@agent-native/dispatch 0.8.1 → 0.8.3

package/src/routes/pages/vault.tsx

@@ -4,6 +4,7 @@ import { toast } from "sonner";
 import {
   IconChevronDown,
   IconChevronRight,
+  IconEdit,
   IconEye,
   IconEyeOff,
   IconKey,
@@ -61,6 +62,7 @@ const PROVIDERS = [
   "anthropic",
   "other",
 ];
+const PROVIDER_NONE_VALUE = "__none__";
 
 type VaultAccessMode = "all-apps" | "manual";
 
@@ -177,6 +179,174 @@ function AddSecretDialog() {
   );
 }
 
+function EditSecretDialog({ secret }: { secret: any }) {
+  const [open, setOpen] = useState(false);
+  const [credentialKey, setCredentialKey] = useState(
+    secret.credentialKey || "",
+  );
+  const [name, setName] = useState(secret.name || "");
+  const [value, setValue] = useState(secret.value || "");
+  const [provider, setProvider] = useState(secret.provider || "");
+  const [description, setDescription] = useState(secret.description || "");
+  const [showValue, setShowValue] = useState(false);
+
+  const update = useActionMutation("update-vault-secret", {
+    onSuccess: () => {
+      toast.success("Secret updated");
+      setOpen(false);
+      setShowValue(false);
+    },
+    onError: (err) => toast.error(String(err)),
+  });
+
+  const resetDraft = () => {
+    setCredentialKey(secret.credentialKey || "");
+    setName(secret.name || "");
+    setValue(secret.value || "");
+    setProvider(secret.provider || "");
+    setDescription(secret.description || "");
+    setShowValue(false);
+  };
+
+  return (
+    <Dialog
+      open={open}
+      onOpenChange={(nextOpen) => {
+        if (nextOpen) resetDraft();
+        setOpen(nextOpen);
+      }}
+    >
+      <DialogTrigger asChild>
+        <Button variant="outline" size="sm">
+          <IconEdit size={14} className="mr-1" />
+          Edit secret
+        </Button>
+      </DialogTrigger>
+      <DialogContent>
+        <DialogHeader>
+          <DialogTitle>Edit vault secret</DialogTitle>
+          <DialogDescription>
+            Update the stored key and metadata. Changes sync to the shared
+            credential store.
+          </DialogDescription>
+        </DialogHeader>
+        <form
+          className="space-y-4 py-2"
+          onSubmit={(event) => {
+            event.preventDefault();
+            update.mutate({
+              id: secret.id,
+              credentialKey,
+              name,
+              value,
+              provider: provider || null,
+              description: description || null,
+            });
+          }}
+        >
+          <div className="space-y-2">
+            <Label htmlFor={`vault-secret-name-${secret.id}`}>Name</Label>
+            <Input
+              id={`vault-secret-name-${secret.id}`}
+              value={name}
+              onChange={(e) => setName(e.target.value)}
+            />
+          </div>
+          <div className="space-y-2">
+            <Label htmlFor={`vault-secret-key-${secret.id}`}>
+              Credential key (env var name)
+            </Label>
+            <Input
+              id={`vault-secret-key-${secret.id}`}
+              value={credentialKey}
+              onChange={(e) => setCredentialKey(e.target.value)}
+              className="font-mono text-sm"
+            />
+          </div>
+          <div className="space-y-2">
+            <Label htmlFor={`vault-secret-value-${secret.id}`}>Value</Label>
+            <div className="flex gap-2">
+              <Input
+                id={`vault-secret-value-${secret.id}`}
+                type={showValue ? "text" : "password"}
+                value={value}
+                onChange={(e) => setValue(e.target.value)}
+                className="font-mono text-sm"
+              />
+              <Button
+                type="button"
+                variant="outline"
+                size="icon"
+                onClick={() => setShowValue((current) => !current)}
+                aria-label={
+                  showValue ? "Hide secret value" : "Show secret value"
+                }
+              >
+                {showValue ? <IconEyeOff size={15} /> : <IconEye size={15} />}
+              </Button>
+            </div>
+          </div>
+          <div className="space-y-2">
+            <Label>Provider</Label>
+            <Select
+              value={provider || PROVIDER_NONE_VALUE}
+              onValueChange={(nextProvider) =>
+                setProvider(
+                  nextProvider === PROVIDER_NONE_VALUE ? "" : nextProvider,
+                )
+              }
+            >
+              <SelectTrigger>
+                <SelectValue placeholder="Select a provider..." />
+              </SelectTrigger>
+              <SelectContent>
+                <SelectItem value={PROVIDER_NONE_VALUE}>No provider</SelectItem>
+                {PROVIDERS.map((p) => (
+                  <SelectItem key={p} value={p}>
+                    {p.charAt(0).toUpperCase() + p.slice(1)}
+                  </SelectItem>
+                ))}
+              </SelectContent>
+            </Select>
+          </div>
+          <div className="space-y-2">
+            <Label htmlFor={`vault-secret-description-${secret.id}`}>
+              Description
+            </Label>
+            <Textarea
+              id={`vault-secret-description-${secret.id}`}
+              placeholder="What is this secret used for?"
+              value={description}
+              onChange={(e) => setDescription(e.target.value)}
+              rows={2}
+            />
+          </div>
+          <DialogFooter>
+            <Button
+              type="button"
+              variant="outline"
+              onClick={() => setOpen(false)}
+            >
+              Cancel
+            </Button>
+            <Button
+              type="submit"
+              disabled={
+                !credentialKey.trim() ||
+                !name.trim() ||
+                !value ||
+                update.isPending
+              }
+            >
+              {update.isPending ? "Saving..." : "Save changes"}
+            </Button>
+          </DialogFooter>
+        </form>
+      </DialogContent>
+    </Dialog>
+  );
+}
+
 function GrantDialog({
   secretId,
   secretName,
@@ -429,7 +599,8 @@ function SecretRow({
             )}
           </div>
 
-          <div className="flex justify-end border-t pt-3">
+          <div className="flex justify-end gap-2 border-t pt-3">
+            <EditSecretDialog secret={secret} />
             <AlertDialog>
               <AlertDialogTrigger asChild>
                 <Button

package/src/server/lib/vault-store.spec.ts

@@ -1,10 +1,12 @@
 import { afterEach, describe, expect, it, vi } from "vitest";
 
 const mocks = vi.hoisted(() => ({
+  deleteAppSecret: vi.fn(),
   writeAppSecret: vi.fn(),
 }));
 
 vi.mock("@agent-native/core/secrets", () => ({
+  deleteAppSecret: mocks.deleteAppSecret,
   writeAppSecret: mocks.writeAppSecret,
 }));
 

package/src/server/lib/vault-store.ts

@@ -1,7 +1,11 @@
 import crypto from "node:crypto";
 import { and, desc, eq, isNull, or } from "drizzle-orm";
 import { discoverAgents } from "@agent-native/core/server/agent-discovery";
-import { writeAppSecret, type SecretScope } from "@agent-native/core/secrets";
+import {
+  deleteAppSecret,
+  writeAppSecret,
+  type SecretScope,
+} from "@agent-native/core/secrets";
 import {
   getOrgSetting,
   getUserSetting,
@@ -257,7 +261,9 @@ export async function createSecret(
       summary: `Updated vault secret "${input.name}" (${credentialKey})`,
     });
 
-    return getSecret(existing[0].id, ctx);
+    const updated = await getSecret(existing[0].id, ctx);
+    if (updated) await syncSecretsToCredentialStore([updated], ctx);
+    return updated;
   }
 
   const secretId = id();
@@ -291,21 +297,70 @@ export async function createSecret(
     summary: `Created vault secret "${input.name}" (${credentialKey})`,
   });
 
-  return getSecret(secretId, ctx);
+  const created = await getSecret(secretId, ctx);
+  if (created) await syncSecretsToCredentialStore([created], ctx);
+  return created;
 }
 
 export async function updateSecret(
   secretId: string,
-  value: string,
+  input:
+    | string
+    | {
+        credentialKey?: string;
+        value?: string;
+        name?: string;
+        provider?: string | null;
+        description?: string | null;
+      },
   ctx: VaultCtx = requireVaultCtx(),
 ) {
   const db = getDb();
   const existing = await getSecret(secretId, ctx);
   if (!existing) throw new Error("Secret not found");
+  const patch = typeof input === "string" ? { value: input } : input;
+  const credentialKey =
+    patch.credentialKey !== undefined
+      ? normalizeCredentialKey(patch.credentialKey)
+      : existing.credentialKey;
+  if (!credentialKey) throw new Error("Credential key is required");
+  const name = patch.name !== undefined ? patch.name.trim() : existing.name;
+  if (!name) throw new Error("Secret name is required");
+  const value = patch.value !== undefined ? patch.value : existing.value;
+  if (!value) throw new Error("Secret value is required");
+  const provider =
+    patch.provider !== undefined ? patch.provider || null : existing.provider;
+  const description =
+    patch.description !== undefined
+      ? patch.description || null
+      : existing.description;
+
+  if (credentialKey !== existing.credentialKey) {
+    const conflict = await db
+      .select({ id: schema.vaultSecrets.id })
+      .from(schema.vaultSecrets)
+      .where(
+        and(
+          eq(schema.vaultSecrets.credentialKey, credentialKey),
+          ctxScope(schema.vaultSecrets, ctx),
+        ),
+      )
+      .limit(1);
+    if (conflict[0] && conflict[0].id !== secretId) {
+      throw new Error(`Credential key "${credentialKey}" is already in use`);
+    }
+  }
 
   await db
     .update(schema.vaultSecrets)
-    .set({ value, updatedAt: now() })
+    .set({
+      name,
+      credentialKey,
+      value,
+      provider,
+      description,
+      updatedAt: now(),
+    })
     .where(
       and(
         eq(schema.vaultSecrets.id, secretId),
@@ -313,13 +368,61 @@ export async function updateSecret(
       ),
     );
 
+  const auditMetadata = {
+    name,
+    previousName: name !== existing.name ? existing.name : undefined,
+    credentialKey,
+    previousCredentialKey:
+      credentialKey !== existing.credentialKey
+        ? existing.credentialKey
+        : undefined,
+    provider,
+    previousProvider:
+      provider !== existing.provider ? existing.provider : undefined,
+    description,
+    previousDescription:
+      description !== existing.description ? existing.description : undefined,
+    valueChanged: value !== existing.value ? true : undefined,
+  };
+
   await recordVaultAudit({
     action: "secret.updated",
     secretId,
-    summary: `Updated value for secret "${existing.name}" (${existing.credentialKey})`,
+    summary: `Updated secret "${name}" (${credentialKey})`,
+    metadata: auditMetadata,
   });
 
-  return getSecret(secretId, ctx);
+  await recordAudit({
+    action: "vault.secret.updated",
+    targetType: "vault-secret",
+    targetId: secretId,
+    summary: `Updated vault secret "${name}" (${credentialKey})`,
+    metadata: auditMetadata,
+  });
+
+  const updated = await getSecret(secretId, ctx);
+  if (updated) await syncSecretsToCredentialStore([updated], ctx);
+  if (updated && credentialKey !== existing.credentialKey) {
+    const stillUsesOldKey = await db
+      .select({ id: schema.vaultSecrets.id })
+      .from(schema.vaultSecrets)
+      .where(
+        and(
+          eq(schema.vaultSecrets.credentialKey, existing.credentialKey),
+          ctxScope(schema.vaultSecrets, ctx),
+        ),
+      )
+      .limit(1);
+    if (!stillUsesOldKey[0]) {
+      const target = credentialStoreScopeForVaultCtx(ctx);
+      await deleteAppSecret({
+        key: existing.credentialKey,
+        scope: target.scope,
+        scopeId: target.scopeId,
+      });
+    }
+  }
+  return updated;
 }
 
 export async function deleteSecret(