Add secrets provider vaults and remote import (#5429)

## Thinking Path > - Paperclip orchestrates AI-agent companies and needs secrets handling to work across local development, hosted operators, and governed agent execution. > - The affected subsystem is the company-scoped secrets control plane: database schema, server services/routes, CLI workflows, and the Secrets settings UI. > - The gap was that secrets were local-only and operators could not manage provider vaults or import existing remote references without exposing plaintext. > - This branch adds provider vault configuration plus an AWS Secrets Manager remote-import path while preserving company boundaries, binding context, and audit trails. > - I kept the PR to a single branch PR, removed unrelated lockfile/package drift, rebased the full branch onto the current `public-gh/master`, and addressed fresh Greptile findings. > - The benefit is a reviewable implementation of provider-backed secrets with focused tests covering provider selection, import conflicts, deleted secret reuse, rotation guards, and AWS signing behavior. ## What Changed - Added provider vault support for company secrets, including provider config storage, default vault handling, health checks, binding usage, access events, and remote import preview/commit. - Added an AWS Secrets Manager provider using SigV4 request signing, bounded request timeouts, namespace guardrails, cached runtime credential resolution, and external-reference linking without plaintext reads. - Added Secrets UI surfaces for vault management and remote import, plus CLI/API documentation for setup and operations. - Stabilized routine webhook secret binding paths and SSH environment-driver fixture bindings discovered during verification. - Addressed Greptile and CI findings: no lockfile/package drift, monotonic migration metadata, disabled-vault default races, soft-deleted secret hiding/recreate behavior, remove behavior with disabled vaults, soft-deleted external-reference re-import, non-active rotation guards, managed-secret soft deletion through PATCH, and per-call AWS SDK credential client churn. - Rebased this branch onto `public-gh/master` at `0e1a5828` and force-pushed with lease to keep this as the single PR for the branch. ## Verification - `git fetch public-gh master` - `git rebase public-gh/master` - `git diff --name-only public-gh/master...HEAD | grep '^pnpm-lock\.yaml$' || true` confirmed `pnpm-lock.yaml` is not in the PR diff. - Confirmed migration ordering: master ends at `0081_optimal_dormammu`; this PR adds `0082_dry_vision` and `0083_company_secret_provider_configs`. - Inspected migrations for repeat safety: new tables/indexes use `IF NOT EXISTS`; foreign keys are guarded by `DO $$ ... IF NOT EXISTS`; column additions use `ADD COLUMN IF NOT EXISTS`. - `pnpm -r typecheck` passed before the Greptile follow-up commits. - `pnpm test:run` ran the full stable Vitest path before the Greptile follow-up commits; it completed with 3 timing-related failures under parallel load: `codex-local-execute.test.ts`, `cursor-local-execute.test.ts`, and `environment-service.test.ts`. - `pnpm --filter @paperclipai/server exec vitest run src/__tests__/codex-local-execute.test.ts src/__tests__/cursor-local-execute.test.ts src/__tests__/environment-service.test.ts` passed on targeted rerun (`24/24`). - `pnpm build` passed before the Greptile follow-up commits. Vite reported existing chunk-size/dynamic-import warnings. - After Greptile follow-up commits: `pnpm --filter @paperclipai/server exec vitest run src/__tests__/secrets-service.test.ts` passed (`26/26`). - After Greptile follow-up commits: `pnpm --filter @paperclipai/server exec vitest run src/__tests__/aws-secrets-manager-provider.test.ts src/__tests__/secrets-service.test.ts` passed (`39/39`). - After Greptile follow-up commits: `pnpm --filter @paperclipai/server typecheck` passed. - Captured Storybook screenshots from `ui/storybook-static` for visual review. - Latest PR checks on `5ca3a5cf`: `policy`, serialized server suites 1/4-4/4, `Canary Dry Run`, `e2e`, `security/snyk`, and `Greptile Review` pass; aggregate `verify` is still registering the completed child checks. - Greptile review loop continued through the latest requested pass; all Greptile review threads are resolved and the latest `Greptile Review` check on `5ca3a5cf` passed with 0 comments added. ## Screenshots Before: the provider-vault and remote-import surfaces did not exist on `master`; these are after-state screenshots from the Storybook fixtures. ![Secrets inventory](https://raw.githubusercontent.com/paperclipai/paperclip/PAP-2339-secrets-make-a-plan/doc/pr/5429/secrets-inventory.png) ![Secret binding picker](https://raw.githubusercontent.com/paperclipai/paperclip/PAP-2339-secrets-make-a-plan/doc/pr/5429/secret-binding-picker.png) ![Environment editor with secrets](https://raw.githubusercontent.com/paperclipai/paperclip/PAP-2339-secrets-make-a-plan/doc/pr/5429/env-editor-with-secrets.png) ## Risks - Migration risk: this adds new secret provider tables and extends existing secret rows. The migrations were checked for monotonic ordering and idempotent guards, but reviewers should still inspect upgrade behavior carefully. - Provider risk: AWS support uses direct SigV4 requests. Automated tests cover signing, request timeouts, vault-config selection, namespace guardrails, pending-version archival, sanitized provider errors, and service-level cleanup paths. A real-vault AWS smoke test remains deployment validation for an operator with AWS credentials rather than an unverified merge blocker in this local branch. - UI risk: the Secrets page and import dialog are large new surfaces; screenshots are included above for reviewer inspection. - Verification risk: the full local stable test command hit parallel-load timing failures, although the exact failed files passed when rerun directly. - Operational risk: remote import intentionally avoids plaintext reads; operators must understand that imported external references resolve at runtime and may fail if AWS permissions change. > For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and discuss it in `#dev` before opening the PR. Feature PRs that overlap with planned core work may need to be redirected — check the roadmap first. See `CONTRIBUTING.md`. ## Model Used - OpenAI Codex, GPT-5 coding agent with local shell/tool use in the Paperclip worktree. Exact context-window size was not exposed by the runtime. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [ ] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge --------- Co-authored-by: Paperclip <noreply@paperclip.ing> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-09 18:22:17 -05:00
parent 06e6ee25cd
commit 778e775c35
103 changed files with 16971 additions and 509 deletions
@@ -0,0 +1,8 @@
+import { SECRET_PROVIDERS, type SecretProvider } from "@paperclipai/shared";
+
+export function getConfiguredSecretProvider(): SecretProvider {
+  const configuredProvider = process.env.PAPERCLIP_SECRETS_PROVIDER;
+  return configuredProvider && SECRET_PROVIDERS.includes(configuredProvider as SecretProvider)
+    ? configuredProvider as SecretProvider
+    : "local_encrypted";
+}
@@ -1,23 +1,78 @@
 import { unprocessable } from "../errors.js";
-import type { SecretProviderModule } from "./types.js";
+import type { PreparedSecretVersion, SecretProviderModule } from "./types.js";
+import { createHash } from "node:crypto";

 function unavailableProvider(
  id: "aws_secrets_manager" | "gcp_secret_manager" | "vault",
  label: string,
 ): SecretProviderModule {
+  function externalFingerprint(externalRef: string, providerVersionRef: string | null): string {
+    return createHash("sha256")
+      .update(`${id}:${externalRef}:${providerVersionRef ?? ""}`)
+      .digest("hex");
+  }
+
+  function prepareExternalReference(input: {
+    externalRef: string;
+    providerVersionRef?: string | null;
+  }): PreparedSecretVersion {
+    const externalRef = input.externalRef.trim();
+    const providerVersionRef = input.providerVersionRef?.trim() || null;
+    const fingerprint = externalFingerprint(externalRef, providerVersionRef);
+    return {
+      material: {
+        scheme: "external_reference_v1",
+        provider: id,
+        externalRef,
+        providerVersionRef,
+      },
+      valueSha256: fingerprint,
+      fingerprintSha256: fingerprint,
+      externalRef,
+      providerVersionRef,
+    };
+  }
+
  return {
    id,
-    descriptor: {
-      id,
-      label,
-      requiresExternalRef: true,
+    descriptor() {
+      return {
+        id,
+        label,
+        requiresExternalRef: true,
+        supportsManagedValues: false,
+        supportsExternalReferences: true,
+        configured: false,
+      };
+    },
+    async validateConfig() {
+      return { ok: false, warnings: [`${id} provider is not configured in this deployment`] };
+    },
+    async createSecret() {
+      throw unprocessable(`${id} provider is not configured for Paperclip-managed values`);
    },
    async createVersion() {
-      throw unprocessable(`${id} provider is not configured in this deployment`);
+      throw unprocessable(`${id} provider is not configured for Paperclip-managed values`);
+    },
+    async linkExternalSecret(input) {
+      return prepareExternalReference(input);
    },
    async resolveVersion() {
      throw unprocessable(`${id} provider is not configured in this deployment`);
    },
+    async deleteOrArchive() {
+      // External references are metadata-only in Paperclip for unconfigured providers.
+    },
+    async healthCheck() {
+      return {
+        provider: id,
+        status: "warn",
+        message: `${id} provider is available for external references but not configured for runtime resolution`,
+        warnings: [
+          "Linked external references can be stored as metadata, but runtime resolution will fail until this provider is configured.",
+        ],
+      };
+    },
  };
 }

@@ -1,7 +1,14 @@
 import { createCipheriv, createDecipheriv, createHash, randomBytes } from "node:crypto";
-import { mkdirSync, readFileSync, writeFileSync, existsSync, chmodSync } from "node:fs";
+import { chmodSync, existsSync, mkdirSync, readFileSync, statSync, writeFileSync } from "node:fs";
 import path from "node:path";
-import type { SecretProviderModule, StoredSecretVersionMaterial } from "./types.js";
+import { resolveDefaultSecretsKeyFilePath } from "../home-paths.js";
+import type {
+  PreparedSecretVersion,
+  SecretProviderHealthCheck,
+  SecretProviderModule,
+  SecretProviderValidationResult,
+  StoredSecretVersionMaterial,
+} from "./types.js";
 import { badRequest } from "../errors.js";

 interface LocalEncryptedMaterial extends StoredSecretVersionMaterial {
@@ -14,7 +21,7 @@ interface LocalEncryptedMaterial extends StoredSecretVersionMaterial {
 function resolveMasterKeyFilePath() {
  const fromEnv = process.env.PAPERCLIP_SECRETS_MASTER_KEY_FILE;
  if (fromEnv && fromEnv.trim().length > 0) return path.resolve(fromEnv.trim());
-  return path.resolve(process.cwd(), "data/secrets/master.key");
+  return resolveDefaultSecretsKeyFilePath();
 }

 function decodeMasterKey(raw: string): Buffer | null {
@@ -52,6 +59,7 @@ function loadOrCreateMasterKey(): Buffer {

  const keyPath = resolveMasterKeyFilePath();
  if (existsSync(keyPath)) {
+    enforceKeyFilePermissionsBestEffort(keyPath);
    const raw = readFileSync(keyPath, "utf8");
    const decoded = decodeMasterKey(raw);
    if (!decoded) {
@@ -72,10 +80,118 @@ function loadOrCreateMasterKey(): Buffer {
  return generated;
 }

+function enforceKeyFilePermissionsBestEffort(keyPath: string) {
+  try {
+    const mode = statSync(keyPath).mode & 0o777;
+    if ((mode & 0o077) !== 0) {
+      chmodSync(keyPath, 0o600);
+    }
+  } catch {
+    // best effort only; health checks surface persistent permission problems.
+  }
+}
+
 function sha256Hex(value: string): string {
  return createHash("sha256").update(value).digest("hex");
 }

+function prepareManagedVersion(value: string): PreparedSecretVersion {
+  const masterKey = loadOrCreateMasterKey();
+  const valueSha256 = sha256Hex(value);
+  return {
+    material: encryptValue(masterKey, value),
+    valueSha256,
+    fingerprintSha256: valueSha256,
+    externalRef: null,
+  };
+}
+
+async function inspectLocalEncryptedHealth(): Promise<SecretProviderHealthCheck> {
+  const envKeyRaw = process.env.PAPERCLIP_SECRETS_MASTER_KEY;
+  if (envKeyRaw && envKeyRaw.trim().length > 0) {
+    if (!decodeMasterKey(envKeyRaw)) {
+      return {
+        provider: "local_encrypted",
+        status: "error",
+        message:
+          "PAPERCLIP_SECRETS_MASTER_KEY is invalid; expected 32-byte base64, 64-char hex, or raw 32-char string",
+      };
+    }
+    return {
+      provider: "local_encrypted",
+      status: "ok",
+      message: "Local encrypted provider is using PAPERCLIP_SECRETS_MASTER_KEY",
+      backupGuidance: [
+        "Back up the configured master key separately from the database.",
+        "A restore needs both the database metadata and the same master key.",
+      ],
+      details: { keySource: "env" },
+    };
+  }
+
+  const keyPath = resolveMasterKeyFilePath();
+  if (!existsSync(keyPath)) {
+    return {
+      provider: "local_encrypted",
+      status: "warn",
+      message: `Secrets key file does not exist yet: ${keyPath}`,
+      warnings: ["The first managed secret write will create this key file with 0600 permissions."],
+      backupGuidance: [
+        "Back up the key file together with database backups.",
+        "The database alone cannot restore local encrypted secret values.",
+      ],
+      details: { keySource: "file", keyFilePath: keyPath },
+    };
+  }
+
+  let mode: number | null = null;
+  try {
+    mode = statSync(keyPath).mode & 0o777;
+  } catch (err) {
+    return {
+      provider: "local_encrypted",
+      status: "error",
+      message: `Could not stat secrets key file: ${err instanceof Error ? err.message : String(err)}`,
+      details: { keySource: "file", keyFilePath: keyPath },
+    };
+  }
+
+  try {
+    const raw = readFileSync(keyPath, "utf8");
+    if (!decodeMasterKey(raw)) {
+      return {
+        provider: "local_encrypted",
+        status: "error",
+        message: `Invalid key material in ${keyPath}`,
+        details: { keySource: "file", keyFilePath: keyPath },
+      };
+    }
+  } catch (err) {
+    return {
+      provider: "local_encrypted",
+      status: "error",
+      message: `Could not read secrets key file: ${err instanceof Error ? err.message : String(err)}`,
+      details: { keySource: "file", keyFilePath: keyPath },
+    };
+  }
+
+  const warnings =
+    mode !== null && (mode & 0o077) !== 0
+      ? [`Secrets key file permissions are ${mode.toString(8)}; run chmod 600 ${keyPath}`]
+      : [];
+  return {
+    provider: "local_encrypted",
+    status: warnings.length > 0 ? "warn" : "ok",
+    message: `Local encrypted provider configured with key file ${keyPath}`,
+    warnings,
+    backupGuidance: [
+      "Back up the key file together with database backups.",
+      "The database alone cannot restore local encrypted secret values.",
+    ],
+    details: { keySource: "file", keyFilePath: keyPath },
+  };
+}
+
 function encryptValue(masterKey: Buffer, value: string): LocalEncryptedMaterial {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", masterKey, iv);
@@ -115,21 +231,45 @@ function asLocalEncryptedMaterial(value: StoredSecretVersionMaterial): LocalEncr

 export const localEncryptedProvider: SecretProviderModule = {
  id: "local_encrypted",
-  descriptor: {
-    id: "local_encrypted",
-    label: "Local encrypted (default)",
-    requiresExternalRef: false,
+  descriptor() {
+    return {
+      id: "local_encrypted",
+      label: "Local encrypted (default)",
+      requiresExternalRef: false,
+      supportsManagedValues: true,
+      supportsExternalReferences: false,
+      configured: true,
+    };
+  },
+  async validateConfig(input): Promise<SecretProviderValidationResult> {
+    const warnings: string[] = [];
+    if (input?.deploymentMode === "authenticated" && input.strictMode !== true) {
+      warnings.push("Strict secret mode should be enabled for authenticated deployments");
+    }
+    const health = await inspectLocalEncryptedHealth();
+    if (health.status === "error") {
+      throw badRequest(health.message);
+    }
+    warnings.push(...(health.warnings ?? []));
+    return { ok: true, warnings };
+  },
+  async createSecret(input) {
+    return prepareManagedVersion(input.value);
  },
  async createVersion(input) {
-    const masterKey = loadOrCreateMasterKey();
-    return {
-      material: encryptValue(masterKey, input.value),
-      valueSha256: sha256Hex(input.value),
-      externalRef: null,
-    };
+    return prepareManagedVersion(input.value);
+  },
+  async linkExternalSecret() {
+    throw badRequest("local_encrypted does not support external reference secrets");
  },
  async resolveVersion(input) {
    const masterKey = loadOrCreateMasterKey();
    return decryptValue(masterKey, asLocalEncryptedMaterial(input.material));
  },
+  async deleteOrArchive() {
+    // Secret metadata deletion is handled in Paperclip DB; the local key is shared and must remain.
+  },
+  async healthCheck() {
+    return inspectLocalEncryptedHealth();
+  },
 };
@@ -1,11 +1,11 @@
 import type { SecretProvider, SecretProviderDescriptor } from "@paperclipai/shared";
+import { awsSecretsManagerProvider } from "./aws-secrets-manager-provider.js";
 import { localEncryptedProvider } from "./local-encrypted-provider.js";
 import {
-  awsSecretsManagerProvider,
  gcpSecretManagerProvider,
  vaultProvider,
 } from "./external-stub-providers.js";
-import type { SecretProviderModule } from "./types.js";
+import type { SecretProviderHealthCheck, SecretProviderModule } from "./types.js";
 import { unprocessable } from "../errors.js";

 const providers: SecretProviderModule[] = [
@@ -26,5 +26,9 @@ export function getSecretProvider(id: SecretProvider): SecretProviderModule {
 }

 export function listSecretProviders(): SecretProviderDescriptor[] {
-  return providers.map((provider) => provider.descriptor);
+  return providers.map((provider) => provider.descriptor());
+}
+
+export async function checkSecretProviders(): Promise<SecretProviderHealthCheck[]> {
+  return Promise.all(providers.map((provider) => provider.healthCheck()));
 }
@@ -1,22 +1,180 @@
 import type { SecretProvider, SecretProviderDescriptor } from "@paperclipai/shared";
+import type { DeploymentMode } from "@paperclipai/shared";

 export interface StoredSecretVersionMaterial {
  [key: string]: unknown;
 }

+export type SecretProviderHealthStatus = "ok" | "warn" | "error";
+
+export interface SecretProviderHealthCheck {
+  provider: SecretProvider;
+  status: SecretProviderHealthStatus;
+  message: string;
+  warnings?: string[];
+  backupGuidance?: string[];
+  details?: Record<string, unknown>;
+}
+
+export interface SecretProviderValidationResult {
+  ok: boolean;
+  warnings: string[];
+}
+
+export interface PreparedSecretVersion {
+  material: StoredSecretVersionMaterial;
+  valueSha256: string;
+  fingerprintSha256?: string;
+  externalRef: string | null;
+  providerVersionRef?: string | null;
+}
+
+export interface RemoteSecretListEntry {
+  externalRef: string;
+  name: string;
+  providerVersionRef?: string | null;
+  metadata?: Record<string, unknown> | null;
+}
+
+export interface RemoteSecretListResult {
+  secrets: RemoteSecretListEntry[];
+  nextToken?: string | null;
+}
+
+export type SecretProviderClientErrorCode =
+  | "access_denied"
+  | "throttled"
+  | "not_found"
+  | "conflict"
+  | "invalid_request"
+  | "provider_unavailable"
+  | "provider_error";
+
+export interface SecretProviderClientErrorOptions {
+  code: SecretProviderClientErrorCode;
+  provider: SecretProvider;
+  operation: string;
+  message: string;
+  status?: number;
+  rawMessage?: string | null;
+  cause?: unknown;
+}
+
+const SECRET_PROVIDER_CLIENT_ERROR_STATUS: Record<SecretProviderClientErrorCode, number> = {
+  access_denied: 403,
+  throttled: 429,
+  not_found: 404,
+  conflict: 409,
+  invalid_request: 422,
+  provider_unavailable: 503,
+  provider_error: 502,
+};
+
+export class SecretProviderClientError extends Error {
+  readonly code: SecretProviderClientErrorCode;
+  readonly provider: SecretProvider;
+  readonly operation: string;
+  readonly status: number;
+  readonly rawMessage: string | null;
+
+  constructor(options: SecretProviderClientErrorOptions) {
+    super(options.message);
+    this.name = "SecretProviderClientError";
+    this.code = options.code;
+    this.provider = options.provider;
+    this.operation = options.operation;
+    this.status = options.status ?? SECRET_PROVIDER_CLIENT_ERROR_STATUS[options.code];
+    this.rawMessage = options.rawMessage ?? null;
+    if (options.cause !== undefined) {
+      Object.defineProperty(this, "cause", {
+        value: options.cause,
+        enumerable: false,
+        configurable: true,
+      });
+    }
+  }
+}
+
+export function isSecretProviderClientError(error: unknown): error is SecretProviderClientError {
+  return error instanceof SecretProviderClientError;
+}
+
+export interface SecretProviderRuntimeContext {
+  companyId: string;
+  secretId: string;
+  secretKey: string;
+  version: number;
+}
+
+export interface SecretProviderVaultRuntimeConfig {
+  id: string;
+  provider: SecretProvider;
+  status: string;
+  config: Record<string, unknown>;
+}
+
+export interface SecretProviderWriteContext {
+  companyId: string;
+  secretKey: string;
+  secretName: string;
+  version: number;
+}
+
 export interface SecretProviderModule {
  id: SecretProvider;
-  descriptor: SecretProviderDescriptor;
+  descriptor(): SecretProviderDescriptor;
+  validateConfig(input?: {
+    deploymentMode?: DeploymentMode;
+    strictMode?: boolean;
+    providerConfig?: SecretProviderVaultRuntimeConfig | null;
+  }): Promise<SecretProviderValidationResult>;
+  createSecret(input: {
+    value: string;
+    externalRef?: string | null;
+    context?: SecretProviderWriteContext;
+    providerConfig?: SecretProviderVaultRuntimeConfig | null;
+  }): Promise<PreparedSecretVersion>;
  createVersion(input: {
    value: string;
-    externalRef: string | null;
-  }): Promise<{
-    material: StoredSecretVersionMaterial;
-    valueSha256: string;
-    externalRef: string | null;
-  }>;
+    externalRef?: string | null;
+    context?: SecretProviderWriteContext;
+    providerConfig?: SecretProviderVaultRuntimeConfig | null;
+  }): Promise<PreparedSecretVersion>;
+  linkExternalSecret(input: {
+    externalRef: string;
+    providerVersionRef?: string | null;
+    context?: SecretProviderWriteContext;
+    providerConfig?: SecretProviderVaultRuntimeConfig | null;
+  }): Promise<PreparedSecretVersion>;
+  listRemoteSecrets?(input: {
+    providerConfig?: SecretProviderVaultRuntimeConfig | null;
+    query?: string | null;
+    nextToken?: string | null;
+    pageSize?: number;
+  }): Promise<RemoteSecretListResult>;
  resolveVersion(input: {
    material: StoredSecretVersionMaterial;
    externalRef: string | null;
+    providerVersionRef?: string | null;
+    context?: SecretProviderRuntimeContext;
+    providerConfig?: SecretProviderVaultRuntimeConfig | null;
  }): Promise<string>;
+  rotate?(input: {
+    material: StoredSecretVersionMaterial;
+    externalRef: string | null;
+    providerVersionRef?: string | null;
+    providerConfig?: SecretProviderVaultRuntimeConfig | null;
+  }): Promise<PreparedSecretVersion>;
+  deleteOrArchive(input: {
+    material?: StoredSecretVersionMaterial | null;
+    externalRef: string | null;
+    context?: SecretProviderWriteContext;
+    mode: "archive" | "delete";
+    providerConfig?: SecretProviderVaultRuntimeConfig | null;
+  }): Promise<void>;
+  healthCheck(input?: {
+    deploymentMode?: DeploymentMode;
+    strictMode?: boolean;
+    providerConfig?: SecretProviderVaultRuntimeConfig | null;
+  }): Promise<SecretProviderHealthCheck>;
 }