feat(v1.1.7-secrets): secrets SDK + table + admin API + dashboard

Encrypted per-app secrets, reachable from scripts as secrets::{get,set,delete,list}(name) and managed from the dashboard Secrets tab. Values are AES-256-GCM-sealed with the process master key (picloud_shared::crypto) before they touch Postgres; the repo only ever sees ciphertext + nonce. JSON round-trip preserves Rhai types. - migration 0023_secrets.sql (PRIMARY KEY (app_id, name)). - SecretsService trait (picloud-shared) + SecretsServiceImpl + repo (manager-core), wired into the Services bundle and Rhai engine. - Capability::AppSecretsRead/Write (→ script:read / script:write); no new Scope variants (seven-scope commitment). - Admin API GET/POST/DELETE /apps/{id}/secrets (list returns names + updated_at, never values). - build_app now takes a MasterKey, sourced from PICLOUD_SECRET_KEY in main.rs; test callers pass a fixed test key. - 64 KB value cap (PICLOUD_SECRET_MAX_VALUE_BYTES); no ServiceEvent emission (secret writes don't fire triggers, by design). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-04 21:37:17 +02:00
parent dc2e4fa01f
commit 2d11090d1a
28 changed files with 1959 additions and 35 deletions
--- a/crates/picloud/tests/api.rs
+++ b/crates/picloud/tests/api.rs
@@ -40,7 +40,13 @@ async fn server_with_app(pool: PgPool) -> (TestServer, String) {
        .await
        .expect("seed admin");

-    let app = picloud::build_app(pool, auth).await.expect("build_app");
+    let app = picloud::build_app(
+        pool,
+        auth,
+        picloud_shared::MasterKey::from_bytes([0x42u8; 32]),
+    )
+    .await
+    .expect("build_app");
    let mut server = TestServer::new(app).expect("TestServer should build");

    let resp = server
--- a/crates/picloud/tests/authz.rs
+++ b/crates/picloud/tests/authz.rs
@@ -57,9 +57,13 @@ async fn boot(pool: PgPool) -> Seeded {
        .await
        .expect("seed owner");

-    let app = picloud::build_app(pool.clone(), auth)
-        .await
-        .expect("build_app");
+    let app = picloud::build_app(
+        pool.clone(),
+        auth,
+        picloud_shared::MasterKey::from_bytes([0x42u8; 32]),
+    )
+    .await
+    .expect("build_app");
    let server = TestServer::new(app).expect("TestServer");

    // Default app id (seeded by migration 0005).
--- a/crates/picloud/tests/dispatcher_e2e.rs
+++ b/crates/picloud/tests/dispatcher_e2e.rs
@@ -67,7 +67,13 @@ async fn server_for(pool: PgPool, suffix: &str) -> (TestServer, String) {
        .await
        .expect("seed admin");

-    let app = picloud::build_app(pool, auth).await.expect("build_app");
+    let app = picloud::build_app(
+        pool,
+        auth,
+        picloud_shared::MasterKey::from_bytes([0x42u8; 32]),
+    )
+    .await
+    .expect("build_app");
    let mut server = TestServer::new(app).expect("TestServer");
    let resp = server
        .post("/api/v1/admin/auth/login")