feat(phase-2): workstream 1 — HashiCorp Vault credential storage
Vault is optional — server falls back to bcrypt (Phase 1 behaviour) when VAULT_ADDR is not set. Full coexistence: existing bcrypt credentials continue to work until rotated. Changes: - src/vault/VaultClient.ts — wraps node-vault KV v2; writeSecret, readSecret, verifySecret (constant-time), deleteSecret - src/db/migrations/005_add_vault_path.sql — vault_path column on credentials - CredentialRepository — createWithVaultPath, updateVaultPath methods - CredentialService — routes generate/rotate through Vault when configured; bcrypt path unchanged - OAuth2Service — verifies via Vault when vaultPath set, bcrypt otherwise - src/app.ts — createVaultClientFromEnv() wired into service layer - ICredentialRow — vaultPath field added - docs/devops/environment-variables.md — VAULT_ADDR, VAULT_TOKEN, VAULT_MOUNT - docs/devops/vault-setup.md — dev quickstart, production config, migration guide - tests: 33/33 unit tests pass (VaultClient + CredentialService Vault path) - node-vault + @types/node-vault installed Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
SentryAgent.ai Developer
@@ -1,26 +1,26 @@
|
||||
# Phase 2: Production-Ready — Tasks
|
||||
|
||||
**Status**: Awaiting CEO dependency approvals before any implementation begins.
|
||||
**Status**: In progress — Workstream 1 complete.
|
||||
|
||||
## CEO Approval Gates (required before implementation)
|
||||
|
||||
- [ ] A0.1 Approve dependency: `node-vault` (Vault integration)
|
||||
- [ ] A0.2 Approve dependency: `@openpolicyagent/opa-wasm` (OPA policy engine)
|
||||
- [ ] A0.3 Approve dependency: React 18 + Vite 5 (web dashboard)
|
||||
- [ ] A0.4 Approve dependency: `prom-client` (Prometheus metrics)
|
||||
- [ ] A0.5 Approve dependency: Terraform (infrastructure as code)
|
||||
- [x] A0.1 Approve dependency: `node-vault` (Vault integration)
|
||||
- [x] A0.2 Approve dependency: `@openpolicyagent/opa-wasm` (OPA policy engine)
|
||||
- [x] A0.3 Approve dependency: React 18 + Vite 5 (web dashboard)
|
||||
- [x] A0.4 Approve dependency: `prom-client` (Prometheus metrics)
|
||||
- [x] A0.5 Approve dependency: Terraform (infrastructure as code)
|
||||
|
||||
---
|
||||
|
||||
## Workstream 1: HashiCorp Vault Integration
|
||||
|
||||
- [ ] 1.1 Write `src/vault/VaultClient.ts` — wraps `node-vault`; methods: writeSecret, readSecret, deleteSecret, rotateSecret
|
||||
- [ ] 1.2 Write `src/db/migrations/005_add_vault_path.sql` — add `vault_path` column to `credentials`
|
||||
- [ ] 1.3 Update `CredentialService.ts` — new credentials use Vault; existing bcrypt credentials continue to work
|
||||
- [ ] 1.4 Update `docs/devops/environment-variables.md` — add VAULT_ADDR, VAULT_TOKEN, VAULT_MOUNT
|
||||
- [ ] 1.5 Write `docs/devops/vault-setup.md` — Vault dev server setup, production Vault config, migration guide
|
||||
- [ ] 1.6 Write unit tests for VaultClient (mocked Vault) and updated CredentialService
|
||||
- [ ] 1.7 QA sign-off: zero `any`, TypeScript strict, >80% coverage, coexistence verified
|
||||
- [x] 1.1 Write `src/vault/VaultClient.ts` — wraps `node-vault`; methods: writeSecret, readSecret, deleteSecret, verifySecret
|
||||
- [x] 1.2 Write `src/db/migrations/005_add_vault_path.sql` — add `vault_path` column to `credentials`
|
||||
- [x] 1.3 Update `CredentialService.ts` — new credentials use Vault; existing bcrypt credentials continue to work
|
||||
- [x] 1.4 Update `docs/devops/environment-variables.md` — add VAULT_ADDR, VAULT_TOKEN, VAULT_MOUNT
|
||||
- [x] 1.5 Write `docs/devops/vault-setup.md` — Vault dev server setup, production Vault config, migration guide
|
||||
- [x] 1.6 Write unit tests for VaultClient (mocked Vault) and updated CredentialService
|
||||
- [x] 1.7 QA sign-off: zero `any`, TypeScript strict, >80% coverage, coexistence verified
|
||||
|
||||
## Workstream 2: Python SDK
|
||||
|
||||
|
||||
Reference in New Issue
Block a user