@checkstack/integration-backend 0.2.0 → 0.3.1

package/CHANGELOG.md

@@ -1,5 +1,119 @@
 # @checkstack/integration-backend
 
+## 0.3.1
+
+### Patch Changes
+
+- Updated dependencies [a57f7db]
+  - @checkstack/backend-api@0.20.0
+  - @checkstack/secrets-backend@0.1.1
+  - @checkstack/command-backend@0.1.33
+  - @checkstack/queue-api@0.3.8
+
+## 0.3.0
+
+### Minor Changes
+
+- 270ef29: Fix suspend/resume durability + complete the run-wide secret-masking guarantee.
+
+  A panel review confirmed several defects in the automation dispatch engine's suspend/resume durability and in the run-wide masking choke point. These survived because the unit suite stubbed the seam under test; the fixes ship with tests that exercise the real suspend / sweep / resume paths.
+
+  Suspend/resume durability:
+
+  - **Stalled sweeper no longer re-runs intentional waits.** `findStalledRunIds` now joins `automation_runs` and returns only `status = 'running'` runs, and suspend-finalisation no longer clobbers the run's `lastActionPath` checkpoint to `null`. Previously any wait longer than the stale window (>60s) was re-walked from the top every sweep cycle, re-firing pre-wait side effects and leaking wait locks. The wait-aware sweeps now also run before the stalled-run sweep.
+  - **Stalled recovery refuses a run holding a live wait lock.** `recoverStalledRun` now only recovers a genuinely-`running` run with no wait lock; a crash-mid-wait recovery is left to the wait/resume paths instead of re-walking from the top and creating a duplicate lock + duplicate delay job.
+  - **Cancelled runs can no longer resurrect.** `resumeRun` guards on `status === 'waiting'` (mirroring `checkWaitUntil`) and drops any stale lock for a non-waiting run, so `wakeWaitingRuns` / delay-expiry / a racing queue job can't wake a cancelled or terminal run. `cancelActiveRuns` (restart mode) now deletes the cancelled runs' wait locks + run-state in the same operation.
+  - **Concurrency check-then-create is serialized.** The `mode` check + `createRun` now run under a transaction-scoped advisory lock keyed on `(automationId, scope)`, so two concurrent fires can't both pass a `single`-mode "no active run" check and double-run.
+
+  Masking guarantee (now genuinely covers scope + artifacts):
+
+  - **The run-wide masking choke point now also masks the durable scope snapshot and produced artifacts.** The `RunSecretRegistry` is threaded into `RunStateStore.upsert` (masks `scopeSnapshot`) and `ArtifactStore.record` (masks `data`) so a resolved connection credential threaded into `scope.variables` or surfaced into an artifact is redacted before persist - and therefore cannot reach a read-only user via `getRunScopeForReplay`. **GUARANTEE CHANGE**: run-wide masking now covers step output, run error, scope snapshot, and artifact data for every action.
+  - **`testConnection` / `testProviderConnection` mask provider errors.** These RPCs run outside a dispatch run, so they build a per-call mask set from the resolved/submitted connection config and run any provider error through it before returning, so a provider error echoing a token can't cross back to the browser.
+  - **Short secrets surface a warning.** `setSecret` now warns when a value is shorter than `MIN_MASKABLE_LENGTH` (4) that it cannot be auto-redacted (the threshold is intentionally not lowered).
+
+  Internal:
+
+  - `@checkstack/backend-api`: `withXactLock`'s `fn` now receives the transaction handle `tx` so a critical section can run on the locked connection; the doc clarifies why running on the pool inside the lock window is still safe. The incident dedup caller's comment is corrected accordingly. `RunStore` gains `findWaitLocksByRun`.
+
+- 270ef29: Secrets platform Phase 5b: route integration connection credentials through the ONE secrets channel.
+
+  Connection credentials now resolve through the same secrets channel as
+  everything else, so a credential can originate from Vault and there is no
+  parallel credential-resolution code to drift. Two entry forms, both walked
+  by the shared `walkSecretFields` machinery (acting only on the provider
+  `connectionSchema`'s `x-secret` fields):
+
+  - Reference form: a `${{ secrets.NAME }}` template resolves through the
+    ACTIVE backend (local or Vault) via `secretResolverRef`.
+  - Inline form: an operator-typed value is extracted into an internal
+    secret on the local backend; the stored config keeps only a reference
+    marker, resolved via `internalSecretsRef`.
+
+  The `ConnectionStore` public API is unchanged: `listConnections` /
+  `getConnection` stay redacted; `getConnectionWithCredentials` inflates via
+  the unified channel. A one-time, idempotent, parity-verified, REVERSIBLE
+  migration (backup ConfigService entry per connection; rewrites only after
+  the platform copy reads back identically) moves existing inline
+  credentials onto the platform without breaking live connections.
+
+  `secrets-backend` exports `walkSecretFields` (the shared schema-walk behind
+  `resolveSecretsBySchema`, reused for the migration extract + inflate).
+
+  BREAKING CHANGES: a connection's stored credential fields may now hold a
+  `${{ secrets.NAME }}` reference or an internal-reference marker instead of
+  an inline value. Resolution is transparent (`getConnectionWithCredentials`
+  returns the same plaintext); a legacy inline value still resolves until the
+  one-time migration converts it.
+
+### Patch Changes
+
+- 270ef29: Secrets platform Phase 5: internal-secret consolidation (registry token) + connection-credential leak hardening.
+
+  - New `internalSecretsRef`: platform-internal secrets (not user-managed
+    named secrets) stored under a reserved `__internal__:` prefix, ALWAYS on
+    the local (always-writable, AES-GCM) backend so internal writes never
+    break when Vault is the active backend. Excluded from the user-facing
+    Secrets list.
+  - The script-package registry auth token is consolidated onto
+    `internalSecretsRef`. The `authSecretRef` column now holds a stable
+    marker; a one-time, idempotent, parity-verified migration moves legacy
+    inline ciphertext into the platform and only rewrites the column once the
+    platform copy reads back identically (legacy value never dropped early).
+    Resolution stays backward-compatible with legacy ciphertext.
+  - Integration: `createConnection` / `updateConnection` now return the
+    redacted connection preview instead of echoing the submitted credential
+    fields back in the response (leak hardening). Non-breaking — the frontend
+    refetches the redacted list and ignores the returned preview.
+
+  NOTE: integration connection-credential STORAGE is intentionally NOT
+  migrated onto the secrets platform. Connection creds are co-mingled
+  secret/non-secret config stored per-provider via `ConfigService` (which
+  already uses the same AES-GCM crypto + per-field redaction); splitting them
+  out would require per-provider schema-walking and a lossy migration across
+  live integrations for no real gain. The `ConnectionStore` API + storage are
+  unchanged.
+
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [b995afb]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [b995afb]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [270ef29]
+- Updated dependencies [b995afb]
+  - @checkstack/backend-api@0.19.0
+  - @checkstack/secrets-backend@0.1.0
+  - @checkstack/secrets-common@0.1.0
+  - @checkstack/command-backend@0.1.32
+  - @checkstack/queue-api@0.3.7
+
 ## 0.2.0
 
 ### Minor Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/integration-backend",
-  "version": "0.2.0",
+  "version": "0.3.1",
   "license": "Elastic-2.0",
   "type": "module",
   "main": "src/index.ts",
@@ -15,21 +15,23 @@
     "test": "bun test"
   },
   "dependencies": {
-    "@checkstack/integration-common": "0.5.0",
-    "@checkstack/backend-api": "0.17.1",
-    "@checkstack/signal-common": "0.2.4",
-    "@checkstack/queue-api": "0.3.5",
-    "@checkstack/common": "0.11.0",
-    "@checkstack/command-backend": "0.1.30",
+    "@checkstack/integration-common": "0.6.0",
+    "@checkstack/backend-api": "0.18.0",
+    "@checkstack/signal-common": "0.2.5",
+    "@checkstack/queue-api": "0.3.6",
+    "@checkstack/common": "0.12.0",
+    "@checkstack/command-backend": "0.1.31",
+    "@checkstack/secrets-common": "0.0.1",
+    "@checkstack/secrets-backend": "0.0.1",
     "drizzle-orm": "^0.45.0",
     "zod": "^4.2.1",
     "@orpc/server": "^1.13.2"
   },
   "devDependencies": {
     "@checkstack/drizzle-helper": "0.0.5",
-    "@checkstack/scripts": "0.3.3",
+    "@checkstack/scripts": "0.3.4",
     "@checkstack/tsconfig": "0.0.7",
-    "@checkstack/test-utils-backend": "0.1.30",
+    "@checkstack/test-utils-backend": "0.1.31",
     "@types/node": "^20.0.0",
     "drizzle-kit": "^0.31.10",
     "typescript": "^5.0.0"

package/src/connection-credentials-migration.test.ts

@@ -0,0 +1,171 @@
+import { describe, it, expect } from "bun:test";
+import { z } from "zod";
+import { configString } from "@checkstack/backend-api";
+import { createMockLogger } from "@checkstack/test-utils-backend";
+import type {
+  Logger,
+  ConfigService,
+} from "@checkstack/backend-api";
+import type {
+  SecretResolverService,
+  InternalSecretsService,
+} from "@checkstack/secrets-backend";
+import {
+  migrateConnectionCredentials,
+  type ConnectionForMigration,
+} from "./connection-credentials-migration";
+import { inflateConnectionCredentials } from "./connection-credentials";
+
+const schema = z.object({
+  baseUrl: z.string(),
+  apiToken: configString({ "x-secret": true }),
+});
+
+function fakeInternal(): InternalSecretsService & { store: Map<string, string> } {
+  const store = new Map<string, string>();
+  const key = (parts: string[]) => parts.join("|");
+  return {
+    store,
+    set: async ({ parts, value }) => {
+      store.set(key(parts), value);
+    },
+    get: async ({ parts }) => store.get(key(parts)),
+    delete: async ({ parts }) => {
+      store.delete(key(parts));
+    },
+  };
+}
+
+const noopResolver: SecretResolverService = {
+  resolveSecret: async () => "",
+  resolveBySchema: async ({ value }) => ({ resolved: value, warnings: [] }),
+  resolveForRun: async () => ({
+    env: {},
+    masking: { size: 0, maskText: (t) => t, maskDeep: (v) => v },
+  }),
+};
+
+/** Minimal in-memory ConfigService for the backup entries. */
+function fakeConfigService(): ConfigService {
+  const store = new Map<string, unknown>();
+  return {
+    get: async (id) => store.get(id) as never,
+    getRedacted: async (id) => store.get(id) as never,
+    set: async (id, _s, _v, data) => {
+      store.set(id, data);
+    },
+    delete: async (id) => {
+      store.delete(id);
+    },
+    list: async () => [...store.keys()],
+  };
+}
+
+const PROVIDER = "integration-jira.jira";
+
+describe("migrateConnectionCredentials", () => {
+  it("migrates an inline credential, backs it up, and is parity-verified + reversible", async () => {
+    const internal = fakeInternal();
+    const configService = fakeConfigService();
+    const persisted = new Map<string, Record<string, unknown>>();
+
+    const conn: ConnectionForMigration = {
+      providerId: PROVIDER,
+      connectionId: "c1",
+      schema,
+      schemaVersion: 1,
+      config: { baseUrl: "https://x", apiToken: "inline-secret-1" },
+    };
+
+    const result = await migrateConnectionCredentials({
+      configService,
+      internalSecrets: internal,
+      secretResolver: noopResolver,
+      logger: createMockLogger() as Logger,
+      loadConnections: async () => [conn],
+      persistConfig: async ({ connectionId, config }) => {
+        persisted.set(connectionId, config);
+      },
+    });
+
+    expect(result).toEqual({ total: 1, migrated: 1, skipped: 0, failed: 0 });
+
+    // Stored config is reference-ized (no plaintext).
+    const stored = persisted.get("c1")!;
+    expect(JSON.stringify(stored)).not.toContain("inline-secret-1");
+
+    // Reversible: a backup of the original raw config exists.
+    const backup = await configService.get(
+      "integration_connection_credbackup_integration-jira_jira_c1",
+      z.object({ config: z.record(z.string(), z.unknown()) }),
+      1,
+    );
+    expect((backup as { config: Record<string, unknown> }).config.apiToken).toBe(
+      "inline-secret-1",
+    );
+
+    // Parity: inflating the stored form yields the original plaintext.
+    const { config: inflated } = await inflateConnectionCredentials({
+      providerId: PROVIDER,
+      connectionId: "c1",
+      config: stored,
+      schema,
+      deps: { internalSecrets: internal, secretResolver: noopResolver },
+    });
+    expect(inflated).toEqual(conn.config);
+  });
+
+  it("is idempotent: re-running over the already-migrated (marker) config does nothing", async () => {
+    const internal = fakeInternal();
+    const configService = fakeConfigService();
+
+    // First pass.
+    let stored: Record<string, unknown> = {
+      baseUrl: "https://x",
+      apiToken: "inline-secret-2",
+    };
+    const run = (config: Record<string, unknown>) =>
+      migrateConnectionCredentials({
+        configService,
+        internalSecrets: internal,
+        secretResolver: noopResolver,
+        logger: createMockLogger() as Logger,
+        loadConnections: async () => [
+          { providerId: PROVIDER, connectionId: "c2", schema, schemaVersion: 1, config },
+        ],
+        persistConfig: async ({ config: c }) => {
+          stored = c;
+        },
+      });
+
+    const first = await run(stored);
+    expect(first.migrated).toBe(1);
+    const second = await run(stored); // now reference-ized
+    expect(second.migrated).toBe(0);
+    expect(second.skipped).toBe(1);
+  });
+
+  it("skips a connection with no inline secret (already a reference)", async () => {
+    const internal = fakeInternal();
+    const result = await migrateConnectionCredentials({
+      configService: fakeConfigService(),
+      internalSecrets: internal,
+      secretResolver: noopResolver,
+      logger: createMockLogger() as Logger,
+      loadConnections: async () => [
+        {
+          providerId: PROVIDER,
+          connectionId: "c3",
+          schema,
+          schemaVersion: 1,
+          config: { baseUrl: "https://x", apiToken: "${{ secrets.jira }}" },
+        },
+      ],
+      persistConfig: async () => {
+        throw new Error("should not persist a reference-only connection");
+      },
+    });
+    expect(result.skipped).toBe(1);
+    expect(result.migrated).toBe(0);
+  });
+});

package/src/connection-credentials-migration.ts

@@ -0,0 +1,182 @@
+/**
+ * One-time, idempotent, parity-verified, REVERSIBLE migration that moves
+ * inline connection credentials onto the secrets platform.
+ *
+ * For each existing connection of each provider that has a
+ * `connectionSchema`:
+ *   1. Back up the current raw config to a backup ConfigService entry
+ *      (only if no backup exists yet) so the pre-migration value is
+ *      recoverable.
+ *   2. Extract inline `x-secret` values into internal secrets (local
+ *      backend) via `extractInlineCredentials`, producing a config whose
+ *      secret fields are internal-ref markers.
+ *   3. Verify parity: inflate the rewritten config back through the unified
+ *      channel and confirm every secret field resolves to the SAME value as
+ *      the original. Only if parity holds, rewrite the stored config.
+ *
+ * Idempotent: a config already reference-ized (markers / `${{ }}`) extracts
+ * nothing and is left as-is. Guarded across boots by the per-connection
+ * backup entry + the marker form. Never drops a value until the platform
+ * copy reads back identically.
+ */
+import { z } from "zod";
+import type { ConfigService, Logger } from "@checkstack/backend-api";
+import { extractErrorMessage } from "@checkstack/common";
+import type {
+  SecretResolverService,
+  InternalSecretsService,
+} from "@checkstack/secrets-backend";
+import {
+  extractInlineCredentials,
+  inflateConnectionCredentials,
+} from "./connection-credentials";
+
+const BACKUP_VERSION = 1;
+
+/** Backup ConfigService key for a connection's pre-migration raw config. */
+function backupKey(providerId: string, connectionId: string): string {
+  const sanitized = providerId.replaceAll(".", "_");
+  return `integration_connection_credbackup_${sanitized}_${connectionId}`;
+}
+
+const BackupSchema = z.object({
+  config: z.record(z.string(), z.unknown()),
+  migratedAt: z.coerce.date(),
+});
+
+export interface ConnectionForMigration {
+  providerId: string;
+  connectionId: string;
+  /** Provider connection schema (Zod) used to find x-secret fields. */
+  schema: z.ZodTypeAny;
+  /** Provider connectionSchema version (for ConfigService set). */
+  schemaVersion: number;
+  /** Current raw stored config. */
+  config: Record<string, unknown>;
+}
+
+export interface MigrationResult {
+  total: number;
+  migrated: number;
+  skipped: number;
+  failed: number;
+}
+
+/**
+ * Run the credential migration over the given connections.
+ *
+ * `loadConnections` yields every connection (with its provider schema) so
+ * this stays decoupled from the store internals; `persistConfig` writes the
+ * rewritten config back through the store's normal path.
+ */
+export async function migrateConnectionCredentials(params: {
+  configService: ConfigService;
+  internalSecrets: InternalSecretsService;
+  secretResolver: SecretResolverService;
+  logger: Logger;
+  loadConnections: () => Promise<ConnectionForMigration[]>;
+  persistConfig: (input: {
+    providerId: string;
+    connectionId: string;
+    schemaVersion: number;
+    config: Record<string, unknown>;
+  }) => Promise<void>;
+}): Promise<MigrationResult> {
+  const {
+    configService,
+    internalSecrets,
+    secretResolver,
+    logger,
+    loadConnections,
+    persistConfig,
+  } = params;
+
+  const connections = await loadConnections();
+  const result: MigrationResult = {
+    total: connections.length,
+    migrated: 0,
+    skipped: 0,
+    failed: 0,
+  };
+
+  for (const conn of connections) {
+    try {
+      // 1. Back up the original raw config (idempotent — only once).
+      const bKey = backupKey(conn.providerId, conn.connectionId);
+      const existingBackup = await configService.get(
+        bKey,
+        BackupSchema,
+        BACKUP_VERSION,
+      );
+      if (!existingBackup) {
+        await configService.set(bKey, BackupSchema, BACKUP_VERSION, {
+          config: conn.config,
+          migratedAt: new Date(),
+        });
+      }
+
+      // 2. Extract inline secret values into internal secrets.
+      const { config: rewritten, extracted } = await extractInlineCredentials({
+        providerId: conn.providerId,
+        connectionId: conn.connectionId,
+        config: conn.config,
+        schema: conn.schema,
+        internalSecrets,
+      });
+
+      if (extracted === 0) {
+        // Already reference-ized (or no secret fields) — nothing to do.
+        result.skipped++;
+        continue;
+      }
+
+      // 3. Parity check: inflate the rewritten config and confirm the
+      //    secret fields resolve back to the ORIGINAL values before we
+      //    overwrite the stored config (reversible guarantee).
+      const original = await inflateConnectionCredentials({
+        providerId: conn.providerId,
+        connectionId: conn.connectionId,
+        config: conn.config,
+        schema: conn.schema,
+        deps: { secretResolver, internalSecrets },
+      });
+      const roundTripped = await inflateConnectionCredentials({
+        providerId: conn.providerId,
+        connectionId: conn.connectionId,
+        config: rewritten,
+        schema: conn.schema,
+        deps: { secretResolver, internalSecrets },
+      });
+      if (
+        JSON.stringify(original.config) !== JSON.stringify(roundTripped.config)
+      ) {
+        logger.error(
+          `Credential migration parity check FAILED for connection ${conn.connectionId}; leaving it unchanged.`,
+        );
+        result.failed++;
+        continue;
+      }
+
+      // Parity proven — rewrite the stored config to the reference form.
+      await persistConfig({
+        providerId: conn.providerId,
+        connectionId: conn.connectionId,
+        schemaVersion: conn.schemaVersion,
+        config: rewritten,
+      });
+      result.migrated++;
+    } catch (error) {
+      logger.error(
+        `Credential migration failed for connection ${conn.connectionId}: ${extractErrorMessage(error)}`,
+      );
+      result.failed++;
+    }
+  }
+
+  if (result.migrated > 0 || result.failed > 0) {
+    logger.info(
+      `Connection credential migration: ${result.migrated} migrated, ${result.skipped} skipped, ${result.failed} failed (of ${result.total}).`,
+    );
+  }
+  return result;
+}

package/src/connection-credentials.test.ts

@@ -0,0 +1,180 @@
+import { describe, it, expect } from "bun:test";
+import { z } from "zod";
+import { configString } from "@checkstack/backend-api";
+import type {
+  SecretResolverService,
+  InternalSecretsService,
+} from "@checkstack/secrets-backend";
+import {
+  inflateConnectionCredentials,
+  extractInlineCredentials,
+  internalRefMarker,
+  isInternalRefMarker,
+  connectionSecretParts,
+} from "./connection-credentials";
+
+// A Jira-like connection schema: baseUrl (non-secret) + apiToken (x-secret).
+const connectionSchema = z.object({
+  baseUrl: z.string(),
+  email: z.string(),
+  apiToken: configString({ "x-secret": true }),
+});
+
+/** In-memory internal-secrets fake (the local store). */
+function fakeInternal(): InternalSecretsService & { store: Map<string, string> } {
+  const store = new Map<string, string>();
+  const key = (parts: string[]) => parts.join("|");
+  return {
+    store,
+    set: async ({ parts, value }) => {
+      store.set(key(parts), value);
+    },
+    get: async ({ parts }) => store.get(key(parts)),
+    delete: async ({ parts }) => {
+      store.delete(key(parts));
+    },
+  };
+}
+
+/** Resolver fake backed by a name->value map (simulates the active backend). */
+function fakeResolver(values: Record<string, string>): SecretResolverService {
+  const RE = /\$\{\{\s*secrets\.([a-zA-Z0-9_-]+)\s*\}\}/g;
+  return {
+    resolveSecret: async ({ name }) => values[name] ?? "",
+    resolveBySchema: async ({ value }) => ({ resolved: value, warnings: [] }),
+    resolveForRun: async ({ secretEnv }) => {
+      const env: Record<string, string> = {};
+      for (const [k, template] of Object.entries(secretEnv)) {
+        RE.lastIndex = 0;
+        env[k] = template.replaceAll(RE, (_m, n: string) => values[n] ?? "");
+      }
+      return {
+        env,
+        masking: { size: 0, maskText: (t) => t, maskDeep: (v) => v },
+      };
+    },
+  };
+}
+
+const PROVIDER = "integration-jira.jira";
+const CONN = "conn-1";
+
+describe("extractInlineCredentials", () => {
+  it("moves an inline x-secret value into an internal secret + leaves a marker", async () => {
+    const internal = fakeInternal();
+    const { config, extracted } = await extractInlineCredentials({
+      providerId: PROVIDER,
+      connectionId: CONN,
+      config: { baseUrl: "https://x", email: "a@b.c", apiToken: "tok-INLINE" },
+      schema: connectionSchema,
+      internalSecrets: internal,
+    });
+    expect(extracted).toBe(1);
+    expect(config.baseUrl).toBe("https://x"); // non-secret untouched
+    expect(isInternalRefMarker(config.apiToken as string)).toBe(true);
+    expect(config.apiToken).toBe(internalRefMarker("apiToken"));
+    // The value moved to the internal store.
+    expect(
+      internal.store.get(
+        connectionSecretParts({
+          providerId: PROVIDER,
+          connectionId: CONN,
+          fieldPath: "apiToken",
+        }).join("|"),
+      ),
+    ).toBe("tok-INLINE");
+  });
+
+  it("is idempotent: a marker or reference extracts nothing", async () => {
+    const internal = fakeInternal();
+    const { extracted } = await extractInlineCredentials({
+      providerId: PROVIDER,
+      connectionId: CONN,
+      config: {
+        baseUrl: "https://x",
+        email: "a@b.c",
+        apiToken: internalRefMarker("apiToken"),
+      },
+      schema: connectionSchema,
+      internalSecrets: internal,
+    });
+    expect(extracted).toBe(0);
+
+    const ref = await extractInlineCredentials({
+      providerId: PROVIDER,
+      connectionId: CONN,
+      config: { baseUrl: "https://x", email: "a@b.c", apiToken: "${{ secrets.jira }}" },
+      schema: connectionSchema,
+      internalSecrets: internal,
+    });
+    expect(ref.extracted).toBe(0);
+  });
+});
+
+describe("inflateConnectionCredentials", () => {
+  it("inflates an internal-ref marker (inline path) from the local store", async () => {
+    const internal = fakeInternal();
+    await internal.set({
+      parts: connectionSecretParts({ providerId: PROVIDER, connectionId: CONN, fieldPath: "apiToken" }),
+      value: "tok-RESOLVED",
+    });
+    const { config, values } = await inflateConnectionCredentials({
+      providerId: PROVIDER,
+      connectionId: CONN,
+      config: { baseUrl: "https://x", email: "a@b.c", apiToken: internalRefMarker("apiToken") },
+      schema: connectionSchema,
+      deps: { internalSecrets: internal, secretResolver: fakeResolver({}) },
+    });
+    expect(config.apiToken).toBe("tok-RESOLVED");
+    expect(values).toContain("tok-RESOLVED");
+  });
+
+  it("inflates a ${{ secrets.NAME }} reference (reference path) via the active backend", async () => {
+    const internal = fakeInternal();
+    const { config } = await inflateConnectionCredentials({
+      providerId: PROVIDER,
+      connectionId: CONN,
+      config: { baseUrl: "https://x", email: "a@b.c", apiToken: "${{ secrets.jira_token }}" },
+      schema: connectionSchema,
+      deps: {
+        internalSecrets: internal,
+        secretResolver: fakeResolver({ jira_token: "tok-FROM-VAULT" }),
+      },
+    });
+    expect(config.apiToken).toBe("tok-FROM-VAULT");
+  });
+
+  it("round-trips: extract then inflate yields the original plaintext", async () => {
+    const internal = fakeInternal();
+    const original = { baseUrl: "https://x", email: "a@b.c", apiToken: "round-trip-tok" };
+    const { config: stored } = await extractInlineCredentials({
+      providerId: PROVIDER,
+      connectionId: CONN,
+      config: original,
+      schema: connectionSchema,
+      internalSecrets: internal,
+    });
+    // Stored form is reference-ized (no plaintext).
+    expect(JSON.stringify(stored)).not.toContain("round-trip-tok");
+    const { config: inflated } = await inflateConnectionCredentials({
+      providerId: PROVIDER,
+      connectionId: CONN,
+      config: stored,
+      schema: connectionSchema,
+      deps: { internalSecrets: internal, secretResolver: fakeResolver({}) },
+    });
+    expect(inflated).toEqual(original);
+  });
+
+  it("leaves a bare legacy literal unchanged (pre-migration safety)", async () => {
+    const internal = fakeInternal();
+    const { config } = await inflateConnectionCredentials({
+      providerId: PROVIDER,
+      connectionId: CONN,
+      config: { baseUrl: "https://x", email: "a@b.c", apiToken: "legacy-inline" },
+      schema: connectionSchema,
+      deps: { internalSecrets: internal, secretResolver: fakeResolver({}) },
+    });
+    expect(config.apiToken).toBe("legacy-inline");
+  });
+});

package/src/connection-credentials.ts

@@ -0,0 +1,165 @@
+/**
+ * Unified credential resolution for integration connections.
+ *
+ * Connection credential fields (the provider `connectionSchema`'s
+ * `x-secret` fields) resolve through the ONE secrets channel, two entry
+ * forms:
+ *
+ *   1. Reference form: the field holds a `${{ secrets.NAME }}` template.
+ *      It resolves through the ACTIVE backend (local or Vault) via
+ *      `secretResolverRef` — so a credential that "originates from Vault"
+ *      just works.
+ *   2. Inline form: an operator-typed value, extracted into an INTERNAL
+ *      secret on the local backend (Vault is read-through / unwritable) and
+ *      represented in the stored config by an internal-reference marker.
+ *      It resolves via `internalSecretsRef`.
+ *
+ * Both forms are walked with the shared `walkSecretFields` machinery
+ * (acting only on `x-secret` fields) — no per-provider logic is
+ * re-implemented. Non-secret config is never touched.
+ */
+import { z } from "zod";
+import {
+  SECRET_TEMPLATE_REGEX,
+  type SecretEnvMapping,
+} from "@checkstack/secrets-common";
+import {
+  walkSecretFields,
+  type SecretResolverService,
+  type InternalSecretsService,
+} from "@checkstack/secrets-backend";
+
+/**
+ * Marker stored in a connection config field for an extracted INLINE
+ * credential. The actual value lives in an internal secret keyed by
+ * (providerId, connectionId, fieldPath). The marker carries the field path
+ * so the inflate can rebuild the internal-secret key.
+ */
+const INTERNAL_REF_PREFIX = "__connref__:";
+
+export function internalRefMarker(fieldPath: string): string {
+  return `${INTERNAL_REF_PREFIX}${fieldPath}`;
+}
+
+export function isInternalRefMarker(value: string): boolean {
+  return value.startsWith(INTERNAL_REF_PREFIX);
+}
+
+function fieldPathFromMarker(marker: string): string {
+  return marker.slice(INTERNAL_REF_PREFIX.length);
+}
+
+/** Internal-secret name parts for a connection credential field. */
+export function connectionSecretParts(input: {
+  providerId: string;
+  connectionId: string;
+  fieldPath: string;
+}): string[] {
+  return ["connection", input.providerId, input.connectionId, input.fieldPath];
+}
+
+/** Whether a string is a `${{ secrets.NAME }}` reference (whole-value). */
+function isSecretReference(value: string): boolean {
+  SECRET_TEMPLATE_REGEX.lastIndex = 0;
+  return SECRET_TEMPLATE_REGEX.test(value);
+}
+
+export interface ConnectionCredentialDeps {
+  secretResolver: SecretResolverService;
+  internalSecrets: InternalSecretsService;
+}
+
+/**
+ * Inflate a stored connection config to full credentials by resolving its
+ * `x-secret` fields through the unified channel. A reference form resolves
+ * through the active backend; an internal-ref marker resolves the inline
+ * value from the local internal store; a bare literal (legacy, pre-migration)
+ * is returned unchanged.
+ *
+ * Returns the inflated config plus the set of resolved credential VALUES
+ * (for registering with the run-scoped masking context).
+ */
+export async function inflateConnectionCredentials(params: {
+  providerId: string;
+  connectionId: string;
+  config: Record<string, unknown>;
+  schema: z.ZodTypeAny;
+  deps: ConnectionCredentialDeps;
+}): Promise<{ config: Record<string, unknown>; values: string[] }> {
+  const { providerId, connectionId, config, schema, deps } = params;
+  const values: string[] = [];
+
+  const inflated = await walkSecretFields({
+    value: config,
+    schema,
+    visit: async ({ value }) => {
+      let resolved = value;
+      if (isInternalRefMarker(value)) {
+        const fieldPath = fieldPathFromMarker(value);
+        const got = await deps.internalSecrets.get({
+          parts: connectionSecretParts({ providerId, connectionId, fieldPath }),
+        });
+        if (got === undefined) {
+          throw new Error(
+            `Connection ${connectionId}: internal credential for "${fieldPath}" not found.`,
+          );
+        }
+        resolved = got;
+      } else if (isSecretReference(value)) {
+        // `${{ secrets.NAME }}` — resolve via the active backend (Vault/local).
+        const mapping: SecretEnvMapping = { CRED: value };
+        const { env } = await deps.secretResolver.resolveForRun({
+          secretEnv: mapping,
+        });
+        resolved = env.CRED;
+      }
+      // else: bare literal (legacy) — leave as-is.
+      if (resolved.length > 0) values.push(resolved);
+      return resolved;
+    },
+  });
+
+  return { config: inflated as Record<string, unknown>, values };
+}
+
+/**
+ * Extract INLINE `x-secret` values out of a stored connection config into
+ * internal secrets, replacing each with an internal-ref marker. Reference
+ * (`${{ secrets.NAME }}`) values and already-extracted markers are left
+ * untouched. Returns the rewritten config + how many inline values moved.
+ *
+ * Used by the one-time migration. Idempotent: re-running over an
+ * already-migrated config (markers everywhere) extracts nothing.
+ */
+export async function extractInlineCredentials(params: {
+  providerId: string;
+  connectionId: string;
+  config: Record<string, unknown>;
+  schema: z.ZodTypeAny;
+  internalSecrets: InternalSecretsService;
+}): Promise<{ config: Record<string, unknown>; extracted: number }> {
+  const { providerId, connectionId, config, schema, internalSecrets } = params;
+  let extracted = 0;
+
+  const rewritten = await walkSecretFields({
+    value: config,
+    schema,
+    visit: async ({ path, value }) => {
+      // Already a marker or a reference — nothing to extract.
+      if (isInternalRefMarker(value) || isSecretReference(value)) {
+        return value;
+      }
+      // Empty literal — leave as-is (nothing to protect).
+      if (value.length === 0) return value;
+      // Inline literal: move it to an internal secret keyed by field path.
+      await internalSecrets.set({
+        parts: connectionSecretParts({ providerId, connectionId, fieldPath: path }),
+        value,
+      });
+      extracted++;
+      return internalRefMarker(path);
+    },
+  });
+
+  return { config: rewritten as Record<string, unknown>, extracted };
+}

package/src/connection-store.ts

@@ -17,6 +17,15 @@ import type {
   ProviderConnection,
   ProviderConnectionRedacted,
 } from "@checkstack/integration-common";
+import {
+  inflateConnectionCredentials,
+  extractInlineCredentials,
+  type ConnectionCredentialDeps,
+} from "./connection-credentials";
+import {
+  migrateConnectionCredentials,
+  type ConnectionForMigration,
+} from "./connection-credentials-migration";
 
 // Schema for connection metadata (stored separately from config)
 const ConnectionMetadataSchema = z.object({
@@ -105,12 +114,27 @@ interface ConnectionStoreDeps {
   configService: ConfigService;
   providerRegistry: IntegrationProviderRegistry;
   logger: Logger;
+  /**
+   * Unified secret-credential resolution. When provided,
+   * `getConnectionWithCredentials` inflates `x-secret` fields through the
+   * ONE secrets channel: `${{ secrets.NAME }}` references resolve via the
+   * active backend (local or Vault), inline values resolve from the local
+   * internal store. Optional so tests / older boots without the secrets
+   * platform degrade to the legacy inline-config behavior.
+   */
+  credentials?: ConnectionCredentialDeps;
 }
 
+/** The public store plus the internal one-time credential migration. */
+export type ConnectionStoreWithMigration = ConnectionStore & {
+  /** Consolidate legacy inline credentials onto the secrets platform. */
+  runCredentialMigration(): Promise<void>;
+};
+
 export function createConnectionStore(
   deps: ConnectionStoreDeps
-): ConnectionStore {
-  const { configService, providerRegistry, logger } = deps;
+): ConnectionStoreWithMigration {
+  const { configService, providerRegistry, logger, credentials } = deps;
 
   // Cache of connectionId -> providerId for efficient lookups
   const connectionProviderCache = new Map<string, string>();
@@ -242,6 +266,33 @@ export function createConnectionStore(
     );
   }
 
+  /**
+   * Persist a connection config, extracting any INLINE `x-secret` value into
+   * an internal secret first (so the stored config holds references /
+   * markers, never raw inline credentials). `${{ secrets.NAME }}`
+   * references are left as-is (they resolve via the active backend at use
+   * time). Falls back to plain storage when the credentials deps are absent.
+   */
+  async function persistConnectionConfig(
+    providerId: string,
+    connectionId: string,
+    config: Record<string, unknown>
+  ): Promise<void> {
+    const provider = providerRegistry.getProvider(providerId);
+    if (credentials && provider?.connectionSchema) {
+      const { config: rewritten } = await extractInlineCredentials({
+        providerId,
+        connectionId,
+        config,
+        schema: provider.connectionSchema.schema,
+        internalSecrets: credentials.internalSecrets,
+      });
+      await setConnectionConfig(providerId, connectionId, rewritten);
+      return;
+    }
+    await setConnectionConfig(providerId, connectionId, config);
+  }
+
   /**
    * Delete connection config and metadata.
    */
@@ -335,11 +386,29 @@ export function createConnectionStore(
 
       if (!metadata || !config) return;
 
+      // Inflate x-secret fields through the unified secrets channel:
+      // `${{ secrets.NAME }}` references resolve via the active backend
+      // (local or Vault); inline values resolve from the local internal
+      // store. When the credentials deps are absent (legacy / tests), the
+      // raw config is used as-is.
+      const provider = providerRegistry.getProvider(providerId);
+      let resolvedConfig = config;
+      if (credentials && provider?.connectionSchema) {
+        const inflated = await inflateConnectionCredentials({
+          providerId,
+          connectionId,
+          config,
+          schema: provider.connectionSchema.schema,
+          deps: credentials,
+        });
+        resolvedConfig = inflated.config;
+      }
+
       return {
         id: metadata.id,
         providerId: metadata.providerId,
         name: metadata.name,
-        config,
+        config: resolvedConfig,
         createdAt: metadata.createdAt,
         updatedAt: metadata.updatedAt,
       };
@@ -357,9 +426,10 @@ export function createConnectionStore(
         updatedAt: now,
       };
 
-      // Save metadata and config separately
+      // Save metadata and config separately. Inline credentials are
+      // extracted to internal secrets so the stored config holds references.
       await setConnectionMetadata(providerId, id, metadata);
-      await setConnectionConfig(providerId, id, config);
+      await persistConnectionConfig(providerId, id, config);
 
       // Add to index
       const connectionIds = await getConnectionIndex(providerId);
@@ -371,6 +441,9 @@ export function createConnectionStore(
         `Created connection "${name}" (${id}) for provider ${providerId}`
       );
 
+      // Return the caller's config as submitted (so the create call's return
+      // is consistent with what was requested). The stored form is
+      // reference-ized; the router returns the redacted preview separately.
       return { ...metadata, config };
     },
 
@@ -404,7 +477,7 @@ export function createConnectionStore(
         : existingConfig;
 
       await setConnectionMetadata(providerId, connectionId, updatedMetadata);
-      await setConnectionConfig(providerId, connectionId, updatedConfig);
+      await persistConnectionConfig(providerId, connectionId, updatedConfig);
 
       logger.info(
         `Updated connection "${updatedMetadata.name}" (${connectionId})`
@@ -459,5 +532,45 @@ export function createConnectionStore(
 
       return;
     },
+
+    // Not part of the public ConnectionStore interface (so callers are
+    // unchanged) — invoked once from afterPluginsReady to consolidate any
+    // legacy inline credentials onto the secrets platform.
+    async runCredentialMigration() {
+      if (!credentials) return;
+      await migrateConnectionCredentials({
+        configService,
+        internalSecrets: credentials.internalSecrets,
+        secretResolver: credentials.secretResolver,
+        logger,
+        loadConnections: async () => {
+          const out: ConnectionForMigration[] = [];
+          for (const provider of providerRegistry.getProviders()) {
+            if (!provider.connectionSchema) continue;
+            const ids = await getConnectionIndex(provider.qualifiedId);
+            for (const connectionId of ids) {
+              const config = await getConnectionConfigRaw(
+                provider.qualifiedId,
+                connectionId,
+              );
+              if (!config) continue;
+              out.push({
+                providerId: provider.qualifiedId,
+                connectionId,
+                schema: provider.connectionSchema.schema,
+                schemaVersion: provider.connectionSchema.version,
+                config,
+              });
+            }
+          }
+          return out;
+        },
+        persistConfig: async ({ providerId, connectionId, config }) => {
+          // The config is already reference-ized by the migration; store it
+          // verbatim (do not re-extract).
+          await setConnectionConfig(providerId, connectionId, config);
+        },
+      });
+    },
   };
 }

package/src/index.ts

@@ -23,6 +23,10 @@ import {
 } from "./connection-store";
 import { createIntegrationRouter } from "./router";
 import { registerSearchProvider } from "@checkstack/command-backend";
+import {
+  secretResolverRef,
+  internalSecretsRef,
+} from "@checkstack/secrets-backend";
 
 // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 // Service References
@@ -62,6 +66,11 @@ export const integrationProviderExtensionPoint =
 // Plugin Definition
 // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 
+interface EnvStash {
+  /** Set in `init`, used by `afterPluginsReady` for the credential migration. */
+  runCredentialMigration?: () => Promise<void>;
+}
+
 export default createBackendPlugin({
   metadata: pluginMetadata,
 
@@ -85,16 +94,31 @@ export default createBackendPlugin({
         logger: coreServices.logger,
         rpc: coreServices.rpc,
         config: coreServices.config,
+        secretResolver: secretResolverRef,
+        internalSecrets: internalSecretsRef,
       },
-      init: async ({ logger, rpc, config, database }) => {
+      init: async ({
+        logger,
+        rpc,
+        config,
+        database,
+        secretResolver,
+        internalSecrets,
+      }) => {
         logger.debug("🔌 Initializing Integration Backend...");
 
         const connectionStore = createConnectionStore({
           configService: config,
           providerRegistry,
           logger,
+          // Unified credential resolution through the ONE secrets channel.
+          credentials: { secretResolver, internalSecrets },
         });
         env.registerService(connectionStoreRef, connectionStore);
+        // Stash the migration for afterPluginsReady (all providers + their
+        // connectionSchemas are registered only by then).
+        (env as unknown as EnvStash).runCredentialMigration = () =>
+          connectionStore.runCredentialMigration();
 
         const router = createIntegrationRouter({
           db: database,
@@ -123,6 +147,19 @@ export default createBackendPlugin({
           `📡 Integration Backend init complete with ${providerRegistry.getProviders().length} providers`,
         );
       },
+
+      // Consolidate legacy inline connection credentials onto the secrets
+      // platform once every provider (and its connectionSchema) is
+      // registered. Idempotent + parity-verified + reversible (backup).
+      afterPluginsReady: async ({ logger }) => {
+        try {
+          await (env as unknown as EnvStash).runCredentialMigration?.();
+        } catch (error) {
+          logger.error(
+            `Connection credential migration failed: ${String(error)}`,
+          );
+        }
+      },
     });
   },
 });

package/src/router.ts

@@ -7,6 +7,7 @@ import {
   type SafeDatabase,
 } from "@checkstack/backend-api";
 import { extractErrorMessage } from "@checkstack/common";
+import { maskSecrets } from "@checkstack/secrets-common";
 import { integrationContract } from "@checkstack/integration-common";
 
 import type { IntegrationProviderRegistry } from "./provider-registry";
@@ -80,9 +81,17 @@ export function createIntegrationRouter(deps: RouterDeps) {
           const result = await provider.testConnection(config);
           return result;
         } catch (error) {
+          // Mask any credential the submitted config carries out of the
+          // provider error before returning (same guard as the saved-
+          // connection testConnection path below).
+          const values: string[] = [];
+          collectStringLeaves(config, values);
           return {
             success: false,
-            message: extractErrorMessage(error),
+            message: maskSecrets({
+              text: extractErrorMessage(error),
+              values,
+            }),
           };
         }
       },
@@ -158,11 +167,15 @@ export function createIntegrationRouter(deps: RouterDeps) {
 
       logger.info(`Created connection "${name}" for provider ${providerId}`);
 
+      // Return the REDACTED preview (secret fields stripped) rather than
+      // echoing the raw submitted config back — credentials must never
+      // cross back to the browser, even on create.
+      const redacted = await connectionStore.getConnection(connection.id);
       return {
         id: connection.id,
         providerId: connection.providerId,
         name: connection.name,
-        configPreview: config,
+        configPreview: redacted?.configPreview ?? {},
         createdAt: connection.createdAt,
         updatedAt: connection.updatedAt,
       };
@@ -177,11 +190,14 @@ export function createIntegrationRouter(deps: RouterDeps) {
           updates,
         });
 
+        // Return the REDACTED preview rather than echoing the submitted
+        // config — credentials must never cross back to the browser.
+        const redacted = await connectionStore.getConnection(connection.id);
         return {
           id: connection.id,
           providerId: connection.providerId,
           name: connection.name,
-          configPreview: (updates.config ?? {}) as Record<string, unknown>,
+          configPreview: redacted?.configPreview ?? {},
           createdAt: connection.createdAt,
           updatedAt: connection.updatedAt,
         };
@@ -231,9 +247,19 @@ export function createIntegrationRouter(deps: RouterDeps) {
         const result = await provider.testConnection(connection.config);
         return result;
       } catch (error) {
+        // The resolved connection config carries live credentials. A
+        // provider error may echo a token (e.g. "401 with Bearer <token>").
+        // There is no run-scoped secret registry on this path, so build a
+        // per-call mask set from the resolved config's string leaves and
+        // run the error through it before returning to the browser.
+        const values: string[] = [];
+        collectStringLeaves(connection.config, values);
         return {
           success: false,
-          message: extractErrorMessage(error),
+          message: maskSecrets({
+            text: extractErrorMessage(error),
+            values,
+          }),
         };
       }
     }),
@@ -298,3 +324,19 @@ export function createIntegrationRouter(deps: RouterDeps) {
 }
 
 export type IntegrationRouter = ReturnType<typeof createIntegrationRouter>;
+
+/**
+ * Collect every string leaf in a JSON-like value into `out`. Used to build
+ * a per-call secret mask set from a resolved/submitted connection config so
+ * a provider error echoing a credential can be redacted before it crosses
+ * back to the browser. Mirrors the dispatch engine's run-secret capture.
+ */
+function collectStringLeaves(value: unknown, out: string[]): void {
+  if (typeof value === "string") {
+    out.push(value);
+  } else if (Array.isArray(value)) {
+    for (const v of value) collectStringLeaves(v, out);
+  } else if (value !== null && typeof value === "object") {
+    for (const v of Object.values(value)) collectStringLeaves(v, out);
+  }
+}

package/src/test-connection-masking.test.ts

@@ -0,0 +1,98 @@
+import { describe, it, expect } from "bun:test";
+import { call } from "@orpc/server";
+import { createMockRpcContext, type SafeDatabase } from "@checkstack/backend-api";
+import { createIntegrationRouter } from "./router";
+import type { IntegrationProviderRegistry } from "./provider-registry";
+import type { ConnectionStore } from "./connection-store";
+import type * as schema from "./schema";
+
+/**
+ * M4 — `testConnection` resolves the connection WITH credentials and runs
+ * the provider's `testConnection`. A provider error that echoes the
+ * credential must be masked before it is returned to the (manage-access)
+ * browser. There is no run-scoped registry on this path, so the router
+ * builds a per-call mask set from the resolved config's string leaves.
+ */
+
+const SECRET = "super-secret-token-abc123";
+
+function fakeProviderRegistry(): IntegrationProviderRegistry {
+  return {
+    register() {},
+    getProviders: () => [],
+    hasProvider: () => true,
+    getProviderConnectionSchema: () => undefined,
+    getProvider: (qualifiedId: string) =>
+      qualifiedId === "demo.provider"
+        ? {
+            id: "provider",
+            qualifiedId: "demo.provider",
+            ownerPluginId: "demo",
+            displayName: "Demo",
+            // Echoes the resolved token in its error — the leak vector.
+            testConnection: async () => {
+              throw new Error(
+                `401 Unauthorized using Bearer ${SECRET} against demo`,
+              );
+            },
+          }
+        : undefined,
+  } as unknown as IntegrationProviderRegistry;
+}
+
+function fakeConnectionStore(): ConnectionStore {
+  return {
+    listConnections: async () => [],
+    getConnection: async () => undefined,
+    getConnectionWithCredentials: async () => ({
+      id: "conn-1",
+      providerId: "demo.provider",
+      name: "Demo connection",
+      // Resolved credentials live here.
+      config: { apiToken: SECRET, baseUrl: "https://demo.example" },
+      createdAt: new Date(),
+      updatedAt: new Date(),
+    }),
+    createConnection: async () => {
+      throw new Error("nope");
+    },
+    updateConnection: async () => {
+      throw new Error("nope");
+    },
+    deleteConnection: async () => false,
+    findConnectionProvider: async () => "demo.provider",
+  } as unknown as ConnectionStore;
+}
+
+function buildRouter() {
+  const noopLogger = {
+    debug: () => {},
+    info: () => {},
+    warn: () => {},
+    error: () => {},
+  } as unknown as Parameters<typeof createIntegrationRouter>[0]["logger"];
+  return createIntegrationRouter({
+    db: {} as unknown as SafeDatabase<typeof schema>,
+    providerRegistry: fakeProviderRegistry(),
+    connectionStore: fakeConnectionStore(),
+    logger: noopLogger,
+  });
+}
+
+describe("M4 — testConnection masks provider errors that echo credentials", () => {
+  it("redacts the resolved token in the returned error message", async () => {
+    const router = buildRouter();
+    const result = await call(
+      router.testConnection,
+      { connectionId: "conn-1" },
+      { context: createMockRpcContext() },
+    );
+
+    expect(result.success).toBe(false);
+    expect(result.message).not.toContain(SECRET);
+    expect(result.message).toContain("****");
+    expect(result.message).toBe(
+      "401 Unauthorized using Bearer **** against demo",
+    );
+  });
+});

package/tsconfig.json

@@ -22,6 +22,12 @@
     {
       "path": "../queue-api"
     },
+    {
+      "path": "../secrets-backend"
+    },
+    {
+      "path": "../secrets-common"
+    },
     {
       "path": "../signal-common"
     },