farhoodlabs/paperclip
8
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d67347be77f33ecb8c23a12cb41b56864f5d32c3
paperclip/ui/storybook/stories/secrets.stories.tsx
T
Dotta d67347be77 [codex] Provider vault secrets UX (#6381) 
## Thinking Path

> - Paperclip orchestrates AI agents that need scoped, auditable access
to secrets
> - Hosted and external deployments need provider vault configuration
without exposing secret values in Paperclip metadata
> - AWS Secrets Manager vault setup previously required too much manual
operator knowledge
> - Provider vault discovery and removal belong together as an
independent secrets-management improvement
> - This pull request adds AWS provider vault discovery/prefill plus
vault removal flows
> - The benefit is a safer operator path for configuring external secret
storage before higher-level cloud workflows depend on it

## What Changed

- Added shared validators/types for AWS provider vault discovery
payloads and safe provider metadata.
- Implemented AWS provider vault discovery preview on the server.
- Added provider vault removal service/route behavior.
- Added Secrets page UI for discovery prefill, removal messaging, and
related rendering coverage.
- Added Storybook provider-vault fixtures and captured screenshots for
the new UX states.

## Verification

- `pnpm install --frozen-lockfile --ignore-scripts`
- `pnpm exec vitest run packages/shared/src/validators/secret.test.ts
server/src/__tests__/aws-secrets-manager-provider.test.ts
server/src/__tests__/secrets-routes.test.ts
server/src/__tests__/secrets-service.test.ts
ui/src/pages/Secrets.render.test.tsx`
- Result: 4 files passed, 1 embedded Postgres-backed file skipped on
this host because local Postgres init was unavailable.
- `pnpm --filter @paperclipai/ui exec vitest run
src/pages/Secrets.render.test.tsx`
- `pnpm --filter @paperclipai/ui typecheck`
- Storybook screenshot capture against `Product/Secrets` on
`http://127.0.0.1:60381/iframe.html?id=product-secrets--secrets-inventory&viewMode=story&globals=theme:dark`

## Screenshots

Provider vaults tab after this change:

![Provider vaults
tab](https://raw.githubusercontent.com/paperclipai/paperclip/pap-9861-provider-vault-secrets/doc/screenshots/pr-6381/provider-vaults-tab.png)

AWS discovery candidate flow:

![AWS discovery candidate
flow](https://raw.githubusercontent.com/paperclipai/paperclip/pap-9861-provider-vault-secrets/doc/screenshots/pr-6381/aws-discovery-candidates.png)

Provider vault removal confirmation:

![Provider vault removal
confirmation](https://raw.githubusercontent.com/paperclipai/paperclip/pap-9861-provider-vault-secrets/doc/screenshots/pr-6381/remove-provider-vault-confirmation.png)

## Risks

- Secret provider metadata handling must remain non-sensitive;
validators reject credential-bearing Vault URLs and sensitive AWS
discovery keys.
- AWS discovery depends on deployment credentials being configured
correctly outside Paperclip-managed company secrets.

> For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and
discuss it in `#dev` before opening the PR. Feature PRs that overlap
with planned core work may need to be redirected — check the roadmap
first. See `CONTRIBUTING.md`.

## Model Used

- OpenAI Codex, GPT-5-based coding agent with local shell/git/tool use.
Exact hosted model ID and context-window size are not exposed by the
local Paperclip adapter runtime.

## Checklist

- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have checked ROADMAP.md and confirmed this PR does not duplicate
planned core work
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [x] If this change affects the UI, I have included before/after
screenshots
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge

---------

Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-05-19 15:50:23 -05:00

229 lines
8.2 KiB
TypeScript
Raw Blame History

import { useEffect, useState, type ReactNode } from "react";
import type { Meta, StoryObj } from "@storybook/react-vite";
import { useQueryClient } from "@tanstack/react-query";
import { AlertCircle, KeyRound } from "lucide-react";
import type { CompanySecret, EnvBinding } from "@paperclipai/shared";
import { Secrets } from "@/pages/Secrets";
import { SecretBindingPicker, type SecretBindingValue } from "@/components/SecretBindingPicker";
import { EnvVarEditor } from "@/components/EnvVarEditor";
import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/components/ui/card";
import { Badge } from "@/components/ui/badge";
import { useCompany } from "@/context/CompanyContext";
import { queryKeys } from "@/lib/queryKeys";
import { storybookCompanies, storybookSecrets } from "../fixtures/paperclipData";
const COMPANY_ID = "company-storybook";
// Seed localStorage before CompanyContext mounts so its `useState` initializer reads the right id.
if (typeof window !== "undefined") {
window.localStorage.setItem("paperclip.selectedCompanyId", COMPANY_ID);
}
function StorybookSecretsFixtures({ children }: { children: ReactNode }) {
const queryClient = useQueryClient();
// Seed query caches synchronously so children hydrate from cache on first render.
queryClient.setQueryData(queryKeys.secrets.list(COMPANY_ID), storybookSecrets);
const { selectedCompanyId, setSelectedCompanyId } = useCompany();
useEffect(() => {
if (selectedCompanyId !== COMPANY_ID) {
setSelectedCompanyId(COMPANY_ID);
}
}, [selectedCompanyId, setSelectedCompanyId]);
// Block render until the company id is the storybook fixture so the BindingPicker's
// useQuery never sees the production-like null state.
if (selectedCompanyId !== COMPANY_ID) {
return null;
}
return <>{children}</>;
}
const meta: Meta = {
title: "Product/Secrets",
parameters: {
layout: "fullscreen",
a11y: {
test: "off",
},
},
};
export default meta;
type Story = StoryObj;
function Section({ eyebrow, title, children }: { eyebrow: string; title: string; children: ReactNode }) {
return (
<section className="border-b border-border pb-8 last:border-b-0">
<header className="mb-3 px-6 pt-6">
<p className="text-[11px] uppercase tracking-wide text-muted-foreground">{eyebrow}</p>
<h2 className="text-lg font-semibold text-foreground">{title}</h2>
</header>
<div className="px-6">{children}</div>
</section>
);
}
export const SecretsInventory: Story = {
render: () => (
<StorybookSecretsFixtures>
<div className="h-screen w-full bg-background">
<Secrets />
</div>
</StorybookSecretsFixtures>
),
};
function BindingPickerSurface({
initial,
label,
}: {
initial: SecretBindingValue | null;
label: string;
}) {
const [value, setValue] = useState<SecretBindingValue | null>(initial);
return (
<Card className="w-96">
<CardHeader>
<CardTitle className="text-sm">{label}</CardTitle>
<CardDescription className="text-xs">
Picker can be reused across agent, project, environment, and plugin config surfaces.
</CardDescription>
</CardHeader>
<CardContent className="space-y-3">
<SecretBindingPicker value={value} onChange={setValue} />
<pre className="rounded bg-muted/40 p-2 text-[11px] font-mono">
{JSON.stringify(value, null, 2)}
</pre>
</CardContent>
</Card>
);
}
export const BindingPicker: Story = {
render: () => {
return (
<StorybookSecretsFixtures>
<div className="grid grid-cols-1 gap-6 p-6 md:grid-cols-2">
<BindingPickerSurface initial={null} label="Empty state" />
<BindingPickerSurface
initial={{ secretId: storybookSecrets[0]!.id, version: "latest" }}
label="Bound to active secret"
/>
<BindingPickerSurface
initial={{ secretId: storybookSecrets[2]!.id, version: "latest" }}
label="Bound but disabled"
/>
<BindingPickerSurface
initial={{ secretId: "missing-id", version: "latest" }}
label="Bound to missing secret"
/>
</div>
</StorybookSecretsFixtures>
);
},
};
export const EnvEditorWithSecrets: Story = {
render: () => {
function EditorDemo({ initial, label }: { initial: Record<string, EnvBinding>; label: string }) {
const [env, setEnv] = useState<Record<string, EnvBinding>>(initial);
return (
<Card className="w-full max-w-2xl">
<CardHeader>
<CardTitle className="text-sm flex items-center gap-2">
<KeyRound className="h-3.5 w-3.5" />
{label}
</CardTitle>
</CardHeader>
<CardContent>
<EnvVarEditor
value={env}
secrets={storybookSecrets as CompanySecret[]}
onCreateSecret={async (name, value) => ({
...storybookSecrets[0]!,
id: `secret-${Math.random().toString(36).slice(2, 8)}`,
name,
key: name.toLowerCase(),
description: `New secret with value len=${value.length}`,
})}
onChange={(next) => setEnv(next ?? {})}
/>
</CardContent>
</Card>
);
}
return (
<div className="space-y-6 p-6">
<EditorDemo
label="Healthy bindings"
initial={{
OPENAI_API_KEY: { type: "secret_ref", secretId: "secret-openai", version: "latest" },
STAGE: { type: "plain", value: "production" },
}}
/>
<EditorDemo
label="Mixed bindings (some need attention)"
initial={{
OPENAI_API_KEY: { type: "secret_ref", secretId: "secret-openai", version: 2 },
GITHUB_APP_PEM: { type: "secret_ref", secretId: "secret-github", version: "latest" },
ABANDONED: { type: "secret_ref", secretId: "missing-id", version: "latest" },
}}
/>
</div>
);
},
};
export const RunFailureCopy: Story = {
render: () => (
<div className="space-y-4 p-6">
<Section eyebrow="Run failure" title="Missing or disabled secret blocks the run">
<Card className="border-destructive/40 bg-destructive/5">
<CardHeader className="space-y-1">
<div className="flex items-center gap-2">
<AlertCircle className="h-4 w-4 text-destructive" />
<Badge variant="outline" className="border-destructive/40 text-destructive">
Run failed
</Badge>
<span className="text-xs font-mono text-muted-foreground">PAP-2350 · run-storybook</span>
</div>
<CardTitle className="text-sm">
Secret <span className="font-mono">OPENAI_API_KEY</span> is{" "}
<span className="font-medium text-destructive">disabled</span>
</CardTitle>
<CardDescription className="text-xs">
The agent tried to resolve <span className="font-mono">env.OPENAI_API_KEY</span> for{" "}
<span className="font-mono">agent:CodexCoder</span> but the secret is currently disabled. No value was
loaded, no run logs were emitted that contained secret material.
</CardDescription>
</CardHeader>
<CardContent className="space-y-2 text-xs">
<div>
<p className="text-muted-foreground">Next action</p>
<ul className="list-disc pl-4 space-y-0.5">
<li>
Re-enable the secret on{" "}
<a className="text-primary underline" href="/PAP/company/settings/secrets">
Company settings &gt; Secrets
</a>
</li>
<li>Or, rotate to a new value and pin v3 explicitly for this agent.</li>
<li>Or, swap the binding to a different secret with the binding picker.</li>
</ul>
</div>
<div>
<p className="text-muted-foreground">Audit</p>
<p className="font-mono text-[11px]">
secret_access_events.outcome=failure error=secret_disabled consumer=agent:CodexCoder
</p>
</div>
</CardContent>
</Card>
</Section>
</div>
),
};
Reference in New Issue View Git Blame Copy Permalink