feat(v1.1.7-secrets): secrets SDK + table + admin API + dashboard

Encrypted per-app secrets, reachable from scripts as secrets::{get,set,delete,list}(name) and managed from the dashboard Secrets tab. Values are AES-256-GCM-sealed with the process master key (picloud_shared::crypto) before they touch Postgres; the repo only ever sees ciphertext + nonce. JSON round-trip preserves Rhai types. - migration 0023_secrets.sql (PRIMARY KEY (app_id, name)). - SecretsService trait (picloud-shared) + SecretsServiceImpl + repo (manager-core), wired into the Services bundle and Rhai engine. - Capability::AppSecretsRead/Write (→ script:read / script:write); no new Scope variants (seven-scope commitment). - Admin API GET/POST/DELETE /apps/{id}/secrets (list returns names + updated_at, never values). - build_app now takes a MasterKey, sourced from PICLOUD_SECRET_KEY in main.rs; test callers pass a fixed test key. - 64 KB value cap (PICLOUD_SECRET_MAX_VALUE_BYTES); no ServiceEvent emission (secret writes don't fire triggers, by design). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-04 21:37:17 +02:00
parent dc2e4fa01f
commit 2d11090d1a
28 changed files with 1959 additions and 35 deletions
--- a/crates/executor-core/tests/module_redaction_logging.rs
+++ b/crates/executor-core/tests/module_redaction_logging.rs
@@ -101,6 +101,7 @@ async fn original_backend_error_is_logged_at_error_level() {
        Arc::new(NoopHttpService),
        Arc::new(picloud_shared::NoopFilesService),
        Arc::new(picloud_shared::NoopPubsubService),
+        Arc::new(picloud_shared::NoopSecretsService),
    );
    let engine = Engine::new(Limits::default(), services);

--- a/crates/executor-core/tests/modules.rs
+++ b/crates/executor-core/tests/modules.rs
@@ -99,6 +99,7 @@ fn services_with(modules: Arc<dyn ModuleSource>) -> Services {
        Arc::new(NoopHttpService),
        Arc::new(picloud_shared::NoopFilesService),
        Arc::new(picloud_shared::NoopPubsubService),
+        Arc::new(picloud_shared::NoopSecretsService),
    )
 }

--- a/crates/executor-core/tests/sdk_docs.rs
+++ b/crates/executor-core/tests/sdk_docs.rs
@@ -230,6 +230,7 @@ fn make_engine() -> Arc<Engine> {
        Arc::new(NoopHttpService),
        Arc::new(picloud_shared::NoopFilesService),
        Arc::new(picloud_shared::NoopPubsubService),
+        Arc::new(picloud_shared::NoopSecretsService),
    );
    Arc::new(Engine::new(Limits::default(), services))
 }
--- a/crates/executor-core/tests/sdk_files.rs
+++ b/crates/executor-core/tests/sdk_files.rs
@@ -167,6 +167,7 @@ fn make_engine() -> Arc<Engine> {
        Arc::new(NoopHttpService),
        Arc::new(InMemoryFiles::default()),
        Arc::new(picloud_shared::NoopPubsubService),
+        Arc::new(picloud_shared::NoopSecretsService),
    );
    Arc::new(Engine::new(Limits::default(), services))
 }
--- a/crates/executor-core/tests/sdk_http.rs
+++ b/crates/executor-core/tests/sdk_http.rs
@@ -90,6 +90,7 @@ fn engine_with(http: Arc<dyn HttpService>) -> Arc<Engine> {
        http,
        Arc::new(picloud_shared::NoopFilesService),
        Arc::new(picloud_shared::NoopPubsubService),
+        Arc::new(picloud_shared::NoopSecretsService),
    );
    Arc::new(Engine::new(Limits::default(), services))
 }
--- a/crates/executor-core/tests/sdk_kv.rs
+++ b/crates/executor-core/tests/sdk_kv.rs
@@ -109,6 +109,7 @@ fn make_engine() -> Arc<Engine> {
        Arc::new(NoopHttpService),
        Arc::new(picloud_shared::NoopFilesService),
        Arc::new(picloud_shared::NoopPubsubService),
+        Arc::new(picloud_shared::NoopSecretsService),
    );
    Arc::new(Engine::new(Limits::default(), services))
 }
--- a/crates/executor-core/tests/sdk_pubsub.rs
+++ b/crates/executor-core/tests/sdk_pubsub.rs
@@ -47,6 +47,7 @@ fn make_engine(svc: Arc<RecordingPubsub>) -> Arc<Engine> {
        Arc::new(NoopHttpService),
        Arc::new(NoopFilesService),
        svc,
+        Arc::new(picloud_shared::NoopSecretsService),
    );
    Arc::new(Engine::new(Limits::default(), services))
 }
--- a/crates/executor-core/tests/sdk_secrets.rs
+++ b/crates/executor-core/tests/sdk_secrets.rs
@@ -0,0 +1,212 @@
+//! `secrets::` SDK bridge integration tests — runs a real Rhai engine
+//! against an in-memory `SecretsService` impl. Mirrors `sdk_kv.rs`: the
+//! engine runs under `spawn_blocking` so the bridge's `block_on` has a
+//! reachable runtime.
+//!
+//! This exercises the Rhai⇄JSON plumbing + the static `secrets` module
+//! (set/get/delete/list, the missing→() contract, and the
+//! String/Map/Array type round-trip). Encryption + authz + the
+//! cross-app boundary are unit-tested at the service layer in
+//! `manager-core::secrets_service`.
+
+use std::collections::BTreeMap;
+use std::sync::Arc;
+
+use async_trait::async_trait;
+use picloud_executor_core::{Engine, ExecRequest, InvocationType, Limits};
+use picloud_shared::{
+    AppId, ExecutionId, NoopDeadLetterService, NoopDocsService, NoopEventEmitter, NoopHttpService,
+    NoopKvService, NoopModuleSource, RequestId, ScriptId, ScriptSandbox, SdkCallCx, SecretsError,
+    SecretsListPage, SecretsService, Services,
+};
+use serde_json::{json, Value};
+use tokio::sync::Mutex;
+
+/// In-memory secrets store keyed by `(app_id, name)`. Stores the JSON
+/// value directly — the bridge test only cares about the Rhai plumbing,
+/// not the at-rest encryption (which the service layer owns).
+#[derive(Default)]
+struct InMemorySecrets {
+    data: Mutex<BTreeMap<(AppId, String), Value>>,
+}
+
+#[async_trait]
+impl SecretsService for InMemorySecrets {
+    async fn get(&self, cx: &SdkCallCx, name: &str) -> Result<Option<Value>, SecretsError> {
+        picloud_shared::validate_secret_name(name)?;
+        Ok(self
+            .data
+            .lock()
+            .await
+            .get(&(cx.app_id, name.to_string()))
+            .cloned())
+    }
+
+    async fn set(&self, cx: &SdkCallCx, name: &str, value: Value) -> Result<(), SecretsError> {
+        picloud_shared::validate_secret_name(name)?;
+        self.data
+            .lock()
+            .await
+            .insert((cx.app_id, name.to_string()), value);
+        Ok(())
+    }
+
+    async fn delete(&self, cx: &SdkCallCx, name: &str) -> Result<bool, SecretsError> {
+        picloud_shared::validate_secret_name(name)?;
+        Ok(self
+            .data
+            .lock()
+            .await
+            .remove(&(cx.app_id, name.to_string()))
+            .is_some())
+    }
+
+    async fn list(
+        &self,
+        cx: &SdkCallCx,
+        cursor: Option<&str>,
+        limit: u32,
+    ) -> Result<SecretsListPage, SecretsError> {
+        let data = self.data.lock().await;
+        let mut names: Vec<String> = data
+            .iter()
+            .filter(|((a, _), _)| *a == cx.app_id)
+            .map(|((_, n), _)| n.clone())
+            .filter(|n| cursor.is_none_or(|c| n.as_str() > c))
+            .collect();
+        names.sort();
+        let take = if limit == 0 {
+            usize::MAX
+        } else {
+            limit as usize
+        };
+        let next_cursor = if names.len() > take {
+            names.truncate(take);
+            names.last().cloned()
+        } else {
+            None
+        };
+        Ok(SecretsListPage { names, next_cursor })
+    }
+}
+
+fn make_engine() -> Arc<Engine> {
+    let services = Services::new(
+        Arc::new(NoopKvService),
+        Arc::new(NoopDocsService),
+        Arc::new(NoopDeadLetterService),
+        Arc::new(NoopEventEmitter),
+        Arc::new(NoopModuleSource),
+        Arc::new(NoopHttpService),
+        Arc::new(picloud_shared::NoopFilesService),
+        Arc::new(picloud_shared::NoopPubsubService),
+        Arc::new(InMemorySecrets::default()),
+    );
+    Arc::new(Engine::new(Limits::default(), services))
+}
+
+fn baseline_request(app_id: AppId) -> ExecRequest {
+    let execution_id = ExecutionId::new();
+    ExecRequest {
+        execution_id,
+        request_id: RequestId::new(),
+        script_id: ScriptId::new(),
+        script_name: "secrets-test".into(),
+        invocation_type: InvocationType::Http,
+        path: "/secrets-test".into(),
+        headers: BTreeMap::new(),
+        body: Value::Null,
+        params: BTreeMap::new(),
+        query: BTreeMap::new(),
+        rest: String::new(),
+        sandbox_overrides: ScriptSandbox::default(),
+        app_id,
+        principal: None,
+        trigger_depth: 0,
+        root_execution_id: execution_id,
+        is_dead_letter_handler: false,
+        event: None,
+    }
+}
+
+async fn run_script(engine: Arc<Engine>, src: &str, req: ExecRequest) -> Value {
+    let src = src.to_string();
+    tokio::task::spawn_blocking(move || engine.execute(&src, req))
+        .await
+        .expect("spawn_blocking should not panic")
+        .expect("script execution should succeed")
+        .body
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn set_then_get_string_round_trips() {
+    let engine = make_engine();
+    let src = r#"
+        secrets::set("stripe_key", "sk_live_xxx");
+        secrets::get("stripe_key")
+    "#;
+    let body = run_script(engine, src, baseline_request(AppId::new())).await;
+    // A String comes back a String, not a JSON-quoted "\"sk_live_xxx\"".
+    assert_eq!(body, json!("sk_live_xxx"));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn set_then_get_map_round_trips() {
+    let engine = make_engine();
+    let src = r#"
+        secrets::set("oauth", #{ client_id: "abc", client_secret: "xyz" });
+        secrets::get("oauth")
+    "#;
+    let body = run_script(engine, src, baseline_request(AppId::new())).await;
+    assert_eq!(body, json!({ "client_id": "abc", "client_secret": "xyz" }));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn get_missing_returns_unit() {
+    let engine = make_engine();
+    let src = r#"
+        let v = secrets::get("nope");
+        #{ is_unit: type_of(v) == "()" }
+    "#;
+    let body = run_script(engine, src, baseline_request(AppId::new())).await;
+    assert_eq!(body, json!({ "is_unit": true }));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn delete_returns_was_present() {
+    let engine = make_engine();
+    let src = r#"
+        secrets::set("k", "v");
+        let first = secrets::delete("k");
+        let second = secrets::delete("k");
+        #{ first: first, second: second }
+    "#;
+    let body = run_script(engine, src, baseline_request(AppId::new())).await;
+    assert_eq!(body, json!({ "first": true, "second": false }));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn list_returns_names_and_cursor() {
+    let engine = make_engine();
+    let src = r#"
+        secrets::set("a", 1);
+        secrets::set("b", 2);
+        secrets::set("c", 3);
+        let page = secrets::list(#{ cursor: (), limit: 2 });
+        page
+    "#;
+    let body = run_script(engine, src, baseline_request(AppId::new())).await;
+    assert_eq!(body["names"], json!(["a", "b"]));
+    assert_eq!(body["next_cursor"], json!("b"));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn empty_name_throws() {
+    let engine = make_engine();
+    let src = r#" secrets::set("", "v"); #{ ok: true } "#;
+    let app = AppId::new();
+    let out = tokio::task::spawn_blocking(move || engine.execute(src, baseline_request(app)))
+        .await
+        .expect("spawn_blocking");
+    assert!(out.is_err(), "empty secret name must throw");
+}
--- a/crates/executor-core/tests/sdk_subscriber_token.rs
+++ b/crates/executor-core/tests/sdk_subscriber_token.rs
@@ -94,6 +94,7 @@ fn make_engine() -> Arc<Engine> {
        Arc::new(NoopHttpService),
        Arc::new(NoopFilesService),
        Arc::new(FakeMintPubsub),
+        Arc::new(picloud_shared::NoopSecretsService),
    );
    Arc::new(Engine::new(Limits::default(), services))
 }