgentId: null,
createdByUserId: "user-board",
createdByRunId: null,
createdAt: new Date("2026-05-01T11:00:00.000Z"),
},
];
return (
<StorybookRoutineFixtures revisions={revisions}>
<div className="space-y-6 p-6">
<RoutineHistoryTab
routine={makeRoutine("rev-2", 2)}
isEditDirty={false}
dirtyFields={[]}
onDiscardEdits={() => {}}
onSaveEdits={() => {}}
agents={new Map()}
projects={new Map()}
secrets={storybookSecrets as CompanySecret[]}
onRestoreSecretMaterials={() => {}}
/>
</div>
</StorybookRoutineFixtures>
);
},
};