@kevalyq kevalyq commented Nov 16, 2025

Overview

Implements the foundation for Phase 3: Secret Sharing & Access Control (#182) by adding database schema, models, and relationships for fine-grained permission management.

Changes

Database Schema

  • ✅ New secret_shares table with UUID primary key
  • ✅ XOR constraint: share with user OR role (not both)
  • ✅ Permission levels: read, write, admin (hierarchical)
  • ✅ Optional expiration via expires_at timestamp
  • ✅ Foreign keys with CASCADE DELETE for referential integrity
  • ✅ Indexes on: secret_id, user_id, role_id, expires_at
  • ✅ Unique constraints prevent duplicate shares

Models

  • SecretShare model with UUID, relationships, and scopes

    • secret() - BelongsTo Secret
    • user() - BelongsTo User (nullable, XOR with role)
    • role() - BelongsTo Role (nullable, XOR with user)
    • granter() - BelongsTo User (who granted access)
    • active() - Scope for non-expired shares
    • is_expired - Accessor for expiration logic
  • Secret model extensions

    • shares() - HasMany SecretShare relationship
    • userHasPermission($user, $permission) - Authorization helper with hierarchy

Tests

  • Migration tests (3 tests): Schema validation, indexes, constraints
  • Model tests (10 tests): Relationships, scopes, accessors, expiration logic
  • All 355 tests passing (1116 assertions)

Testing

# Migration tests
ddev exec "vendor/bin/pest tests/Feature/Migrations/CreateSecretSharesTableTest.php"
# ✓ 3/3 passing

# Model tests
ddev exec "vendor/bin/pest tests/Feature/Models/SecretShareTest.php"
# ✓ 10/10 passing

# Full test suite
ddev exec "vendor/bin/pest --no-coverage"
# ✓ 355/355 passing

Next Steps (Separate PRs)

This PR provides the foundation. Follow-up PRs will add:

  1. SecretController - CRUD with permission checks
  2. SecretShareController - Grant/revoke endpoints
  3. Policies - SecretPolicy, SecretSharePolicy
  4. Form Requests - Validation with XOR logic
  5. Integration Tests - End-to-end scenarios

Checklist

  • Conventional commit message
  • CHANGELOG.md updated
  • Tests written and passing (13 new tests)
  • PHPStan passing (level 9)
  • Laravel Pint passing
  • Migration reversible
  • REUSE compliance
  • Domain policy check

Related

- Create secret_shares table with XOR constraint (user_id OR role_id)
- Implement SecretShare model with UUID, relationships, and scopes
- Add Secret.shares() relationship and userHasPermission() method
- Permission hierarchy: admin > write > read
- Optional expiration support via expires_at timestamp
- Add active() scope for filtering non-expired shares
- Migration tests verify schema integrity (3 tests)
- Model tests cover relationships, scopes, expiration (10 tests)
- All 355 tests passing (1116 assertions)

Refs: #182 (Phase 3: Secret Sharing & Access Control)
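
The authorization rule this PR describes (a share targets a user XOR a role, admin > write > read, optional expiry via expires_at), as an added example that is not the PR's own code: a framework-free PHP function over already-loaded share rows. The row array shape, the PERMISSION_RANK constant and the fixture values are assumptions made for the example.

```php
<?php
// Added example, not the PR's code: the permission rule the PR describes as a
// pure function over already-loaded share rows, runnable with plain `php`.
// Assumed: the row shape below and the PERMISSION_RANK constant name.
declare(strict_types=1);
// Hierarchy from the PR: admin > write > read; a higher level satisfies a lower one.
const PERMISSION_RANK = ['read' => 1, 'write' => 2, 'admin' => 3];

/**
 * @param array<int, array<string, ?string>> $shares  loaded secret_shares rows
 * @param string[] $roleIds  ids of the roles the user belongs to
 */
function userHasPermission(array $shares, string $userId, array $roleIds, string $required, DateTimeImmutable $now): bool
{
    if (!isset(PERMISSION_RANK[$required])) {
        throw new InvalidArgumentException("Unknown permission level: {$required}");
    }
    foreach ($shares as $share) {
        // XOR guard: the DB constraint should make this unreachable, but a row naming
        // neither or both grantees is ignored rather than trusted.
        if (($share['user_id'] === null) === ($share['role_id'] === null)) {
            continue;
        }
        $applies = $share['user_id'] !== null
            ? $share['user_id'] === $userId
            : in_array($share['role_id'], $roleIds, true);
        if (!$applies) {
            continue;
        }
        // Same rule as the active() scope: an expiry at or before now grants nothing.
        if ($share['expires_at'] !== null && new DateTimeImmutable($share['expires_at']) <= $now) {
            continue;
        }
        if ((PERMISSION_RANK[$share['permission']] ?? 0) >= PERMISSION_RANK[$required]) {
            return true;
        }
    }
    return false;
}

// Constructed fixture: alice holds a direct read share, her role "ops" holds an
// expired admin share, and a malformed row names both grantees. Only the first
// row may count, so the read check passes and the write check does not.
$now = new DateTimeImmutable('2025-11-16T17:21:00Z');
$shares = [
    ['user_id' => 'alice', 'role_id' => null,  'permission' => 'read',  'expires_at' => null],
    ['user_id' => null,    'role_id' => 'ops', 'permission' => 'admin', 'expires_at' => '2025-11-01T00:00:00Z'],
    ['user_id' => 'alice', 'role_id' => 'ops', 'permission' => 'admin', 'expires_at' => null],
];
var_dump(userHasPermission($shares, 'alice', ['ops'], 'read', $now));
var_dump(userHasPermission($shares, 'alice', ['ops'], 'write', $now));
```

The expired role share is the case worth a dedicated test: without the expiry check it would escalate alice from read to admin on that secret.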
Copilot AI review requested due to automatic review settings November 16, 2025 17:21
@github-actions

💡 Tip: Consider Using Draft PRs

Benefits of opening PRs as drafts initially:

  • 💰 Saves CI runtime and Copilot review credits
  • 🎯 Automatically sets linked issues to "🚧 In Progress" status
  • 🚀 Mark "Ready for review" when done to trigger full CI pipeline

How to convert:

  1. Click "Still in progress? Convert to draft" in the sidebar, OR
  2. Use gh pr ready when ready for review

This is just a friendly reminder - feel free to continue as is! 😊

codecov bot commented Nov 16, 2025

Codecov Report

❌ Patch coverage is 47.50000% with 21 lines in your changes missing coverage. Please review.

Files with missing lines    Patch %   Lines
app/Models/Secret.php       8.69%     21 Missing ⚠️

📢 Thoughts on this report? Let us know!

Copilot AI left a comment

Pull Request Overview

This PR establishes the database foundation for Phase 3: Secret Sharing & Access Control by introducing a secret_shares table, model, and relationships. The implementation enables fine-grained permission management where secrets can be shared with individual users or roles with read/write/admin permissions and optional expiration.

Key Changes:

  • Database schema with XOR constraint ensuring shares target either a user OR a role
  • SecretShare model with UUID keys, temporal filtering, and relationship definitions
  • Secret model extensions adding share relationship and permission checking logic

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Summary per file:

  • database/migrations/2025_11_16_164313_create_secret_shares_table.php: Creates secret_shares table with UUID keys, XOR constraint, permission enum, and comprehensive indexes
  • app/Models/SecretShare.php: Defines SecretShare model with relationships, active scope for non-expired shares, and expiration accessor
  • app/Models/Secret.php: Adds shares() relationship and userHasPermission() method for authorization checks with permission hierarchy
  • tests/Feature/Migrations/CreateSecretSharesTableTest.php: Migration tests validating schema structure, indexes, and unique constraints
  • tests/Feature/Models/SecretShareTest.php: Model tests covering relationships, UUID keys, scopes, and expiration logic
  • CHANGELOG.md: Documents new secret sharing foundation features

- Add missing 'use Illuminate\Support\Facades\DB;' import in migration
- Add explicit type declaration for $query parameter in scopeActive()
- Follows Laravel conventions and codebase patterns

Addresses Copilot review comments
- Fix phpdoc alignment in SecretShare model
- Fix PHPDoc tags in Secret model
- Ensure PSR-12 compliance

Fixes CI/CD pipeline