michal/mcpctl
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
2155910f1cc2b08fe0af255f45dcc4fab6295a63
mcpctl/src/mcpd/src/repositories/secret-backend.repository.ts

104 lines
3.6 KiB
TypeScript
Raw Normal View History

feat(mcpd): pluggable SecretBackend abstraction + OpenBao driver + migrate Why: API keys live in Postgres as plaintext JSON. A DB read exposes every credential in the system. Before centralising more secrets (LLM keys, etc.) we want to be able to point at an external KV store and drop DB access to sensitive rows. New model: - `SecretBackend` resource (CRUD + isDefault invariant) owns how a secret is stored. `Secret` gains `backendId` FK and `externalRef`. Reads/writes dispatch through a driver. - `plaintext` driver (near-noop, uses existing Secret.data column) is seeded as the `default` row at startup. Acts as trust root / bootstrap. - `openbao` driver (also HashiCorp Vault KV v2 compatible) talks plain HTTP, no SDK dependency. Auth via static token pulled from a plaintext-backed `Secret` through the injected SecretRefResolver. Caches resolved token. - `SecretMigrateService` moves secrets one-at-a-time: read → write dest → flip row → best-effort source delete. Interrupted runs are idempotent (skips secrets already on destination). CLI surface: - `mcpctl create|get|describe|delete secretbackend` + `--default` on create. - `mcpctl migrate secrets --from X --to Y [--names a,b] [--keep-source] [--dry-run]` - `apply -f` round-trips secretbackends (yaml/json multi-doc + grouped). - RBAC: `secretbackends` resource + `run:migrate-secrets` operation. - Fish + bash completions regenerated. docs/secret-backends.md covers the OpenBao policy, chicken-and-egg auth flow, and the migration semantics. Broke the circular dep (OpenBao needs SecretService to resolve its own token, SecretService needs SecretBackendService) with a deferred-resolver bridge in mcpd startup. 11 new driver unit tests; existing env-resolver/secret-route/ backup tests updated for the new service signatures. Full suite: 1792/1792. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 19:29:55 +01:00
import type { PrismaClient, SecretBackend, Prisma } from '@prisma/client';
export interface CreateSecretBackendInput {
name: string;
type: string;
config?: Record<string, unknown>;
isDefault?: boolean;
description?: string;
}
export interface UpdateSecretBackendInput {
config?: Record<string, unknown>;
isDefault?: boolean;
description?: string;
}
export interface ISecretBackendRepository {
findAll(): Promise<SecretBackend[]>;
findById(id: string): Promise<SecretBackend | null>;
findByName(name: string): Promise<SecretBackend | null>;
findDefault(): Promise<SecretBackend | null>;
create(data: CreateSecretBackendInput): Promise<SecretBackend>;
update(id: string, data: UpdateSecretBackendInput): Promise<SecretBackend>;
/**
* Atomically clear `isDefault` on every row except the one named, then set
* the given row as default. Used by `setDefault`.
*/
setAsDefault(id: string): Promise<SecretBackend>;
delete(id: string): Promise<void>;
/** Count secrets that still reference this backend — used to guard delete. */
countReferencingSecrets(backendId: string): Promise<number>;
}
export class SecretBackendRepository implements ISecretBackendRepository {
constructor(private readonly prisma: PrismaClient) {}
async findAll(): Promise<SecretBackend[]> {
return this.prisma.secretBackend.findMany({ orderBy: { name: 'asc' } });
}
async findById(id: string): Promise<SecretBackend | null> {
return this.prisma.secretBackend.findUnique({ where: { id } });
}
async findByName(name: string): Promise<SecretBackend | null> {
return this.prisma.secretBackend.findUnique({ where: { name } });
}
async findDefault(): Promise<SecretBackend | null> {
return this.prisma.secretBackend.findFirst({ where: { isDefault: true } });
}
async create(data: CreateSecretBackendInput): Promise<SecretBackend> {
return this.prisma.$transaction(async (tx) => {
if (data.isDefault === true) {
await tx.secretBackend.updateMany({ where: { isDefault: true }, data: { isDefault: false } });
}
return tx.secretBackend.create({
data: {
name: data.name,
type: data.type,
config: (data.config ?? {}) as Prisma.InputJsonValue,
isDefault: data.isDefault ?? false,
description: data.description ?? '',
},
});
});
}
async update(id: string, data: UpdateSecretBackendInput): Promise<SecretBackend> {
return this.prisma.$transaction(async (tx) => {
if (data.isDefault === true) {
await tx.secretBackend.updateMany({
where: { isDefault: true, NOT: { id } },
data: { isDefault: false },
});
}
const updateData: Prisma.SecretBackendUpdateInput = {};
if (data.config !== undefined) updateData.config = data.config as Prisma.InputJsonValue;
if (data.isDefault !== undefined) updateData.isDefault = data.isDefault;
if (data.description !== undefined) updateData.description = data.description;
return tx.secretBackend.update({ where: { id }, data: updateData });
});
}
async setAsDefault(id: string): Promise<SecretBackend> {
return this.prisma.$transaction(async (tx) => {
await tx.secretBackend.updateMany({
where: { isDefault: true, NOT: { id } },
data: { isDefault: false },
});
return tx.secretBackend.update({ where: { id }, data: { isDefault: true } });
});
}
async delete(id: string): Promise<void> {
await this.prisma.secretBackend.delete({ where: { id } });
}
async countReferencingSecrets(backendId: string): Promise<number> {
return this.prisma.secret.count({ where: { backendId } });
}
}
Reference in New Issue Copy Permalink