feat: support arbitrary vault keys for skill API authentication#685
Merged
feat: support arbitrary vault keys for skill API authentication#685
Conversation
github-actions
bot
added
documentation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Add custom vault secret storage and skill-scoped environment injection. - Add list_keys() to VaultProvider trait with Age and Env implementations - Add custom: HashMap<String, Secret> to ResolvedSecrets, populated from ZEPH_SECRET_* vault keys with prefix stripping and normalization - Add requires-secrets field to SKILL.md frontmatter for declaring secret dependencies with comma-separated key names - Gate skill activation on required secrets availability: skills with missing secrets are excluded from the system prompt entirely - Inject active skill's secrets as scoped env vars into ShellExecutor via set_skill_env with RwLock-based interior mutability - Add set_skill_env to ToolExecutor and ErasedToolExecutor traits - Extend vault CLI list output to include custom secret keys
Remove 9 unused imports (HashMap, SkillMeta, SkillRegistry, Mutex) from test functions in context.rs and tool_execution.rs that were caught by CI with --features full and -D warnings.
Refactor test assertions to use assert_custom_secret() helper instead of inline .get().expose() chains that CodeQL flags as cleartext logging. Add lgtm suppression comment for intentional Secret::expose() in subprocess env injection path.
bug-ops
force-pushed
the
feat/682-custom-vault-secrets
branch
from
1482c5b to
f5c5e98
Compare
…dler Populate InstalledSkill.requires_secrets from SKILL.md metadata in list_installed(). Update CLI install output and in-session /skill install to warn about missing secrets. Add unit test for requires_secrets field.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #682
list_keys()toVaultProvidertrait withAgeVaultProviderandEnvVaultProviderimplementationscustom: HashMap<String, Secret>toResolvedSecrets, auto-populated fromZEPH_SECRET_*vault keysrequires-secretsfield to SKILL.md frontmatter for declaring secret dependenciesShellExecutor(set before execution, cleared after)set_skill_env()toToolExecutorandErasedToolExecutortraitsKey design decisions
ZEPH_SECRET_MY-KEY→my_key(lowercase, hyphens to underscores) — consistent between vault resolution and SKILL.md parsingrequires-secretsare silently excluded from the prompt (not just warned), preventing LLM from attempting to use skills without credentialsSecrettype until the moment of env injection (.expose()only atCommand::envs())ShellExecutorusesRwLock<Option<HashMap>>for interior mutability; poisoned lock is logged viatracing::error!Test plan