11901ae5d8
Add AES-256-GCM local encrypted secrets provider with auto-generated master key, stub providers for AWS/GCP/Vault, and a secrets service that normalizes adapter configs (converting sensitive inline values to secret refs in strict mode) and resolves secret refs back to plain values at runtime. Extract redaction utilities from agent routes into shared module. Redact sensitive values in activity logs, config revisions, and approval payloads. Block rollback of revisions containing redacted secrets. Filter hidden issues from list queries. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
33 lines
886 B
TypeScript
33 lines
886 B
TypeScript
import { unprocessable } from "../errors.js";
|
|
import type { SecretProviderModule } from "./types.js";
|
|
|
|
function unavailableProvider(
|
|
id: "aws_secrets_manager" | "gcp_secret_manager" | "vault",
|
|
label: string,
|
|
): SecretProviderModule {
|
|
return {
|
|
id,
|
|
descriptor: {
|
|
id,
|
|
label,
|
|
requiresExternalRef: true,
|
|
},
|
|
async createVersion() {
|
|
throw unprocessable(`${id} provider is not configured in this deployment`);
|
|
},
|
|
async resolveVersion() {
|
|
throw unprocessable(`${id} provider is not configured in this deployment`);
|
|
},
|
|
};
|
|
}
|
|
|
|
export const awsSecretsManagerProvider = unavailableProvider(
|
|
"aws_secrets_manager",
|
|
"AWS Secrets Manager",
|
|
);
|
|
export const gcpSecretManagerProvider = unavailableProvider(
|
|
"gcp_secret_manager",
|
|
"GCP Secret Manager",
|
|
);
|
|
export const vaultProvider = unavailableProvider("vault", "HashiCorp Vault");
|