michal/mcpctl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(secrets): describe --show-values resolves through the backend driver
Some checks failed
CI/CD / lint (push) Successful in 55s
Details
CI/CD / test (push) Failing after 1m5s
Details
CI/CD / typecheck (push) Has started running
Details
CI/CD / smoke (push) Has been cancelled
Details
CI/CD / build (push) Has been cancelled
Details
CI/CD / publish (push) Has been cancelled
Details

Browse Source 
Post-migration, every Secret on a non-plaintext backend has empty `Secret.data`
(the actual value lives in the backend; only externalRef is on the row).
`describe secret --show-values` was reading the raw row, so the user saw
"Data: (empty)" for every migrated secret.

- Route GET /api/v1/secrets/:id accepts ?reveal=true; when set, resolves the
  value via SecretService.resolveData() so the response carries the actual
  data dispatched through the right driver.
- CLI --show-values flips that query param. Without --show-values the route
  returns the raw row exactly as before (no leak risk).

Caught running the wizard end-to-end on the live cluster after the
ClusterMesh fix on the kubernetes-deployment side made bao reachable.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Michal
2026-04-24 00:46:54 +01:00
parent bf312850b5
commit faccbb58e7
2 changed files with 28 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/cli/src/commands/describe.ts
View File

@@ -928,7 +928,15 @@ export function createDescribeCommand(deps: DescribeCommandDeps): Command {
}
}
const item = await deps.fetchResource(resource, id) as Record<string, unknown>;
let item: Record<string, unknown>;
if (resource === 'secrets' && opts.showValues === true) {
// --show-values needs the resolved data (the raw row's `data` is
// empty for non-plaintext backends — values live in the backend).
// Use ?reveal=true so mcpd dispatches through the backing driver.
item = await deps.client.get<Record<string, unknown>>(`/api/v1/secrets/${id}?reveal=true`);
} else {
item = await deps.fetchResource(resource, id) as Record<string, unknown>;
}
// Enrich instances with container inspect data
let inspect: Record<string, unknown> | undefined;

22
src/mcpd/src/routes/secrets.ts
View File

@@ -9,9 +9,25 @@ export function registerSecretRoutes(
return service.list();
});
app.get<{ Params: { id: string } }>('/api/v1/secrets/:id', async (request) => {
return service.getById(request.params.id);
});
app.get<{ Params: { id: string }; Querystring: { reveal?: string } }>(
'/api/v1/secrets/:id',
async (request) => {
const secret = await service.getById(request.params.id);
// ?reveal=true → resolve `data` through the backing driver. Without
// reveal we return the raw row, which for non-plaintext backends has
// an empty `data` (the real values live in the backend; only the
// externalRef is on the row). The CLI's `describe secret` already
// masks values by default; --show-values flips this query param so the
// describe output matches what the user expects pre/post migration.
if (request.query.reveal === 'true') {
const resolved = await service.resolveData(secret).catch(() => null);
if (resolved !== null) {
return { ...secret, data: resolved };
}
}
return secret;
},
);
app.post('/api/v1/secrets', async (request, reply) => {
const secret = await service.create(request.body);