feat: replace profiles with kubernetes-style secrets

Replace the confused Profile abstraction with a dedicated Secret resource following Kubernetes conventions. Servers now have env entries with inline values or secretRef references. Env vars are resolved and passed to containers at startup (fixes existing gap). - Add Secret CRUD (model, repo, service, routes, CLI commands) - Server env: {name, value} or {name, valueFrom: {secretRef: {name, key}}} - Add env-resolver utility shared by instance startup and config generation - Remove all profile-related code (models, services, routes, CLI, tests) - Update backup/restore for secrets instead of profiles - describe secret masks values by default, --show-values to reveal Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-22 18:40:58 +00:00
parent 02254f2aac
commit ca02340a4c
77 changed files with 1014 additions and 1931 deletions
--- a/src/cli/tests/commands/create.test.ts
+++ b/src/cli/tests/commands/create.test.ts
@@ -46,8 +46,8 @@ describe('create command', () => {
        '--command', 'python',
        '--command', '-c',
        '--command', 'print("hello")',
-        '--env-template', 'API_KEY:API key:true',
-        '--env-template', 'BASE_URL:Base URL:false',
+        '--env', 'API_KEY=secretRef:creds:API_KEY',
+        '--env', 'BASE_URL=http://localhost',
      ], { from: 'user' });

      expect(client.post).toHaveBeenCalledWith('/api/v1/servers', {
@@ -59,9 +59,9 @@ describe('create command', () => {
        containerPort: 3000,
        replicas: 2,
        command: ['python', '-c', 'print("hello")'],
-        envTemplate: [
-          { name: 'API_KEY', description: 'API key', isSecret: true },
-          { name: 'BASE_URL', description: 'Base URL', isSecret: false },
+        env: [
+          { name: 'API_KEY', valueFrom: { secretRef: { name: 'creds', key: 'API_KEY' } } },
+          { name: 'BASE_URL', value: 'http://localhost' },
        ],
      });
    });
@@ -75,49 +75,28 @@ describe('create command', () => {
    });
  });

-  describe('create profile', () => {
-    it('creates a profile resolving server name', async () => {
-      vi.mocked(client.get).mockResolvedValue([
-        { id: 'srv-abc', name: 'ha-mcp' },
-      ]);
-      const cmd = createCreateCommand({ client, log });
-      await cmd.parseAsync(['profile', 'production', '--server', 'ha-mcp'], { from: 'user' });
-      expect(client.post).toHaveBeenCalledWith('/api/v1/profiles', expect.objectContaining({
-        name: 'production',
-        serverId: 'srv-abc',
-      }));
-    });
-
-    it('parses --env KEY=value entries', async () => {
-      vi.mocked(client.get).mockResolvedValue([
-        { id: 'srv-1', name: 'test' },
-      ]);
+  describe('create secret', () => {
+    it('creates a secret with --data flags', async () => {
      const cmd = createCreateCommand({ client, log });
      await cmd.parseAsync([
-        'profile', 'dev',
-        '--server', 'test',
-        '--env', 'FOO=bar',
-        '--env', 'SECRET=s3cr3t',
+        'secret', 'ha-creds',
+        '--data', 'TOKEN=abc123',
+        '--data', 'URL=https://ha.local',
      ], { from: 'user' });
-      expect(client.post).toHaveBeenCalledWith('/api/v1/profiles', expect.objectContaining({
-        envOverrides: { FOO: 'bar', SECRET: 's3cr3t' },
-      }));
+      expect(client.post).toHaveBeenCalledWith('/api/v1/secrets', {
+        name: 'ha-creds',
+        data: { TOKEN: 'abc123', URL: 'https://ha.local' },
+      });
+      expect(output.join('\n')).toContain("secret 'test' created");
    });

-    it('passes permissions', async () => {
-      vi.mocked(client.get).mockResolvedValue([
-        { id: 'srv-1', name: 'test' },
-      ]);
+    it('creates a secret with empty data', async () => {
      const cmd = createCreateCommand({ client, log });
-      await cmd.parseAsync([
-        'profile', 'admin',
-        '--server', 'test',
-        '--permissions', 'read',
-        '--permissions', 'write',
-      ], { from: 'user' });
-      expect(client.post).toHaveBeenCalledWith('/api/v1/profiles', expect.objectContaining({
-        permissions: ['read', 'write'],
-      }));
+      await cmd.parseAsync(['secret', 'empty-secret'], { from: 'user' });
+      expect(client.post).toHaveBeenCalledWith('/api/v1/secrets', {
+        name: 'empty-secret',
+        data: {},
+      });
    });
  });