charles/claude-hooks

Fork

You've already forked claude-hooks

Code Issues 10 Pull requests Projects Releases Packages 1 Wiki Activity Actions

SC-6 Encrypted secrets table, ${SECRET:NAME} substitution, access log, secrets UI #628

New issue

Closed

opened 2026-05-01 10:34:20 +00:00 by claude-desktop · 0 comments

claude-desktop commented

2026-05-01 10:34:20 +00:00

Collaborator

Copy link

User story

As an operator, I want a dedicated encrypted-secrets store where MCP / config artifacts reference values by ${SECRET:NAME} placeholders, so that forge tokens and API keys never sit in plain text inside artifact bodies and every read leaves an audit trail.

Acceptance criteria

Master key + crypto

CLAUDE_HOOKS_SECRET_KEY env var (32 b64 bytes). Service refuses to start if missing or malformed length.
Document in docs/credentials.md and the systemd unit template how to generate (openssl rand -base64 32) and where to paste it.
apps/server/src/infrastructure/secrets.ts exports:
- encrypt(plain: string): { ciphertext: Buffer; iv: Buffer; auth_tag: Buffer } — AES-256-GCM, fresh 12-byte IV per call, 16-byte auth tag.
- decrypt(row, accessor: string, reason: string): Promise<string> — always logs into secret_access_log before returning the plaintext.

`${SECRET:NAME}` substitution

Helper that walks an artifact body / config object, substitutes every ${SECRET:NAME} placeholder with the decrypted value, and reports the access. Used by renderForInstance (SC-2 / SC-5).
A missing-secret reference raises MissingSecretError(name) and never silently produces empty placeholder text.

HTTP routes

GET /secrets — list of names + descriptions + last-rotated. Bodies never returned.
POST /secrets body { name, value, description? } — encrypts + inserts.
PUT /secrets/{name} body { value, description? } — replaces ciphertext, bumps rotated_at.
DELETE /secrets/{name} — hard delete.
GET /secrets/{name}/access-log — paginated audit log for that secret.
POST /secrets/{name}/rotate — re-encrypt under the current master key (bumps rotated_at; useful as a scheduled hygiene move).
All routes operator-auth-gated via the existing guardMutating rail.

Dashboard UI

/settings/secrets (or a tab in the new agent-config page): list, add, rotate, delete, access-log viewer.
Add / edit forms always treat value as write-only — read shows ••••, only POST/PUT carry it.
Reuse <Drawer>, <Button>, <Tabs> primitives per apps/web/CLAUDE.md.

Tests

Round-trip: encrypt(plain) → decrypt(row, accessor, reason) returns plain, logs one access row with the supplied accessor + reason.
Tampering: mutating the ciphertext fails decryption with a clear error (auth-tag mismatch).
Missing secret: render fails with MissingSecretError("FOO") when the placeholder names an unknown secret.
HTTP: GET /secrets returns names only, never bodies. Mutating endpoints require operator session.

Out of scope

Master-key rotation (re-encrypt every row under a new key) — separate ticket.
Hardware-backed key storage (HSM / TPM).
Per-secret access-control beyond the operator role.

References

specs/agent-config-customization.md §Encryption and §Story SC-6
apps/server/src/infrastructure/database/migrations/ — SC-1 lands the secret + secret_access_log tables
docs/credentials.md — current credentials documentation
Depends on SC-1 (tables); SC-2 consumes the substitution helper.

## User story As an operator, I want a dedicated encrypted-secrets store where MCP / config artifacts reference values by `${SECRET:NAME}` placeholders, so that forge tokens and API keys never sit in plain text inside artifact bodies and every read leaves an audit trail. ## Acceptance criteria ### Master key + crypto - [ ] `CLAUDE_HOOKS_SECRET_KEY` env var (32 b64 bytes). Service refuses to start if missing or malformed length. - [ ] Document in `docs/credentials.md` and the systemd unit template how to generate (`openssl rand -base64 32`) and where to paste it. - [ ] `apps/server/src/infrastructure/secrets.ts` exports: - `encrypt(plain: string): { ciphertext: Buffer; iv: Buffer; auth_tag: Buffer }` — AES-256-GCM, fresh 12-byte IV per call, 16-byte auth tag. - `decrypt(row, accessor: string, reason: string): Promise<string>` — always logs into `secret_access_log` before returning the plaintext. ### `${SECRET:NAME}` substitution - [ ] Helper that walks an artifact body / config object, substitutes every `${SECRET:NAME}` placeholder with the decrypted value, and reports the access. Used by `renderForInstance` (SC-2 / SC-5). - [ ] A missing-secret reference raises `MissingSecretError(name)` and never silently produces empty placeholder text. ### HTTP routes - [ ] `GET /secrets` — list of names + descriptions + last-rotated. **Bodies never returned.** - [ ] `POST /secrets` body `{ name, value, description? }` — encrypts + inserts. - [ ] `PUT /secrets/{name}` body `{ value, description? }` — replaces ciphertext, bumps `rotated_at`. - [ ] `DELETE /secrets/{name}` — hard delete. - [ ] `GET /secrets/{name}/access-log` — paginated audit log for that secret. - [ ] `POST /secrets/{name}/rotate` — re-encrypt under the current master key (bumps `rotated_at`; useful as a scheduled hygiene move). - [ ] All routes operator-auth-gated via the existing `guardMutating` rail. ### Dashboard UI - [ ] `/settings/secrets` (or a tab in the new agent-config page): list, add, rotate, delete, access-log viewer. - [ ] Add / edit forms always treat `value` as write-only — read shows `••••`, only POST/PUT carry it. - [ ] Reuse `<Drawer>`, `<Button>`, `<Tabs>` primitives per `apps/web/CLAUDE.md`. ### Tests - [ ] Round-trip: `encrypt(plain)` → `decrypt(row, accessor, reason)` returns `plain`, logs one access row with the supplied accessor + reason. - [ ] Tampering: mutating the ciphertext fails decryption with a clear error (auth-tag mismatch). - [ ] Missing secret: render fails with `MissingSecretError("FOO")` when the placeholder names an unknown secret. - [ ] HTTP: `GET /secrets` returns names only, never bodies. Mutating endpoints require operator session. ## Out of scope - Master-key rotation (re-encrypt every row under a new key) — separate ticket. - Hardware-backed key storage (HSM / TPM). - Per-secret access-control beyond the operator role. ## References - `specs/agent-config-customization.md` §Encryption and §Story SC-6 - `apps/server/src/infrastructure/database/migrations/` — SC-1 lands the `secret` + `secret_access_log` tables - `docs/credentials.md` — current credentials documentation - Depends on **SC-1** (tables); **SC-2** consumes the substitution helper.

claude-desktop added the

area:agents

type:user-story

labels

2026-05-01 10:36:30 +00:00

claude-desktop added this to the Agent config customization milestone

2026-05-01 10:36:39 +00:00

code-lead was assigned by claude-desktop

2026-05-01 10:43:56 +00:00

code-lead referenced this issue from a commit

2026-05-01 11:13:59 +00:00

feat(secrets): SC-6 encrypted secrets table + ${SECRET:NAME} substitution

code-lead referenced this issue from a pull request that will close it,

2026-05-01 11:14:32 +00:00

feat(secrets): SC-6 encrypted secrets + ${SECRET:NAME} substitution #636

code-lead referenced this issue from a commit

2026-05-01 11:34:06 +00:00

feat(secrets): SC-6 encrypted secrets table + ${SECRET:NAME} substitution

code-lead closed this issue

2026-05-01 11:37:11 +00:00

code-lead referenced this issue from a commit

2026-05-01 11:37:11 +00:00

feat(secrets): SC-6 encrypted secrets + ${SECRET:NAME} substitution (#636)

No Branch/Tag specified

main

chore/sync-pre-push-from-forge-base

fix/flows-yaml-dispatch-identity

feat/board-tap-to-assign

dev/1107

code-lead/1106

code-lead/1108

dev/1104

code-lead/1103

code-lead/1080

dev/1087

feat/flows-yaml-ci-events

chore/board-drop-stalled-and-density-controls

fix/flows-yaml-routes-always-register

flows-yaml/api-defaults

dev/1023

fix/event-log-history-bleed

fix/janitor-fix-ci-logs-and-cap

dev/1022

fix/board-card-provider

code-lead/1036

dev/1025

code-lead/1020

dev/1017

code-lead/1026

feat/web-shortcut-registry-1018

dev/1015

code-lead/1009

code-lead/1008

dev/975

dev/969

dev/973

dev/967

code-lead/968

code-lead/953

dev/970

dev/976

code-lead/966

code-lead/956

code-lead/951

dev/962

dev/963

dev/977

dev/955

dev/983

dev/961

dev/974

code-lead/950

code-lead/939

dev/941

dev/940

dev/937

dev/938

dev/936

dev/935

feat/web-i18n-fr-locale

feat/spec-editor-ui-polish

chore/drop-legacy-compat

fix/skills-drop-preview-pane

fix/882-skills-safety-rail

dev/911

dev/909

dev/923

dev/917

dev/915

feat/879-sr11-m2-drop-legacy-skill

code-lead/873

dev/881

code-lead/869

dev/867

code-lead/845

code-lead/843

code-lead/844

dev/837

dev/861

dev/849

code-lead/837

code-lead/842

fix/dedup-rebase-inflight

dev/838

code-lead/847

dev/833

code-lead/848

pr/838

code-lead/841

feat/settings-save-bar/836

code-lead/840

dev/846

code-lead/839

dev/832

fix/board-sse-stale-cache

dev/834

dev/835

feat/settings-breadcrumbs

feat/forge-oauth-credentials

refactor/service-config-consolidation

feat/agent-tokens-to-secrets

feat/gitlab-oauth-to-db

feat/authelia-rip-and-voice-fixes

fix/rebase-storm-and-dead-letter

code-lead/797

code-lead/796

dev/811

code-lead/798

dev/810

code-lead/795

dev/808

code-lead/794

dev/805

dev/802

dev/803

feat/avatar-menu-settings-entry

feat/per-agent-token-tracking

dev/793

dev/747

dev/752

code-lead/790

code-lead/759

dev/756

dev/760

dev/741

dev/767

dev/740

dev/709

dev/644

dev/637

boss/614

dev/600

dev/611

dev/585

fix/login-bonus-fixes

boss/544

dev/542

refactor/api-prefix-and-session-gate

dev/489

boss/531

boss/518

dev/499

boss/516

dev/530

dev/517

dev/519

dev/515

dev/522

dev/503

dev/471

boss/329

dev/417

dev/418

dev/402

boss/327

dev/334

dev/332

boss/326

boss/325

dev/331

boss/324

boss/323

boss/322

dev/294

test/s11-task-analytics

dev/262

boss/270

dev/268

foreman/ui-consolidation-spec

dev/234

boss/196

boss/176

boss/164

fix/124-session-persist-bind

boss/52

dev/87

boss/73

dev/77

dev/81

dev/82

boss/79

dev/42

dev/35

boss/7

No results found.

Labels

Clear labels

area:agents

Agent types, pool scheduling, per-instance config

area:dashboard

Dashboard UI and observability surfaces

area:database

DB layer — schema, migrations, ORM, raw SQL

area:design

UI/UX mockup work — routes to designer agent

area:design-review

Design review dispatch — routes to design-reviewer agent

area:flows

Flow runner — YAML loader, executor, op registry, expression eval

area:infra

Deployment, isolation, containers, systemd units

area:meta

Tracking, scaffolding, project setup

area:security

Security — routes to reviewer-security (opus)

area:sessions

Session-id store, Claude SDK resume logic

area:webhook

Forgejo webhook routing and handlers

area:workdir

Clone cache, worktrees, git identity

security

Security-sensitive issue

Tracking or decisions, not implementation work

No labels

Milestone

Clear milestone

No items

No milestone

Agent config customization

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

code-lead

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

charles/claude-hooks#628

Reference in a new issue

Repository

charles/claude-hooks

Title

Body

No description provided.

Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?

Rows
Columns