Add runtime secret backends (HashiCorp + Bitwarden) and vault store/fetch CLI #49

Open: johnnyclem wants to merge 1 commit into main from codex/add-secret-management-with-hashicorp-vault


@johnnyclem (Owner)

Motivation

  • Support real secret management backends so secrets are stored externally and fetched at runtime (no canister persistence), and provide a simple CLI flow for storing/fetching secrets (e.g. agentvault vault store --key api_binance --value $KEY).
  • Allow operators to choose between self-hosted HashiCorp Vault and a local Bitwarden CLI workflow to cover both server and developer use cases.

Description

  • Added a backend option to vault types and config and an environment override AGENTVAULT_VAULT_BACKEND, with backend-aware loading and safe persistence logic in src/vault/types.ts and src/vault/config.ts.
  • Extended VaultClient (src/vault/client.ts) to route operations to either HashiCorp Vault (existing HTTP API flows) or Bitwarden CLI (bw) for health, get/put/delete, and enforced per-agent namespaces and policy validation.
  • Extended the vault CLI (cli/commands/vault.ts) to support backend selection in vault init, and added vault store --key --value [--agent] and vault fetch --key [--agent] commands plus updated help/next-step messaging (including a Docker hint for self-hosted Vault).
  • Updated unit tests to cover new CLI subcommands and Bitwarden config acceptance (tests/vault/cli.test.ts, tests/vault/config.test.ts) and adjusted internal behavior accordingly.

Testing

  • Ran targeted test suite: npm run test -- tests/vault/cli.test.ts tests/vault/config.test.ts tests/vault/client.test.ts, and all tests passed (3 files, 56 tests) ✅.
  • Performed a TypeScript typecheck via npm run typecheck, which failed due to pre-existing unrelated type errors in pilot files and not because of the vault changes (type failures are in cli/commands/pilot.ts and src/pilot/private-replica.ts).

Codex Task
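
Added example, not part of this pull request or the AgentVault code base: one way the backend override and the per-agent namespacing described above could be validated before any request reaches HashiCorp Vault or the Bitwarden CLI. Only AGENTVAULT_VAULT_BACKEND comes from the description; the function names, the default backend, the `secret` mount and the Bitwarden item naming are assumptions.

```typescript
// Added illustration; all names are hypothetical except the
// AGENTVAULT_VAULT_BACKEND variable named in the PR description.
type Backend = "hashicorp" | "bitwarden";
const BACKENDS: readonly Backend[] = ["hashicorp", "bitwarden"];

// The environment override wins over the config value, but only when it names
// a known backend. An unknown or empty value is an error, never a silent
// fallback. Defaulting to "hashicorp" when nothing is set is an assumption.
function resolveBackend(env: Record<string, string | undefined>, configured?: string): Backend {
  const raw = (env["AGENTVAULT_VAULT_BACKEND"] ?? configured ?? "hashicorp").trim().toLowerCase();
  const match = BACKENDS.find((b) => b === raw);
  if (!match) throw new Error(`unsupported vault backend: ${JSON.stringify(raw)}`);
  return match;
}

// Agent ids and keys must each be a single path segment of safe characters,
// so a key such as "../other-agent/api_binance" cannot leave its namespace.
const SEGMENT = /^[a-z0-9][a-z0-9_-]{0,63}$/;

function secretPath(agentId: string, key: string): string {
  if (!SEGMENT.test(agentId)) throw new Error("invalid agent id");
  if (!SEGMENT.test(key)) throw new Error("invalid secret key");
  return `agents/${agentId}/${key}`;
}

// Both backends receive a locator derived from the same validated path.
function locate(backend: Backend, agentId: string, key: string): string {
  const path = secretPath(agentId, key);
  return backend === "hashicorp"
    ? `/v1/secret/data/${path}` // KV v2 HTTP path; the mount name "secret" is assumed
    : `agentvault/${path}`; // Bitwarden item name; this naming scheme is assumed
}
```
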

vercel Bot commented Apr 26, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| agent-vault | Ready | Preview, Comment | Apr 26, 2026 2:46pm |
| agentvault | Ready | Preview, Comment | Apr 26, 2026 2:46pm |
