Add secrets infrastructure: DB tables, shared types, env binding model, and migration improvements

Introduce company_secrets and company_secret_versions tables for encrypted secret storage. Add EnvBinding discriminated union (plain vs secret_ref) to replace raw string env values in adapter configs. Add hiddenAt column to issues for soft-hiding. Improve migration system with journal-ordered application and manual fallback when Drizzle migrator can't reconcile history. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-19 15:43:43 -06:00
parent 3b81557f7c
commit d26b67ebc3
23 changed files with 7348 additions and 14 deletions
--- a/packages/shared/src/config-schema.ts
+++ b/packages/shared/src/config-schema.ts
@@ -1,4 +1,5 @@
 import { z } from "zod";
+import { SECRET_PROVIDERS } from "./constants.js";

 export const configMetaSchema = z.object({
  version: z.literal(1),
@@ -28,12 +29,31 @@ export const serverConfigSchema = z.object({
  serveUi: z.boolean().default(true),
 });

+export const secretsLocalEncryptedConfigSchema = z.object({
+  keyFilePath: z.string().default("./data/secrets/master.key"),
+});
+
+export const secretsConfigSchema = z.object({
+  provider: z.enum(SECRET_PROVIDERS).default("local_encrypted"),
+  strictMode: z.boolean().default(false),
+  localEncrypted: secretsLocalEncryptedConfigSchema.default({
+    keyFilePath: "./data/secrets/master.key",
+  }),
+});
+
 export const paperclipConfigSchema = z.object({
  $meta: configMetaSchema,
  llm: llmConfigSchema.optional(),
  database: databaseConfigSchema,
  logging: loggingConfigSchema,
  server: serverConfigSchema,
+  secrets: secretsConfigSchema.default({
+    provider: "local_encrypted",
+    strictMode: false,
+    localEncrypted: {
+      keyFilePath: "./data/secrets/master.key",
+    },
+  }),
 });

 export type PaperclipConfig = z.infer<typeof paperclipConfigSchema>;
@@ -41,4 +61,6 @@ export type LlmConfig = z.infer<typeof llmConfigSchema>;
 export type DatabaseConfig = z.infer<typeof databaseConfigSchema>;
 export type LoggingConfig = z.infer<typeof loggingConfigSchema>;
 export type ServerConfig = z.infer<typeof serverConfigSchema>;
+export type SecretsConfig = z.infer<typeof secretsConfigSchema>;
+export type SecretsLocalEncryptedConfig = z.infer<typeof secretsLocalEncryptedConfigSchema>;
 export type ConfigMeta = z.infer<typeof configMetaSchema>;