feat: support arbitrary vault keys for skill API authentication #685

Merged: bug-ops merged 5 commits into main from feat/682-custom-vault-secrets on Feb 20, 2026

bug-ops (Owner) commented Feb 20, 2026

Summary

Closes #682

  • Add list_keys() to VaultProvider trait with AgeVaultProvider and EnvVaultProvider implementations
  • Add custom: HashMap<String, Secret> to ResolvedSecrets, auto-populated from ZEPH_SECRET_* vault keys
  • Add requires-secrets field to SKILL.md frontmatter for declaring secret dependencies
  • Gate skill activation: skills with missing required secrets are excluded from the system prompt
  • Inject active skill's secrets as scoped env vars into ShellExecutor (set before execution, cleared after)
  • Add set_skill_env() to ToolExecutor and ErasedToolExecutor traits

Key design decisions

  • Key normalization: ZEPH_SECRET_MY-KEY → my_key (lowercase, hyphens to underscores) — consistent between vault resolution and SKILL.md parsing
  • Skills with unsatisfied requires-secrets are silently excluded from the prompt (not just warned), preventing LLM from attempting to use skills without credentials
  • Secret values stay wrapped in Secret type until the moment of env injection (.expose() only at Command::envs())
  • ShellExecutor uses RwLock<Option<HashMap>> for interior mutability; poisoned lock is logged via tracing::error!

Test plan

  • 2177 tests pass (13 new tests for this feature)
  • VaultProvider::list_keys() — Age, Env, Mock implementations
  • resolve_secrets() custom key scanning, normalization, bare prefix rejection
  • SkillMeta requires_secrets parsing (single, multiple, trailing comma, underscores)
  • Skill activation gate (full match, partial match, no secrets, empty requirements)
  • ShellExecutor env injection and clearing
  • inject_active_skill_env secret name mapping verification
  • cargo +nightly fmt --check: clean
  • cargo clippy --workspace -- -D warnings: 0 warnings

github-actions bot added the documentation, skills, rust, core, enhancement and size/XL labels Feb 20, 2026

Add custom vault secret storage and skill-scoped environment injection.

- Add list_keys() to VaultProvider trait with Age and Env implementations
- Add custom: HashMap<String, Secret> to ResolvedSecrets, populated from
  ZEPH_SECRET_* vault keys with prefix stripping and normalization
- Add requires-secrets field to SKILL.md frontmatter for declaring secret
  dependencies with comma-separated key names
- Gate skill activation on required secrets availability: skills with
  missing secrets are excluded from the system prompt entirely
- Inject active skill's secrets as scoped env vars into ShellExecutor
  via set_skill_env with RwLock-based interior mutability
- Add set_skill_env to ToolExecutor and ErasedToolExecutor traits
- Extend vault CLI list output to include custom secret keys

Remove 9 unused imports (HashMap, SkillMeta, SkillRegistry, Mutex) from
test functions in context.rs and tool_execution.rs that were caught by
CI with --features full and -D warnings.

Refactor test assertions to use assert_custom_secret() helper instead of
inline .get().expose() chains that CodeQL flags as cleartext logging.

Add lgtm suppression comment for intentional Secret::expose() in
subprocess env injection path.

bug-ops force-pushed the feat/682-custom-vault-secrets branch from 1482c5b to f5c5e98 February 20, 2026 23:29
…dler

Populate InstalledSkill.requires_secrets from SKILL.md metadata in
list_installed(). Update CLI install output and in-session /skill install
to warn about missing secrets. Add unit test for requires_secrets field.

bug-ops merged commit 18707b8 into main Feb 20, 2026
22 checks passed
bug-ops deleted the feat/682-custom-vault-secrets branch February 20, 2026 23:52
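
The key normalization and activation gate described in the PR summary, as an added Rust example that is not the project's own code. `Secret` is a minimal stand-in and the function names are hypothetical; the uppercase env variable name and the rule that only declared secrets reach the subprocess are assumptions.

```rust
use std::collections::HashMap;
use std::fmt;

// Stand-in for the project's Secret type (assumption): Debug never prints the value.
pub struct Secret(String);
impl Secret {
    pub fn expose(&self) -> &str { &self.0 }
}
impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.write_str("Secret(<redacted>)") }
}

const PREFIX: &str = "ZEPH_SECRET_";

/// Lowercase, hyphens to underscores: one rule for vault keys and SKILL.md names.
pub fn normalize(name: &str) -> String {
    name.trim().to_lowercase().replace('-', "_")
}

/// Map a vault key to a custom secret name; None for other keys and the bare prefix.
pub fn custom_name(vault_key: &str) -> Option<String> {
    let rest = vault_key.strip_prefix(PREFIX)?;
    if rest.is_empty() { None } else { Some(normalize(rest)) }
}

/// Build the custom map from (key, value) pairs read out of a vault.
pub fn resolve_custom(vault: &[(&str, &str)]) -> HashMap<String, Secret> {
    vault.iter()
        .filter_map(|(k, v)| custom_name(k).map(|n| (n, Secret(v.to_string()))))
        .collect()
}

/// Parse a comma-separated requires-secrets value, tolerating a trailing comma.
pub fn parse_requires(field: &str) -> Vec<String> {
    field.split(',').map(normalize).filter(|s| !s.is_empty()).collect()
}

/// Env for the active skill; None if any required secret is missing (skill gated out).
/// Assumption: env var name is the uppercased key, and only declared secrets are exposed.
pub fn skill_env(requires: &[String], custom: &HashMap<String, Secret>) -> Option<HashMap<String, String>> {
    requires.iter()
        .map(|name| custom.get(name).map(|s| (name.to_uppercase(), s.expose().to_string())))
        .collect()
}

fn main() {
    // Constructed sample vault contents; the bare prefix entry is rejected.
    let custom = resolve_custom(&[("ZEPH_SECRET_MY-KEY", "constructed-value"), ("ZEPH_SECRET_", "x")]);
    println!("{:?}", skill_env(&parse_requires("my-key,"), &custom).map(|e| e.len()));
}
```

Under this rule `ZEPH_SECRET_MY-KEY` and `ZEPH_SECRET_MY_KEY` normalize to the same name, so an implementation has to decide which value wins; here the later entry silently overwrites the earlier one.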