feat: bidirectional DB ↔ .env secrets sync + per-function env injection #55
Merged
…tion

- Add platform_secret_values table (pgpm migration: deploy/revert/verify)
  Columns: id, secret_name, configured_value, database_id, created_at, updated_at
  Unique constraint on (secret_name, database_id)
- Backend API (www/server/index.ts):
  GET /api/secret-values — read configured values from DB
  POST /api/secret-values — write configured values to DB
  POST /api/secrets/sync-from-db — DB values -> .env
  POST /api/secrets/sync-to-db — .env values -> DB
  POST /api/env now also syncs to DB on save (best-effort)
- Frontend (SecretsPanel.tsx):
  Add 'Sync from DB' and 'Sync to DB' buttons
  DB status indicator in header
- Refactor scripts/dev-compute.ts:
  Secrets pipeline: .env > DB > hardcoded defaults
  Per-function env injection (only needed secrets/configs)
  Fail fast on missing required secrets, warn on optional
- Add make secrets:sync (bidirectional sync script)
- Add scripts/secrets-sync.sh for CLI-based sync
Summary

Adds bidirectional sync between .env and a new platform_secret_values DB table, plus refactors dev-compute.ts to inject only the required env vars per function.

DB Schema (pgpm migration)

New table constructive_infra_public.platform_secret_values:

Full deploy/revert/verify files following existing platform_secret_definitions patterns.

Backend API (www/server/index.ts)

New endpoints:

- GET /api/secret-values — read configured values from DB
- POST /api/secret-values — upsert configured values to DB
- POST /api/secrets/sync-from-db — DB → .env (merges DB values into existing .env)
- POST /api/secrets/sync-to-db — .env → DB (upserts all .env vars into platform_secret_values)

POST /api/env (existing Save) now also best-effort syncs to DB after writing .env.

Frontend (SecretsPanel.tsx)

Two new buttons: Sync from DB and Sync to DB in the secrets editor header, alongside the existing Save button. DB status indicator added.

Secrets Loading Pipeline (scripts/dev-compute.ts)

Refactored startup:

- loadDbSecretValues(dbName) queries platform_secret_values for configured values
- loadFunctionRequirements(dbName) now returns { name, required } per requirement
- buildFunctionEnv(fnName) injects systemEnv + only needed secrets/configs (not the whole env)
- validateRequirements() fails fast on missing required=true, warns on optional

CLI

- make secrets:sync — runs scripts/secrets-sync.sh for bidirectional .env ↔ DB sync
- scripts/secrets-sync.sh — bash script: reads .env → upserts to DB, then reads DB → merges new values into .env

Link to Devin session: https://app.devin.ai/sessions/ad8f831705e84add8d25804094ae6d79
Requested by: @pyramation
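
The loading pipeline described above (.env > DB > hardcoded defaults, per-function injection, fail fast on required, warn on optional), as an added sketch that is not the code from this pull request. The names resolveValue and buildEnvFor, the treatment of empty strings as unset, and all sample values are assumptions made for the illustration.

```typescript
// Added sketch; every name here is hypothetical, not the project's dev-compute.ts.
type Requirement = { name: string; required: boolean };
type Values = Record<string, string>;

// Precedence from the PR description: .env > DB > hardcoded defaults.
// Empty strings count as "not configured" (an assumption of this sketch).
function resolveValue(name: string, dotenv: Values, db: Values, defaults: Values): string | undefined {
  for (const source of [dotenv, db, defaults]) {
    const v = source[name];
    if (v !== undefined && v !== "") return v;
  }
  return undefined;
}

// Build the env for one function: system vars plus only the names it declares,
// so a secret another function needs never reaches this process.
function buildEnvFor(
  fnName: string, requirements: Requirement[], systemEnv: Values,
  dotenv: Values, db: Values, defaults: Values,
): { env: Values; warnings: string[] } {
  const env: Values = { ...systemEnv };
  const warnings: string[] = [];
  const missing: string[] = [];
  for (const req of requirements) {
    const value = resolveValue(req.name, dotenv, db, defaults);
    if (value !== undefined) env[req.name] = value;
    else if (req.required) missing.push(req.name);
    else warnings.push(`${fnName}: optional ${req.name} is not set`);
  }
  // Fail fast, reporting names only so no secret value lands in logs.
  if (missing.length > 0) {
    throw new Error(`${fnName}: missing required secrets: ${missing.join(", ")}`);
  }
  return { env, warnings };
}

// Constructed sample data.
const sampleDotenv: Values = { SMTP_PASSWORD: "from-dotenv" };
const sampleDb: Values = { SMTP_PASSWORD: "from-db", STRIPE_KEY: "from-db", UNRELATED: "x" };
const sampleDefaults: Values = { SMTP_HOST: "localhost" };
const mailerReqs: Requirement[] = [
  { name: "SMTP_PASSWORD", required: true },
  { name: "SMTP_HOST", required: true },
  { name: "SMTP_REPLY_TO", required: false },
];
const mailer = buildEnvFor("send-email", mailerReqs, { PATH: "/usr/bin" }, sampleDotenv, sampleDb, sampleDefaults);
```

Here the function receives SMTP_PASSWORD from .env even though the DB holds a different value, and STRIPE_KEY stays out of its environment because it was never declared as a requirement.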