forked from farhoodlabs/paperclip
778e775c35
## Thinking Path > - Paperclip orchestrates AI-agent companies and needs secrets handling to work across local development, hosted operators, and governed agent execution. > - The affected subsystem is the company-scoped secrets control plane: database schema, server services/routes, CLI workflows, and the Secrets settings UI. > - The gap was that secrets were local-only and operators could not manage provider vaults or import existing remote references without exposing plaintext. > - This branch adds provider vault configuration plus an AWS Secrets Manager remote-import path while preserving company boundaries, binding context, and audit trails. > - I kept the PR to a single branch PR, removed unrelated lockfile/package drift, rebased the full branch onto the current `public-gh/master`, and addressed fresh Greptile findings. > - The benefit is a reviewable implementation of provider-backed secrets with focused tests covering provider selection, import conflicts, deleted secret reuse, rotation guards, and AWS signing behavior. ## What Changed - Added provider vault support for company secrets, including provider config storage, default vault handling, health checks, binding usage, access events, and remote import preview/commit. - Added an AWS Secrets Manager provider using SigV4 request signing, bounded request timeouts, namespace guardrails, cached runtime credential resolution, and external-reference linking without plaintext reads. - Added Secrets UI surfaces for vault management and remote import, plus CLI/API documentation for setup and operations. - Stabilized routine webhook secret binding paths and SSH environment-driver fixture bindings discovered during verification. - Addressed Greptile and CI findings: no lockfile/package drift, monotonic migration metadata, disabled-vault default races, soft-deleted secret hiding/recreate behavior, remove behavior with disabled vaults, soft-deleted external-reference re-import, non-active rotation guards, managed-secret soft deletion through PATCH, and per-call AWS SDK credential client churn. - Rebased this branch onto `public-gh/master` at `0e1a5828` and force-pushed with lease to keep this as the single PR for the branch. ## Verification - `git fetch public-gh master` - `git rebase public-gh/master` - `git diff --name-only public-gh/master...HEAD | grep '^pnpm-lock\.yaml$' || true` confirmed `pnpm-lock.yaml` is not in the PR diff. - Confirmed migration ordering: master ends at `0081_optimal_dormammu`; this PR adds `0082_dry_vision` and `0083_company_secret_provider_configs`. - Inspected migrations for repeat safety: new tables/indexes use `IF NOT EXISTS`; foreign keys are guarded by `DO $$ ... IF NOT EXISTS`; column additions use `ADD COLUMN IF NOT EXISTS`. - `pnpm -r typecheck` passed before the Greptile follow-up commits. - `pnpm test:run` ran the full stable Vitest path before the Greptile follow-up commits; it completed with 3 timing-related failures under parallel load: `codex-local-execute.test.ts`, `cursor-local-execute.test.ts`, and `environment-service.test.ts`. - `pnpm --filter @paperclipai/server exec vitest run src/__tests__/codex-local-execute.test.ts src/__tests__/cursor-local-execute.test.ts src/__tests__/environment-service.test.ts` passed on targeted rerun (`24/24`). - `pnpm build` passed before the Greptile follow-up commits. Vite reported existing chunk-size/dynamic-import warnings. - After Greptile follow-up commits: `pnpm --filter @paperclipai/server exec vitest run src/__tests__/secrets-service.test.ts` passed (`26/26`). - After Greptile follow-up commits: `pnpm --filter @paperclipai/server exec vitest run src/__tests__/aws-secrets-manager-provider.test.ts src/__tests__/secrets-service.test.ts` passed (`39/39`). - After Greptile follow-up commits: `pnpm --filter @paperclipai/server typecheck` passed. - Captured Storybook screenshots from `ui/storybook-static` for visual review. - Latest PR checks on `5ca3a5cf`: `policy`, serialized server suites 1/4-4/4, `Canary Dry Run`, `e2e`, `security/snyk`, and `Greptile Review` pass; aggregate `verify` is still registering the completed child checks. - Greptile review loop continued through the latest requested pass; all Greptile review threads are resolved and the latest `Greptile Review` check on `5ca3a5cf` passed with 0 comments added. ## Screenshots Before: the provider-vault and remote-import surfaces did not exist on `master`; these are after-state screenshots from the Storybook fixtures.    ## Risks - Migration risk: this adds new secret provider tables and extends existing secret rows. The migrations were checked for monotonic ordering and idempotent guards, but reviewers should still inspect upgrade behavior carefully. - Provider risk: AWS support uses direct SigV4 requests. Automated tests cover signing, request timeouts, vault-config selection, namespace guardrails, pending-version archival, sanitized provider errors, and service-level cleanup paths. A real-vault AWS smoke test remains deployment validation for an operator with AWS credentials rather than an unverified merge blocker in this local branch. - UI risk: the Secrets page and import dialog are large new surfaces; screenshots are included above for reviewer inspection. - Verification risk: the full local stable test command hit parallel-load timing failures, although the exact failed files passed when rerun directly. - Operational risk: remote import intentionally avoids plaintext reads; operators must understand that imported external references resolve at runtime and may fail if AWS permissions change. > For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and discuss it in `#dev` before opening the PR. Feature PRs that overlap with planned core work may need to be redirected — check the roadmap first. See `CONTRIBUTING.md`. ## Model Used - OpenAI Codex, GPT-5 coding agent with local shell/tool use in the Paperclip worktree. Exact context-window size was not exposed by the runtime. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [ ] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge --------- Co-authored-by: Paperclip <noreply@paperclip.ing> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
391 lines
12 KiB
TypeScript
391 lines
12 KiB
TypeScript
import { useEffect, useState, type ReactNode } from "react";
|
|
import type { Preview } from "@storybook/react-vite";
|
|
import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
|
|
import { MemoryRouter } from "@/lib/router";
|
|
import { BreadcrumbProvider } from "@/context/BreadcrumbContext";
|
|
import { CompanyProvider } from "@/context/CompanyContext";
|
|
import { DialogProvider } from "@/context/DialogContext";
|
|
import { EditorAutocompleteProvider } from "@/context/EditorAutocompleteContext";
|
|
import { PanelProvider } from "@/context/PanelContext";
|
|
import { SidebarProvider } from "@/context/SidebarContext";
|
|
import { ThemeProvider } from "@/context/ThemeContext";
|
|
import { ToastProvider } from "@/context/ToastContext";
|
|
import { TooltipProvider } from "@/components/ui/tooltip";
|
|
import {
|
|
storybookAgents,
|
|
storybookApprovals,
|
|
storybookAuthSession,
|
|
storybookCompanies,
|
|
storybookDashboardSummary,
|
|
storybookIssues,
|
|
storybookLiveRuns,
|
|
storybookProjects,
|
|
storybookSecretAccessEvents,
|
|
storybookSecretBindings,
|
|
storybookSecretProviderHealth,
|
|
storybookSecretProviders,
|
|
storybookSecrets,
|
|
storybookSidebarBadges,
|
|
} from "../fixtures/paperclipData";
|
|
import "@mdxeditor/editor/style.css";
|
|
import "./tailwind-entry.css";
|
|
import "./styles.css";
|
|
|
|
// Install fetch monkeypatch eagerly so any module-load-time fetches (e.g. schema
|
|
// caches in adapter config renderers) hit our fixtures before they reach the
|
|
// network. Some renderers issue a fetch from useEffect on first paint, which
|
|
// can otherwise race the StorybookProviders mount.
|
|
installStorybookApiFixtures();
|
|
|
|
function installStorybookApiFixtures() {
|
|
if (typeof window === "undefined") return;
|
|
const currentWindow = window as typeof window & {
|
|
__paperclipStorybookFetchInstalled?: boolean;
|
|
};
|
|
if (currentWindow.__paperclipStorybookFetchInstalled) return;
|
|
|
|
const originalFetch = window.fetch.bind(window);
|
|
currentWindow.__paperclipStorybookFetchInstalled = true;
|
|
|
|
window.fetch = async (input: RequestInfo | URL, init?: RequestInit) => {
|
|
const rawUrl =
|
|
typeof input === "string"
|
|
? input
|
|
: input instanceof URL
|
|
? input.href
|
|
: input.url;
|
|
const url = new URL(rawUrl, window.location.origin);
|
|
|
|
if (url.pathname === "/api/auth/get-session") {
|
|
return Response.json(storybookAuthSession);
|
|
}
|
|
|
|
if (url.pathname === "/api/companies") {
|
|
return Response.json(storybookCompanies);
|
|
}
|
|
|
|
if (url.pathname === "/api/companies/company-storybook/user-directory") {
|
|
return Response.json({
|
|
users: [
|
|
{
|
|
principalId: "user-board",
|
|
status: "active",
|
|
user: {
|
|
id: "user-board",
|
|
email: "board@paperclip.local",
|
|
name: "Board Operator",
|
|
image: null,
|
|
},
|
|
},
|
|
{
|
|
principalId: "user-product",
|
|
status: "active",
|
|
user: {
|
|
id: "user-product",
|
|
email: "product@paperclip.local",
|
|
name: "Product Lead",
|
|
image: null,
|
|
},
|
|
},
|
|
],
|
|
});
|
|
}
|
|
|
|
if (url.pathname === "/api/instance/settings/experimental") {
|
|
return Response.json({
|
|
enableIsolatedWorkspaces: true,
|
|
autoRestartDevServerWhenIdle: false,
|
|
});
|
|
}
|
|
|
|
if (url.pathname === "/api/adapters") {
|
|
return Response.json([
|
|
{
|
|
type: "claude_local",
|
|
label: "Claude Local",
|
|
source: "builtin",
|
|
modelsCount: 2,
|
|
loaded: true,
|
|
disabled: false,
|
|
capabilities: {
|
|
supportsInstructionsBundle: true,
|
|
supportsSkills: true,
|
|
supportsLocalAgentJwt: true,
|
|
requiresMaterializedRuntimeSkills: false,
|
|
supportsModelProfiles: true,
|
|
},
|
|
},
|
|
{
|
|
type: "codex_local",
|
|
label: "Codex Local",
|
|
source: "builtin",
|
|
modelsCount: 3,
|
|
loaded: true,
|
|
disabled: false,
|
|
capabilities: {
|
|
supportsInstructionsBundle: true,
|
|
supportsSkills: true,
|
|
supportsLocalAgentJwt: true,
|
|
requiresMaterializedRuntimeSkills: false,
|
|
supportsModelProfiles: true,
|
|
},
|
|
},
|
|
]);
|
|
}
|
|
|
|
const adapterModelsMatch = url.pathname.match(
|
|
/^\/api\/companies\/[^/]+\/adapters\/([^/]+)\/(models|model-profiles)$/,
|
|
);
|
|
if (adapterModelsMatch) {
|
|
const [, , resource] = adapterModelsMatch;
|
|
if (resource === "models") {
|
|
return Response.json([
|
|
{ id: "claude-opus-4-7", label: "Claude Opus 4.7" },
|
|
{ id: "claude-sonnet-4-6", label: "Claude Sonnet 4.6" },
|
|
{ id: "claude-haiku-4-5", label: "Claude Haiku 4.5" },
|
|
]);
|
|
}
|
|
return Response.json([
|
|
{
|
|
key: "cheap",
|
|
label: "Cheap",
|
|
adapterConfig: { model: "claude-sonnet-4-6" },
|
|
source: "adapter_default",
|
|
},
|
|
]);
|
|
}
|
|
|
|
if (url.pathname === "/api/plugins/ui-contributions") {
|
|
return Response.json([]);
|
|
}
|
|
|
|
const adapterSchemaMatch = url.pathname.match(/^\/api\/adapters\/([^/]+)\/config-schema$/);
|
|
if (adapterSchemaMatch) {
|
|
const [, adapterType] = adapterSchemaMatch;
|
|
const schemas = (window as typeof window & {
|
|
__paperclipStorybookAdapterSchemas?: Record<string, unknown>;
|
|
}).__paperclipStorybookAdapterSchemas;
|
|
const schema = schemas?.[adapterType];
|
|
if (schema) return Response.json(schema);
|
|
}
|
|
|
|
const secretsListMatch = url.pathname.match(/^\/api\/companies\/([^/]+)\/secrets$/);
|
|
if (secretsListMatch) {
|
|
const [, companyId] = secretsListMatch;
|
|
return Response.json(companyId === "company-storybook" ? storybookSecrets : []);
|
|
}
|
|
|
|
const secretProvidersMatch = url.pathname.match(/^\/api\/companies\/([^/]+)\/secret-providers$/);
|
|
if (secretProvidersMatch) {
|
|
return Response.json(storybookSecretProviders);
|
|
}
|
|
|
|
const secretProviderHealthMatch = url.pathname.match(
|
|
/^\/api\/companies\/([^/]+)\/secret-providers\/health$/,
|
|
);
|
|
if (secretProviderHealthMatch) {
|
|
return Response.json(storybookSecretProviderHealth);
|
|
}
|
|
|
|
const secretUsageMatch = url.pathname.match(/^\/api\/secrets\/([^/]+)\/usage$/);
|
|
if (secretUsageMatch) {
|
|
const [, secretId] = secretUsageMatch;
|
|
return Response.json({
|
|
secretId,
|
|
bindings: storybookSecretBindings.filter((binding) => binding.secretId === secretId),
|
|
});
|
|
}
|
|
|
|
const secretEventsMatch = url.pathname.match(/^\/api\/secrets\/([^/]+)\/access-events$/);
|
|
if (secretEventsMatch) {
|
|
const [, secretId] = secretEventsMatch;
|
|
return Response.json(storybookSecretAccessEvents.filter((event) => event.secretId === secretId));
|
|
}
|
|
|
|
const companyResourceMatch = url.pathname.match(/^\/api\/companies\/([^/]+)\/([^/]+)$/);
|
|
if (companyResourceMatch) {
|
|
const [, companyId, resource] = companyResourceMatch;
|
|
if (resource === "agents") {
|
|
return Response.json(companyId === "company-storybook" ? storybookAgents : []);
|
|
}
|
|
if (resource === "projects") {
|
|
return Response.json(companyId === "company-storybook" ? storybookProjects : []);
|
|
}
|
|
if (resource === "approvals") {
|
|
return Response.json(companyId === "company-storybook" ? storybookApprovals : []);
|
|
}
|
|
if (resource === "dashboard") {
|
|
return Response.json({
|
|
...storybookDashboardSummary,
|
|
companyId,
|
|
});
|
|
}
|
|
if (resource === "heartbeat-runs") {
|
|
return Response.json([]);
|
|
}
|
|
if (resource === "live-runs") {
|
|
return Response.json(companyId === "company-storybook" ? storybookLiveRuns : []);
|
|
}
|
|
if (resource === "inbox-dismissals") {
|
|
return Response.json([]);
|
|
}
|
|
if (resource === "sidebar-badges") {
|
|
return Response.json(
|
|
companyId === "company-storybook"
|
|
? storybookSidebarBadges
|
|
: { inbox: 0, approvals: 0, failedRuns: 0, joinRequests: 0 },
|
|
);
|
|
}
|
|
if (resource === "join-requests") {
|
|
return Response.json([]);
|
|
}
|
|
if (resource === "issues") {
|
|
const query = url.searchParams.get("q")?.trim().toLowerCase();
|
|
const issues = companyId === "company-storybook" ? storybookIssues : [];
|
|
return Response.json(
|
|
query
|
|
? issues.filter((issue) =>
|
|
`${issue.identifier ?? ""} ${issue.title} ${issue.description ?? ""}`.toLowerCase().includes(query),
|
|
)
|
|
: issues,
|
|
);
|
|
}
|
|
}
|
|
|
|
if (url.pathname.startsWith("/api/invites/") && url.pathname.endsWith("/logo")) {
|
|
return new Response(null, { status: 204 });
|
|
}
|
|
|
|
return originalFetch(input, init);
|
|
};
|
|
}
|
|
|
|
// Install fetch fixtures at module load so React Query never sees a real network failure.
|
|
if (typeof window !== "undefined") {
|
|
installStorybookApiFixtures();
|
|
}
|
|
|
|
function applyStorybookTheme(theme: "light" | "dark") {
|
|
if (typeof document === "undefined") return;
|
|
document.documentElement.classList.toggle("dark", theme === "dark");
|
|
document.documentElement.style.colorScheme = theme;
|
|
}
|
|
|
|
function StorybookProviders({
|
|
children,
|
|
theme,
|
|
}: {
|
|
children: ReactNode;
|
|
theme: "light" | "dark";
|
|
}) {
|
|
const [queryClient] = useState(
|
|
() =>
|
|
new QueryClient({
|
|
defaultOptions: {
|
|
queries: {
|
|
retry: false,
|
|
staleTime: Number.POSITIVE_INFINITY,
|
|
},
|
|
},
|
|
}),
|
|
);
|
|
|
|
if (typeof window !== "undefined") {
|
|
installStorybookApiFixtures();
|
|
}
|
|
|
|
useEffect(() => {
|
|
applyStorybookTheme(theme);
|
|
}, [theme]);
|
|
|
|
return (
|
|
<QueryClientProvider client={queryClient}>
|
|
<ThemeProvider>
|
|
<MemoryRouter initialEntries={["/PAP/storybook"]}>
|
|
<CompanyProvider>
|
|
<EditorAutocompleteProvider>
|
|
<ToastProvider>
|
|
<TooltipProvider>
|
|
<BreadcrumbProvider>
|
|
<SidebarProvider>
|
|
<PanelProvider>
|
|
<DialogProvider>{children}</DialogProvider>
|
|
</PanelProvider>
|
|
</SidebarProvider>
|
|
</BreadcrumbProvider>
|
|
</TooltipProvider>
|
|
</ToastProvider>
|
|
</EditorAutocompleteProvider>
|
|
</CompanyProvider>
|
|
</MemoryRouter>
|
|
</ThemeProvider>
|
|
</QueryClientProvider>
|
|
);
|
|
}
|
|
|
|
const preview: Preview = {
|
|
decorators: [
|
|
(Story, context) => {
|
|
const theme = context.globals.theme === "light" ? "light" : "dark";
|
|
return (
|
|
<StorybookProviders key={theme} theme={theme}>
|
|
<Story />
|
|
</StorybookProviders>
|
|
);
|
|
},
|
|
],
|
|
globalTypes: {
|
|
theme: {
|
|
description: "Paperclip color mode",
|
|
defaultValue: "dark",
|
|
toolbar: {
|
|
title: "Theme",
|
|
icon: "mirror",
|
|
items: [
|
|
{ value: "dark", title: "Dark" },
|
|
{ value: "light", title: "Light" },
|
|
],
|
|
dynamicTitle: true,
|
|
},
|
|
},
|
|
},
|
|
parameters: {
|
|
actions: { argTypesRegex: "^on[A-Z].*" },
|
|
a11y: {
|
|
test: "error",
|
|
},
|
|
backgrounds: {
|
|
disable: true,
|
|
},
|
|
controls: {
|
|
expanded: true,
|
|
matchers: {
|
|
color: /(background|color)$/i,
|
|
date: /Date$/i,
|
|
},
|
|
},
|
|
docs: {
|
|
toc: true,
|
|
},
|
|
layout: "fullscreen",
|
|
viewport: {
|
|
viewports: {
|
|
mobile: {
|
|
name: "Mobile",
|
|
styles: { width: "390px", height: "844px" },
|
|
},
|
|
tablet: {
|
|
name: "Tablet",
|
|
styles: { width: "834px", height: "1112px" },
|
|
},
|
|
desktop: {
|
|
name: "Desktop",
|
|
styles: { width: "1440px", height: "960px" },
|
|
},
|
|
},
|
|
},
|
|
},
|
|
};
|
|
|
|
export default preview;
|