Skip to content

Feat/key vault#8

Open
CPrutean wants to merge 31 commits into
mainfrom
feat/key_vault
Open

Feat/key vault#8
CPrutean wants to merge 31 commits into
mainfrom
feat/key_vault

Conversation

@CPrutean
Copy link
Copy Markdown
Member

@CPrutean CPrutean commented Jun 5, 2026

What changed

Created the API key vault

Why

Sharing API keys at trickfire has been a really bad practice, this alleviates that.

Type of change

  • Feature (feat/)
  • Bug fix (fix/)
  • Chore / infra (chore/)
  • Docs (docs/)
  • Refactor (refactor/)

Checklist

  • pnpm lint passes
  • pnpm format:check passes
  • If schema.ts was changed - migration generated (pnpm db:generate) and committed alongside the schema
  • PR is focused on one concern

CPrutean added 30 commits June 4, 2026 15:37
@CPrutean
feat(vault): add AES-256-GCM encryption helper
b6ae828 
Encrypts vault secrets at rest. Resolves the key from VAULT_ENCRYPTION_KEY,
falling back to an auto-generated, persisted db/vault.key in development.
@CPrutean
feat(db): add vault_entry table for stored secrets
57a7ffe
@CPrutean
feat(db): add can_access_vault column to user
9bd520a
@CPrutean
feat(auth): expose canAccessVault on the session user
b21d2a4
@CPrutean
feat(db): generate migration for vault_entry and can_access_vault
12a698c
@CPrutean
feat(vault): add entry validation schemas and canAccessVault on user …
f545050 
…update
@CPrutean
feat(vault): add canUseVault permission helper
488c61e
@CPrutean
feat(api): add vault entry create endpoint
32c6927
@CPrutean
feat(api): add vault entry edit and delete endpoints
0a6c4c0
@CPrutean
feat(api): add on-demand secret reveal endpoint
be29450
@CPrutean
feat(api): persist canAccessVault on user update
be6249f
@CPrutean
feat(vault): add reveal/copy secret field with restricted mode
c2968d7
@CPrutean
feat(vault): add create/edit entry dialog
164cef9
@CPrutean
feat(vault): add manager table with admin actions
e54c946
@CPrutean
feat(vault): build the API key vault page
7227d80
@CPrutean
feat(vault): gate the nav link by vault access
efc5a5e
@CPrutean
feat(vault): pass vault access from layout to sidebar
5965e78
@CPrutean
feat(admin): add vault access toggle to the users table
835f10e
@CPrutean
feat(admin): load canAccessVault for the users table
f484d07
@CPrutean
docs: add VAULT_ENCRYPTION_KEY to env example
1b35fd7
@CPrutean
docs: document API key vault and encryption key setup
272ce67
@CPrutean
docs: note VAULT_ENCRYPTION_KEY as a required production secret
9c3e7b6
@CPrutean
feat(db): add vault_entry_access table for per-person api_key grants
8dc85dd
@CPrutean
feat(vault): add session-authenticated api_key fetch endpoint
01e3da4 
api_key secrets are no longer revealed in-browser. GET /api/vault/[id]/key
returns the decrypted key only to admins or users holding a per-entry grant
(canReadVaultKey). The reveal endpoint now rejects api_key entries.
@CPrutean
feat(api): add per-person vault access grant/revoke endpoint
43449db 
POST/DELETE /api/admin/vault/[id]/access let admins grant or revoke a user's
access to an api_key entry. Only applies to api_key entries.
@CPrutean
feat(vault): endpoint-only api_key UI with per-person access management
1b4dd03 
- Hide api_key secrets in the table; show the fetch endpoint instead
- Add a Manage access dialog to grant/revoke users per api_key entry
- Hide the copy-behavior field for api_key entries in the editor
- Truncate long entry names (click to expand) and wrap long secrets
@CPrutean
docs: document the api_key fetch endpoint and per-person access
7706679
@CPrutean
refactor(vault): remove the copy-behavior (easyCopy) setting
e363aad 
The easy-to-copy vs restricted distinction wasn't needed. Login secrets are
now always revealable and copyable; drop the easy_copy column, its schema,
validation, API handling, the editor field, and the table's Copy column.
@CPrutean
fix(vault): harden secret endpoints against caching and deactivated u…
aae6a84 
…sers

Add Cache-Control: no-store so decrypted secrets aren't written to browser or
shared caches, and reject deactivated accounts (which keep a valid cookie and
aren't covered by the middleware matcher for /api/vault/*).
@CPrutean
feat(vault): extend per-person grants to login entries
d8ae8d6 
Login secrets now require a per-entry grant to reveal, the same model as
api_key entries - the global Vault-access toggle only controls page
visibility. Generalize canReadVaultKey -> canReadVaultEntry, drop the
api_key-only restriction on the access route, and show Manage access on
every row.
@CPrutean CPrutean requested a review from matejstastny June 5, 2026 18:39
@CPrutean CPrutean self-assigned this Jun 5, 2026
@CPrutean CPrutean added the enhancement New feature or request label Jun 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@matejstastny matejstastny Awaiting requested review from matejstastny

At least 1 approving review is required to merge this pull request.

Assignees

@CPrutean CPrutean

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@CPrutean