@agent-native/dispatch 0.8.2 → 0.8.4

package/src/routes/pages/vault.tsx

@@ -4,6 +4,7 @@ import { toast } from "sonner";
 import {
   IconChevronDown,
   IconChevronRight,
+  IconEdit,
   IconEye,
   IconEyeOff,
   IconKey,
@@ -61,6 +62,7 @@ const PROVIDERS = [
   "anthropic",
   "other",
 ];
+const PROVIDER_NONE_VALUE = "__none__";
 
 type VaultAccessMode = "all-apps" | "manual";
 
@@ -177,6 +179,174 @@ function AddSecretDialog() {
   );
 }
 
+function EditSecretDialog({ secret }: { secret: any }) {
+  const [open, setOpen] = useState(false);
+  const [credentialKey, setCredentialKey] = useState(
+    secret.credentialKey || "",
+  );
+  const [name, setName] = useState(secret.name || "");
+  const [value, setValue] = useState(secret.value || "");
+  const [provider, setProvider] = useState(secret.provider || "");
+  const [description, setDescription] = useState(secret.description || "");
+  const [showValue, setShowValue] = useState(false);
+
+  const update = useActionMutation("update-vault-secret", {
+    onSuccess: () => {
+      toast.success("Secret updated");
+      setOpen(false);
+      setShowValue(false);
+    },
+    onError: (err) => toast.error(String(err)),
+  });
+
+  const resetDraft = () => {
+    setCredentialKey(secret.credentialKey || "");
+    setName(secret.name || "");
+    setValue(secret.value || "");
+    setProvider(secret.provider || "");
+    setDescription(secret.description || "");
+    setShowValue(false);
+  };
+
+  return (
+    <Dialog
+      open={open}
+      onOpenChange={(nextOpen) => {
+        if (nextOpen) resetDraft();
+        setOpen(nextOpen);
+      }}
+    >
+      <DialogTrigger asChild>
+        <Button variant="outline" size="sm">
+          <IconEdit size={14} className="mr-1" />
+          Edit secret
+        </Button>
+      </DialogTrigger>
+      <DialogContent>
+        <DialogHeader>
+          <DialogTitle>Edit vault secret</DialogTitle>
+          <DialogDescription>
+            Update the stored key and metadata. Changes sync to the shared
+            credential store.
+          </DialogDescription>
+        </DialogHeader>
+        <form
+          className="space-y-4 py-2"
+          onSubmit={(event) => {
+            event.preventDefault();
+            update.mutate({
+              id: secret.id,
+              credentialKey,
+              name,
+              value,
+              provider: provider || null,
+              description: description || null,
+            });
+          }}
+        >
+          <div className="space-y-2">
+            <Label htmlFor={`vault-secret-name-${secret.id}`}>Name</Label>
+            <Input
+              id={`vault-secret-name-${secret.id}`}
+              value={name}
+              onChange={(e) => setName(e.target.value)}
+            />
+          </div>
+          <div className="space-y-2">
+            <Label htmlFor={`vault-secret-key-${secret.id}`}>
+              Credential key (env var name)
+            </Label>
+            <Input
+              id={`vault-secret-key-${secret.id}`}
+              value={credentialKey}
+              onChange={(e) => setCredentialKey(e.target.value)}
+              className="font-mono text-sm"
+            />
+          </div>
+          <div className="space-y-2">
+            <Label htmlFor={`vault-secret-value-${secret.id}`}>Value</Label>
+            <div className="flex gap-2">
+              <Input
+                id={`vault-secret-value-${secret.id}`}
+                type={showValue ? "text" : "password"}
+                value={value}
+                onChange={(e) => setValue(e.target.value)}
+                className="font-mono text-sm"
+              />
+              <Button
+                type="button"
+                variant="outline"
+                size="icon"
+                onClick={() => setShowValue((current) => !current)}
+                aria-label={
+                  showValue ? "Hide secret value" : "Show secret value"
+                }
+              >
+                {showValue ? <IconEyeOff size={15} /> : <IconEye size={15} />}
+              </Button>
+            </div>
+          </div>
+          <div className="space-y-2">
+            <Label>Provider</Label>
+            <Select
+              value={provider || PROVIDER_NONE_VALUE}
+              onValueChange={(nextProvider) =>
+                setProvider(
+                  nextProvider === PROVIDER_NONE_VALUE ? "" : nextProvider,
+                )
+              }
+            >
+              <SelectTrigger>
+                <SelectValue placeholder="Select a provider..." />
+              </SelectTrigger>
+              <SelectContent>
+                <SelectItem value={PROVIDER_NONE_VALUE}>No provider</SelectItem>
+                {PROVIDERS.map((p) => (
+                  <SelectItem key={p} value={p}>
+                    {p.charAt(0).toUpperCase() + p.slice(1)}
+                  </SelectItem>
+                ))}
+              </SelectContent>
+            </Select>
+          </div>
+          <div className="space-y-2">
+            <Label htmlFor={`vault-secret-description-${secret.id}`}>
+              Description
+            </Label>
+            <Textarea
+              id={`vault-secret-description-${secret.id}`}
+              placeholder="What is this secret used for?"
+              value={description}
+              onChange={(e) => setDescription(e.target.value)}
+              rows={2}
+            />
+          </div>
+          <DialogFooter>
+            <Button
+              type="button"
+              variant="outline"
+              onClick={() => setOpen(false)}
+            >
+              Cancel
+            </Button>
+            <Button
+              type="submit"
+              disabled={
+                !credentialKey.trim() ||
+                !name.trim() ||
+                !value ||
+                update.isPending
+              }
+            >
+              {update.isPending ? "Saving..." : "Save changes"}
+            </Button>
+          </DialogFooter>
+        </form>
+      </DialogContent>
+    </Dialog>
+  );
+}
+
 function GrantDialog({
   secretId,
   secretName,
@@ -429,7 +599,8 @@ function SecretRow({
             )}
           </div>
 
-          <div className="flex justify-end border-t pt-3">
+          <div className="flex justify-end gap-2 border-t pt-3">
+            <EditSecretDialog secret={secret} />
             <AlertDialog>
               <AlertDialogTrigger asChild>
                 <Button

package/src/server/lib/vault-store.spec.ts

@@ -1,14 +1,28 @@
 import { afterEach, describe, expect, it, vi } from "vitest";
 
 const mocks = vi.hoisted(() => ({
+  deleteAppSecret: vi.fn(),
+  getDb: vi.fn(),
+  listAppSecretsForScope: vi.fn(),
   writeAppSecret: vi.fn(),
 }));
 
 vi.mock("@agent-native/core/secrets", () => ({
+  deleteAppSecret: mocks.deleteAppSecret,
+  listAppSecretsForScope: mocks.listAppSecretsForScope,
   writeAppSecret: mocks.writeAppSecret,
 }));
 
+vi.mock("../../db/index.js", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("../../db/index.js")>();
+  return {
+    ...actual,
+    getDb: mocks.getDb,
+  };
+});
+
 import {
+  cleanupSyncedCredentialKeysIfUnused,
   credentialStoreScopeForVaultCtx,
   syncSecretsToCredentialStore,
 } from "./vault-store.js";
@@ -67,3 +81,69 @@ describe("syncSecretsToCredentialStore", () => {
     });
   });
 });
+
+describe("cleanupSyncedCredentialKeysIfUnused", () => {
+  function mockVaultSecretLookup(rows: Array<{ id: string }> = []) {
+    const query = {
+      select: vi.fn(() => query),
+      from: vi.fn(() => query),
+      where: vi.fn(() => query),
+      limit: vi.fn(async () => rows),
+    };
+    mocks.getDb.mockReturnValue(query);
+    return query;
+  }
+
+  it("deletes a candidate synced credential when no vault secret still uses it", async () => {
+    mockVaultSecretLookup([]);
+
+    await cleanupSyncedCredentialKeysIfUnused(
+      { ownerEmail: "admin@example.test", orgId: "org_123" },
+      ["OLD_API_KEY"],
+    );
+
+    expect(mocks.deleteAppSecret).toHaveBeenCalledWith({
+      key: "OLD_API_KEY",
+      scope: "org",
+      scopeId: "org_123",
+    });
+  });
+
+  it("keeps a candidate synced credential when another vault secret still uses it", async () => {
+    mockVaultSecretLookup([{ id: "secret_1" }]);
+
+    await cleanupSyncedCredentialKeysIfUnused(
+      { ownerEmail: "admin@example.test", orgId: "org_123" },
+      ["SHARED_API_KEY"],
+    );
+
+    expect(mocks.deleteAppSecret).not.toHaveBeenCalled();
+  });
+
+  it("can scan synced app secrets to recover stale keys after a retry", async () => {
+    mockVaultSecretLookup([]);
+    mocks.listAppSecretsForScope.mockResolvedValue([
+      {
+        key: "STALE_KEY",
+        description: "Synced from Dispatch vault: Old key",
+      },
+      {
+        key: "HAND_WRITTEN_KEY",
+        description: "Created manually",
+      },
+    ]);
+
+    await cleanupSyncedCredentialKeysIfUnused({
+      ownerEmail: "admin@example.test",
+      orgId: "org_123",
+    });
+
+    expect(mocks.listAppSecretsForScope).toHaveBeenCalledWith("org", "org_123");
+    expect(mocks.deleteAppSecret).toHaveBeenCalledTimes(1);
+    expect(mocks.deleteAppSecret).toHaveBeenCalledWith({
+      key: "STALE_KEY",
+      scope: "org",
+      scopeId: "org_123",
+    });
+  });
+});

package/src/server/lib/vault-store.ts

@@ -1,7 +1,12 @@
 import crypto from "node:crypto";
 import { and, desc, eq, isNull, or } from "drizzle-orm";
 import { discoverAgents } from "@agent-native/core/server/agent-discovery";
-import { writeAppSecret, type SecretScope } from "@agent-native/core/secrets";
+import {
+  deleteAppSecret,
+  listAppSecretsForScope,
+  writeAppSecret,
+  type SecretScope,
+} from "@agent-native/core/secrets";
 import {
   getOrgSetting,
   getUserSetting,
@@ -16,6 +21,7 @@ import {
 } from "./dispatch-store.js";
 
 const VAULT_ACCESS_SETTINGS_KEY = "dispatch-vault-access-settings";
+const VAULT_SYNC_DESCRIPTION_PREFIX = "Synced from Dispatch vault:";
 
 export type VaultAccessMode = "all-apps" | "manual";
 
@@ -300,16 +306,63 @@ export async function createSecret(
 
 export async function updateSecret(
   secretId: string,
-  value: string,
+  input:
+    | string
+    | {
+        credentialKey?: string;
+        value?: string;
+        name?: string;
+        provider?: string | null;
+        description?: string | null;
+      },
   ctx: VaultCtx = requireVaultCtx(),
 ) {
   const db = getDb();
   const existing = await getSecret(secretId, ctx);
   if (!existing) throw new Error("Secret not found");
+  const patch = typeof input === "string" ? { value: input } : input;
+  const credentialKey =
+    patch.credentialKey !== undefined
+      ? normalizeCredentialKey(patch.credentialKey)
+      : existing.credentialKey;
+  if (!credentialKey) throw new Error("Credential key is required");
+  const name = patch.name !== undefined ? patch.name.trim() : existing.name;
+  if (!name) throw new Error("Secret name is required");
+  const value = patch.value !== undefined ? patch.value : existing.value;
+  if (!value) throw new Error("Secret value is required");
+  const provider =
+    patch.provider !== undefined ? patch.provider || null : existing.provider;
+  const description =
+    patch.description !== undefined
+      ? patch.description || null
+      : existing.description;
+
+  if (credentialKey !== existing.credentialKey) {
+    const conflict = await db
+      .select({ id: schema.vaultSecrets.id })
+      .from(schema.vaultSecrets)
+      .where(
+        and(
+          eq(schema.vaultSecrets.credentialKey, credentialKey),
+          ctxScope(schema.vaultSecrets, ctx),
+        ),
+      )
+      .limit(1);
+    if (conflict[0] && conflict[0].id !== secretId) {
+      throw new Error(`Credential key "${credentialKey}" is already in use`);
+    }
+  }
 
   await db
     .update(schema.vaultSecrets)
-    .set({ value, updatedAt: now() })
+    .set({
+      name,
+      credentialKey,
+      value,
+      provider,
+      description,
+      updatedAt: now(),
+    })
     .where(
       and(
         eq(schema.vaultSecrets.id, secretId),
@@ -317,14 +370,45 @@ export async function updateSecret(
       ),
     );
 
+  const auditMetadata = {
+    name,
+    previousName: name !== existing.name ? existing.name : undefined,
+    credentialKey,
+    previousCredentialKey:
+      credentialKey !== existing.credentialKey
+        ? existing.credentialKey
+        : undefined,
+    provider,
+    previousProvider:
+      provider !== existing.provider ? existing.provider : undefined,
+    description,
+    previousDescription:
+      description !== existing.description ? existing.description : undefined,
+    valueChanged: value !== existing.value ? true : undefined,
+  };
+
   await recordVaultAudit({
     action: "secret.updated",
     secretId,
-    summary: `Updated value for secret "${existing.name}" (${existing.credentialKey})`,
+    summary: `Updated secret "${name}" (${credentialKey})`,
+    metadata: auditMetadata,
+  });
+
+  await recordAudit({
+    action: "vault.secret.updated",
+    targetType: "vault-secret",
+    targetId: secretId,
+    summary: `Updated vault secret "${name}" (${credentialKey})`,
+    metadata: auditMetadata,
   });
 
   const updated = await getSecret(secretId, ctx);
   if (updated) await syncSecretsToCredentialStore([updated], ctx);
+  if (updated && credentialKey !== existing.credentialKey) {
+    await cleanupSyncedCredentialKeysIfUnused(ctx, [existing.credentialKey]);
+  } else if (patch.credentialKey !== undefined) {
+    await cleanupSyncedCredentialKeysIfUnused(ctx);
+  }
   return updated;
 }
 
@@ -352,6 +436,7 @@ export async function deleteSecret(
         ctxScope(schema.vaultSecrets, ctx),
       ),
     );
+  await cleanupSyncedCredentialKeysIfUnused(ctx, [existing.credentialKey]);
 
   await recordVaultAudit({
     action: "secret.deleted",
@@ -555,7 +640,7 @@ export async function syncSecretsToCredentialStore(
       value: secret.value,
       scope: target.scope,
       scopeId: target.scopeId,
-      description: `Synced from Dispatch vault: ${secret.name}`,
+      description: `${VAULT_SYNC_DESCRIPTION_PREFIX} ${secret.name}`,
     });
     syncedKeys.push(secret.credentialKey);
   }
@@ -563,6 +648,41 @@ export async function syncSecretsToCredentialStore(
   return { ...target, keys: syncedKeys };
 }
 
+export async function cleanupSyncedCredentialKeysIfUnused(
+  ctx: VaultCtx,
+  candidateKeys?: string[],
+) {
+  const db = getDb();
+  const target = credentialStoreScopeForVaultCtx(ctx);
+  const keys = candidateKeys
+    ? candidateKeys
+    : (await listAppSecretsForScope(target.scope, target.scopeId))
+        .filter((secret) =>
+          secret.description?.startsWith(VAULT_SYNC_DESCRIPTION_PREFIX),
+        )
+        .map((secret) => secret.key);
+
+  for (const key of new Set(keys.filter(Boolean))) {
+    const stillUsesKey = await db
+      .select({ id: schema.vaultSecrets.id })
+      .from(schema.vaultSecrets)
+      .where(
+        and(
+          eq(schema.vaultSecrets.credentialKey, key),
+          ctxScope(schema.vaultSecrets, ctx),
+        ),
+      )
+      .limit(1);
+    if (!stillUsesKey[0]) {
+      await deleteAppSecret({
+        key,
+        scope: target.scope,
+        scopeId: target.scopeId,
+      });
+    }
+  }
+}
+
 // ─── Sync ──────────────────────────────────────────────────────
 
 export async function syncGrantsToApp(