feat(secrets): cluster secrets page on the hdb_secret store#1402
dawsontoth wants to merge 2 commits into
This was referenced Jul 1, 2026 (merged)
dawsontoth (Author): /gemini review
Code Review
This pull request introduces client-side envelope encryption (enc:v1) using the Web Crypto API to securely manage cluster-level deployment secrets, including UI components for listing, adding, and editing secrets. Feedback focuses on utilizing the query cache for the public key, adding a deletion confirmation prompt, handling non-secure contexts where the Web Crypto API is unavailable, ensuring type safety when closing the edit modal, and optimizing ArrayBuffer slicing to avoid unnecessary memory allocations.
Config > Secrets manages the replicated system.hdb_secret table (harper#1554; Pro key custody in harper-pro#512, tracked by harper-pro#166): named, envelope-encrypted rows on the cluster itself, edited through the per-instance operations API and scoped to applications via grants.

- list_secrets / set_secret / delete_secret / grant_secret / revoke_secret / get_secrets_public_key hooks on the instance operations client.
- Values are encrypted in the browser (enc:v1 via lib/crypto/envSecret.ts, which harper#1554 ported into core as its envelope codec) and can never be read back. Rotation-aware: the public key is cached minutes not forever, and a kid-mismatch rejection drops the cached key, re-encrypts, and retries once.
- Grants editor in the edit dialog (only granted applications receive a secret at load time) and per-row warnings for rows whose kid no longer matches the cluster's custody key.
- Degrades gracefully without key custody: the list stays browsable, a banner explains why nothing can be encrypted, and add/edit is disabled.
- Nav entry is version-gated only (>= 5.2.0 placeholder, matching harper#1554's upgrade directive) — the store ships in core, so it is not restricted to Fabric-managed clusters.

Builds on the shared SecretsManager / SecretModals components from the .env editor PR underneath this one. Hook coverage runs against real WebCrypto RSA keys, including the rotation retry re-encrypting under the newly served key.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…ager central-manager#409 makes CM the custodian for hosted clusters: it mints the per-cluster RSA keypair on first use (Studio's key fetch is what triggers the mint), stamps the fingerprint onto instances, and delivers the private key to host-managers — so the public key exists and is authoritative at CM even before any node has custody registered.

Fabric-managed clusters now fetch the public key via POST /ClusterSecrets (get_secrets_public_key + clusterId, camelCase response); self-hosted and local instances keep the node operation (snake_case response). Both are normalized to one shape, and the kid-mismatch retry now also heals CM's documented first-mint race (the losing key's envelopes fail with a kid mismatch; re-encrypting against the stored winner fixes them).

Values are unchanged: still encrypted in the browser and submitted to the cluster's own set_secret — they never pass through or live in CM.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
What
Config → Secrets manages the replicated system.hdb_secret store: named, envelope-encrypted rows on the cluster itself, edited through the per-instance operations API and scoped to applications via grants. Built on the shared SecretsManager / SecretModals components from #1409.

- integrations/api/instance/secrets/secrets.ts — hooks for list_secrets / set_secret / delete_secret / grant_secret / revoke_secret, plus public-key resolution:
  - POST /ClusterSecrets, per central-manager#409) — CM is the custodian there, and Studio's key fetch is what triggers the first-use mint. Requires cluster-update rights on first use (the mint stamps fingerprints onto instances).
  - get_secrets_public_key operation (file-tier custody mints its own key).
- lib/crypto/envSecret.ts, the enc:v1 codec harper#1554 ported into core): values are encrypted in the browser and submitted as envelopes to the cluster's own set_secret — plaintext never reaches the operations API, the operation log, disk, or CM, and can never be read back.
- kid no longer matches the cluster's custody key (or stored unverified) — they may fail to decrypt until re-saved.
- .mjsfiles #409 CM) the list stays browsable, a banner explains why, and add/edit is disabled.
- >= 5.2.0, matching harper#1554's upgrade directive tag) — the store ships in core, so it isn't restricted to Fabric-managed clusters.

Verification

- tsc, oxlint, dprint clean; full suite green (1089 tests; 6 secrets-hook tests run real WebCrypto RSA keys, asserting plaintext never appears in a request body, the CM-vs-node key routing, and the rotation retry re-encrypting under the newly served key).
- .mjsfiles #409): the version gate correctly hides the nav entry, and direct navigation shows the degraded state (banner, read-only, empty list) with the key fetch correctly routed to CM's /ClusterSecrets for the managed cluster.
- .mjsfiles #409 — covered by the hook tests until then.

Notes / open items

- >= 5.2.0 gate matches harper#1554's upgrade directive tag; retag if that ships in a different release.
- /ClusterSecrets isn't in the generated OpenAPI SDK yet; regenerate to type it once central-manager#409 ships.
- get_components would be a nice follow-up.
- ClusterSecrets store from central-manager#405 (control-plane values + host-manager value injection). That model was superseded by the two-key custody plan (harper-pro#166 / central-manager#409: CM keeps the key, the cluster keeps the ciphertext), and this page was retargeted accordingly.

🤖 Generated with Claude Code
Related PRs — secrets management
One enc:v1 client contract everywhere (public key + envelope; values encrypted before they leave the client):

- .env protection in the operations API — merged (consumed by feat(secrets): version-adaptive .env editor in the application editor #1409)
- enc:v1 decrypt hook + envelope contract — merged
- hdb_secret store with grant-scoped secret operations + get_secrets_public_key
- file (self-hosted) + injected (Fabric) providers; supersedes harper-pro#505
- .env panel (deployable now)