History / Umbrella Secrets Wallet

Revisions

  • Home/Sessions/Releases + Secrets-Wallet umbrella: GUI credential View/Edit recovery (#82)
    Post-merge dashboard refresh for the 2026-06-10 GUI/e2e session:
    - Home: Last-refreshed headline, Recently-closed #82 row, Sessions + Releases previews.
    - Sessions-Log: full session entry (gui#36 credential recovery + gui#35 dev:kind script + e2e#36 fixture dedup; pointers gui 8cacc9e / e2e 4a9ffbc).
    - Releases: noetl/gui v1.11.0 + v1.11.1 timeline rows.
    - Umbrella-Secrets-Wallet: downstream (post-close, client-side) note — the GUI fix adapts clients to Phase 1's forward-only storage; the server's 500 on pre-wallet records is correct behavior.

    @kadyapam kadyapam committed Jun 10, 2026
  • docs(secrets-wallet): umbrella #61 closes — three 6d.X cloud providers landed (server v2.45.0-v2.47.0)
    The Secrets Wallet umbrella noetl/ai-meta#61 is now feature-complete. Three cloud-specific dynamic-secret providers shipped this session:
    - Phase 6d.1 AWS STS AssumeRoleWithWebIdentity (server#137, v2.45.0): exchanges the EKS-projected ServiceAccount JWT for short-lived AWS temp credentials; no SigV4 (STS anonymous action); response parser handles both XML and JSON.
    - Phase 6d.3 Azure AAD client-credentials (server#139, v2.46.0): off-cluster (non-IMDS) AAD client_credentials flow; service-principal triple from env; sovereign-cloud overrides.
    - Phase 6d.2 GCP iamcredentials.generateAccessToken (server#138, v2.47.0): mints short-lived OAuth2 tokens for a target SA via workload-identity impersonation.
    All three return SecretValue.expires_at populated — Phase 6d's cache_decision clamps cache TTL; Phase 7c.3 background refresh re-resolves inside the refresh window. 39 new unit tests across the three providers.
    Rule 0a four-page sweep:
    - Home: Last refreshed bumped + ecosystem-map server cell v2.44.0 → v2.47.0; #61 moved from Active umbrellas to Recently closed; preamble Six → Five.
    - Sessions-Log: prepend new dated entry covering the three rounds + the full feature inventory.
    - Releases: prepend v2.45.0 / v2.46.0 / v2.47.0 rows; Last refreshed bumped.
    - Umbrella-Secrets-Wallet: replace status block with CLOSED state + complete feature inventory; drop the obsolete Remaining work section.
    The umbrella issue gets closed as part of this change set.

    @kadyapam kadyapam committed Jun 7, 2026
  • docs(secrets-wallet): record 7c.3 background-refresh wire-up (server v2.44.0)
    Phase 7c.3 ([server#136](https://github.com/noetl/server/pull/136), closed [server#135](https://github.com/noetl/server/issues/135)) wires the Phase-7c decision primitive + the Phase-7c.2 cache-side companion into the resolver's cache-hit path:
    - New src/services/keychain_refresh.rs RefreshInflight wraps Arc<tokio::sync::Mutex<HashSet<(i64, String)>>> with try_claim + release for stampede collapse.
    - CredentialService cache-hit branch spawns a background tokio task that re-resolves via the Phase-3b SecretProvider + updates the cache via KeychainService::set.
    - Cached value returns to the caller IMMEDIATELY (worker fetches stay on the fast path).
    - Stampede collapse: N workers crossing the refresh threshold for the same (catalog_id, alias) collapse to one provider call; concurrent callers piggy-back via outcome="stampede_collapsed".
    - Refactor: extracted resolve_via_provider from try_resolve_keychain so cache-miss inline + background refresh share identical code.
    - 6 new unit tests; lib 441/0.
    Phase 7c series is now wire-complete (7c + 7c.2 + 7c.3). Platform-side wallet is otherwise complete; only remaining work is the three cloud-specific dynamic-secret providers (6d.1 AWS STS / 6d.2 GCP iamcredentials / 6d.3 Azure AAD).
    Rule 0a sweep: Home (Last refreshed + ecosystem-map server cell v2.43.0 → v2.44.0), Sessions-Log (prepend entry for v2.44.0), Releases (prepend row), Umbrella-Secrets-Wallet (latest landings + trim 7c.3 from remaining-work list).

    @kadyapam kadyapam committed Jun 7, 2026
  • docs(secrets-wallet): record 7a.2/7b.2/7c.2 follow-ups landing v2.42.0+v2.43.0
    Rule 0a four-page sweep for the Secrets Wallet umbrella (noetl/ai-meta#61) capturing this session's three follow-up rounds:
    - Phase 7a.2: KEK rotation endpoint + key-status + DB scans (server#127, v2.42.0)
    - Phase 7b.2: noetl.secret_audit table + DbAuditSink + GET query endpoint (server#129, v2.43.0)
    - Phase 7c.2: KeychainService::should_refresh cache-side primitive (server#131, v2.43.0)
    Three discrete follow-up sub-issues filed for the cloud-specific dynamic-secret providers: 6d.1 AWS STS (server#132), 6d.2 GCP iamcredentials (server#133), 6d.3 Azure AAD (server#134). Phase 7c.3 (resolver-side stampede mutex + background re-resolve) remains queued as the next round on the same branch.
    Home: Last refreshed → 2026-06-07; ecosystem-map server cell v2.41.0 → v2.43.0 with new bullet; Active umbrellas #61 row 'Last update' → 2026-06-07 with new status summary.
    Sessions-Log: prepend entry for 2026-06-07.
    Releases: prepend rows for v2.42.0 (2026-06-06) + v2.43.0 (2026-06-07).
    Umbrella-Secrets-Wallet: replace Status block with latest landings + remaining-work list pointing at server#132/#133/#134 + 7c.3.

    @kadyapam kadyapam committed Jun 7, 2026
  • wiki: Secrets Wallet Phase 7c landed — closes Phase 7 (all named rounds 1–7 done)
    noetl-server v2.41.0 (server#125): token auto-renewal primitives. should_refresh(expires_at, refresh_window, now) decision primitive; KEYCHAIN_CACHE_REFRESH_WINDOW_SECS env; noetl_secret_refresh_total{outcome} counter + noetl_secret_refresh_duration_seconds histogram.
    Pages touched (Rule 0a four-page sweep):
    - Home.md: Last-refreshed flipped to v2.41.0 + 'all named phases 1-7 complete' banner; server ecosystem-map refreshed.
    - Sessions-Log.md: new 2026-06-06 Phase 7c entry prepended with the full Phase 7 architectural shape + the follow-up queue.
    - Releases.md: new v2.41.0 row + Last-refreshed line.
    - Umbrella-Secrets-Wallet.md: Phase 7 status flipped to ✅; Status banner updated to 'All named phases (1-7) complete'; remaining queue (7a.2 / 7b.2 / 7c.2 / 6d.1-3) listed.
    Tracks noetl/ai-meta#61.

    @kadyapam kadyapam committed Jun 6, 2026
  • wiki: Secrets Wallet Phase 7b primitives landed — noetl-server v2.40.0 (server#123)
    AuditEvent struct (NEVER contains secret value); AuditSink trait + NoopAuditSink default; SecretAuditService with record_async + record_strict + record (dispatches by strict-mode); NOETL_SECRET_AUDIT_REQUIRED env; noetl_secret_audit_writes_total counter (failed_strict alert-worthy).
    Pages touched (Rule 0a four-page sweep):
    - Home.md: Last-refreshed flipped to v2.40.0 + server ecosystem-map refreshed.
    - Sessions-Log.md: new 2026-06-06 Phase 7b entry prepended; calls out Phase 7c (token auto-renewal) as next.
    - Releases.md: new v2.40.0 row + Last-refreshed line.
    - Umbrella-Secrets-Wallet.md: Phase 7b primitives cell flipped to ✅ landed; 7b.2 (DbAuditSink + endpoint + handler wire) queued.
    Tracks noetl/ai-meta#61.

    @kadyapam kadyapam committed Jun 6, 2026
  • wiki: Secrets Wallet Phase 7a primitives landed — noetl-server v2.39.0 (server#121)
    Starts Phase 7. KeyManager::current_key_version() trait accessor + EnvelopeCipher::rewrap_storage_string primitive (Skipped if same version, else Rewrapped with new storage string). Plaintext NEVER reconstructed during rotation — pure DEK re-wrap. noetl_wallet_rotate_total counter.
    Pages touched (Rule 0a four-page sweep):
    - Home.md: Last-refreshed flipped to v2.39.0 + server ecosystem-map refreshed.
    - Sessions-Log.md: new 2026-06-06 Phase 7a entry prepended.
    - Releases.md: new v2.39.0 row + Last-refreshed line.
    - Umbrella-Secrets-Wallet.md: Phase 7 row populated with 7a ✅ landed + 7a.2/7b/7c queued.
    Tracks noetl/ai-meta#61.

    @kadyapam kadyapam committed Jun 6, 2026
  • wiki: Secrets Wallet Phase 6e landed — noetl-server v2.38.0 (server#119) — Phase 6 closes
    Cross-region broker; BrokerRegistry + BrokerClient + POST /api/internal/cross-region/resolve peer endpoint; KeychainDef.no_broker_fallback per-credential opt-out; AppError::CrossRegionUnreachable HTTP 502; two new metrics (broker_call_total counter + broker_call_duration_seconds histogram). Phase 6 of the Secrets Wallet umbrella closes — both residency shapes operational (hard isolation + soft federation).
    Pages touched (Rule 0a four-page sweep):
    - Home.md: Last-refreshed flipped to v2.38.0 + server ecosystem-map refreshed.
    - Sessions-Log.md: new 2026-06-06 Phase 6e entry prepended with the full architectural shape diagram.
    - Releases.md: new v2.38.0 row + Last-refreshed line.
    - Umbrella-Secrets-Wallet.md: Phase 6e cell flipped to ✅ landed; Status banner updated to 'Phases 1-6 complete'; next: Phase 7.
    Tracks noetl/ai-meta#61.

    @kadyapam kadyapam committed Jun 6, 2026
  • wiki: Secrets Wallet Phase 6d primitives landed — noetl-server v2.37.0 (server#117)
    SecretValue.expires_at field + cache_decision honors issuer TTL with SkipCacheAlreadyExpired guard; KEYCHAIN_CACHE_DYNAMIC_SAFETY_MARGIN_SECS env; two new metrics (noetl_secret_dynamic_ttl_seconds histogram + noetl_secret_cache_skip_total counter). Backward compatible.
    Pages touched (Rule 0a four-page sweep):
    - Home.md: Last-refreshed flipped to v2.37.0 + server ecosystem-map refreshed.
    - Sessions-Log.md: new 2026-06-06 Phase 6d entry prepended.
    - Releases.md: new v2.37.0 row + Last-refreshed line.
    - Umbrella-Secrets-Wallet.md: Phase 6d primitives cell flipped to ✅ landed; 6d.1/6d.2/6d.3 cloud-specific providers queued as follow-ups.
    Tracks noetl/ai-meta#61.

    @kadyapam kadyapam committed Jun 6, 2026
  • wiki: Secrets Wallet Phase 6c landed — noetl-server v2.36.0 (server#115)
    Residency-policy gate (none/advisory/strict) in front of the resolver — strict-mode mismatches short-circuit with AppError::ResidencyViolation (HTTP 403) before any provider call. noetl_secret_residency_check_total{policy, decision} counter per observability.md Principle 1.
    Pages touched (Rule 0a four-page sweep):
    - Home.md: Last-refreshed flipped to v2.36.0 + server ecosystem-map refreshed.
    - Sessions-Log.md: new 2026-06-06 Phase 6c entry prepended.
    - Releases.md: new v2.36.0 row + Last-refreshed line.
    - Umbrella-Secrets-Wallet.md: Phase 6c cell flipped to ✅ landed.
    Tracks noetl/ai-meta#61.

    @kadyapam kadyapam committed Jun 6, 2026
  • wiki: Secrets Wallet Phase 6b landed — noetl-server v2.35.0 (server#113)
    ProviderRegistry cache of (provider_id, region) → Arc<dyn SecretProvider>; noetl_secret_provider_build_total counter + noetl_secret_resolve_duration_seconds histogram per observability.md Principle 1.
    Pages touched (Rule 0a four-page sweep):
    - Home.md: Last-refreshed flipped to v2.35.0 + server ecosystem-map refreshed.
    - Sessions-Log.md: new 2026-06-06 Phase 6b entry prepended.
    - Releases.md: new v2.35.0 row + Last-refreshed line.
    - Umbrella-Secrets-Wallet.md: Phase 6b cell flipped to ✅ landed.
    Tracks noetl/ai-meta#61.

    @kadyapam kadyapam committed Jun 6, 2026
  • wiki: Secrets Wallet Phase 6a landed — noetl-server v2.34.0 (server#111)
    Starts Phase 6 (residency-aware distributed resolution). KeychainDef.region + SecretRef.region routing primitives; AWS provider honors the region with explicit precedence; NOETL_SERVER_REGION env + server_region() / effective_region() fallback helpers; noetl_secret_resolve_total counter per observability.md Principle 1.
    Pages touched (Rule 0a four-page sweep):
    - Home.md: Last-refreshed flipped to v2.34.0 headline + server ecosystem-map cell refreshed.
    - Sessions-Log.md: new 2026-06-06 Phase 6a entry prepended.
    - Releases.md: new v2.34.0 row at the top + Last-refreshed line.
    - Umbrella-Secrets-Wallet.md: Phase 6 row updated (status 🚧, 6a ✅ landed, 6b/6c/6d/6e queued).
    Tracks noetl/ai-meta#61.

    @kadyapam kadyapam committed Jun 6, 2026
  • wiki: Secrets Wallet Phase 5c landed — noetl-worker v5.13.0 (worker#58)
    Phase 5 (sealed payload delivery) fully merged across server (5a+5b) + worker (5c). Cross-repo kind-val pass: server seals to the worker's registered pubkey; noetl_credentials_sealed_total{status="ok"} ticks.
    Pages touched (Rule 0a four-page sweep):
    - Home.md: Last-refreshed flipped to v5.13.0 headline + #61 row 5c cell flipped landed + worker ecosystem-map cell refreshed.
    - Sessions-Log.md: 2026-06-06 Phase 5c heading flipped to "landed v5.13.0"; cross-repo kind-val results recorded with the captured envelope shape + counter.
    - Releases.md: new v5.13.0 row at the top + Last-refreshed line.
    - Umbrella-Secrets-Wallet.md: Phase 5 status flipped from 🚧 to ✅ fully merged.
    Tracks noetl/ai-meta#61.

    @kadyapam kadyapam committed Jun 6, 2026
  • wiki: Secrets Wallet Phase 5b landed — noetl-server v2.33.0 (server#109)
    GET /api/credentials/{id}/sealed?worker_id=<name> ships, sub-issue server#108 auto-closed. Workers opt in via runtime JSON worker_public_key — no schema migration. Observability per agents/rules/observability.md Principle 1 (counter + span + execution_id).
    Pages touched (Rule 0a four-page sweep):
    - Home.md: Last-refreshed flipped to v2.33.0 headline; #61 Active-umbrella row 5b cell flipped landed; server ecosystem-map cell refreshed to v2.33.0.
    - Sessions-Log.md: 2026-06-06 Phase 5b heading flipped to "landed v2.33.0"; what-landed line cites server#109 + e9f8099 + closed server#108.
    - Releases.md: new v2.33.0 row at the top + Last-refreshed line.
    - Umbrella-Secrets-Wallet.md: Phase 5b cell flipped to landed.
    Tracks noetl/ai-meta#61.

    @kadyapam kadyapam committed Jun 6, 2026
  • wiki: Secrets Wallet Phase 5c — worker integration (PR open, Phase 5 functionally complete) Home Last-refreshed + #61 row; Sessions-Log 5c entry; Umbrella phased plan 5 row → 5c PR open + Phase 5 functionally complete. worker#58 (closes worker#57), Refs noetl/ai-meta#61.

    @kadyapam kadyapam committed Jun 6, 2026
  • wiki: Secrets Wallet Phase 5b — wire format + sealing endpoint (PR open, kind-validated) Home Last-refreshed + #61 row; Sessions-Log 5b entry; Umbrella phased plan 5 row → 5b PR-open/kind-validated. server#109 (closes server#108), Refs noetl/ai-meta#61.

    @kadyapam kadyapam committed Jun 6, 2026
  • wiki: Secrets Wallet Phase 5a landed — noetl-server v2.32.0 (server#107) Home Last-refreshed + #61 row + server ecosystem cell → v2.32.0; Releases v2.32.0 row + Last-refreshed; Sessions-Log → merged; Umbrella 5 row → 5a landed. Refs noetl/ai-meta#61.

    @kadyapam kadyapam committed Jun 6, 2026
  • wiki: Secrets Wallet Phase 5a — sealed payload primitives (PR open) Home Last-refreshed + #61 row; Sessions-Log 5a entry; Umbrella phased plan 5 row → 5a PR open + 5b/5c plan. server#107 (closes server#106), Refs noetl/ai-meta#61.

    @kadyapam kadyapam committed Jun 6, 2026
  • wiki: Secrets Wallet Phase 4d merged (ops@0fc0dc8) — Phase 4 fully merged Flip 4d PR-open → merged in Home/#61 row/Sessions-Log/Umbrella; phase 4 fully merged across 4a/4b/4c/4d. Refs noetl/ai-meta#61.

    @kadyapam kadyapam committed Jun 6, 2026
  • wiki: Secrets Wallet Phase 4d — Helm chart values-gated mTLS (PR open, kind-validated) Home Last-refreshed + #61 row; Sessions-Log 4d entry; Umbrella phased plan 4 row → all of 4a/4b/4c landed + 4d PR open. ops#165 (closes ops#164), Refs noetl/ai-meta#61.

    @kadyapam kadyapam committed Jun 6, 2026
  • wiki: Secrets Wallet providers 3.x landed — noetl-server v2.31.0 (server#105) 5-provider matrix complete (GCP/K8s/Vault/AWS/Azure). Home Last-refreshed + #61 row + server ecosystem cell → v2.31.0; Releases v2.31.0 row + Last-refreshed; Sessions-Log → merged; Umbrella phased plan 3.x → all 5 landed. Refs noetl/ai-meta#61.

    @kadyapam kadyapam committed Jun 6, 2026
  • wiki: Secrets Wallet providers 3.x — AWS SM + Azure KV (PR open) Home Last-refreshed + #61 row; Sessions-Log entry; Umbrella phased plan 3.x row. server#105 (closes server#104), Refs noetl/ai-meta#61.

    @kadyapam kadyapam committed Jun 6, 2026
  • wiki: Secrets Wallet Phase 4c merged (ops@37d4d6c) — Phase 4 transport mTLS complete Flip 4c PR-open → merged in Home/#61 row/Sessions-Log/Umbrella. Refs noetl/ai-meta#61.

    @kadyapam kadyapam committed Jun 6, 2026
  • wiki: Secrets Wallet Phase 4c — cert-manager mTLS overlay (PR open, kind-validated) Home Last-refreshed + #61 row; Sessions-Log 4c entry; Umbrella phased plan 4c → PR open/kind-validated + Phase 4 transport mTLS functionally complete (4a+4b+4c). ops#163 (closes ops#162), Refs noetl/ai-meta#61.

    @kadyapam kadyapam committed Jun 6, 2026
  • wiki: Secrets Wallet Phase 4b landed — noetl-worker v5.12.0 (worker#56) Home Last-refreshed/#61 row/worker ecosystem cell → v5.12.0; Releases v5.12.0 row + Last-refreshed; Sessions-Log 4b → merged; Umbrella 4b → landed. Refs noetl/ai-meta#61.

    @kadyapam kadyapam committed Jun 6, 2026
  • wiki: Secrets Wallet Phase 4b — worker mTLS client (PR open, kind-validated) Home Last-refreshed + #61 row; Sessions-Log 4b entry; Umbrella phased plan 4b → PR open/kind-validated + 4c init-container finding. worker#56 (closes worker#55), Refs noetl/ai-meta#61.

    @kadyapam kadyapam committed Jun 6, 2026
  • wiki: Secrets Wallet Phase 4a landed — noetl-server v2.30.0 (server#103) Home Last-refreshed + #61 row + server ecosystem-map cell → v2.30.0; Releases v2.30.0 row + Last-refreshed; Sessions-Log 4a entry → merged; Umbrella 4a → landed. Refs noetl/ai-meta#61.

    @kadyapam kadyapam committed Jun 6, 2026
  • wiki: Secrets Wallet Phase 4a — server TLS/mTLS listener (PR open, kind-validated) Home Last-refreshed 2026-06-06 + 4a headline + #61 row; Sessions-Log entry; Umbrella phased plan reconciled (transport mTLS = Phase 4 [4a/4b/4c], payload sealing = Phase 5; reordered from original). server#103 (closes server#102), Refs noetl/ai-meta#61.

    @kadyapam kadyapam committed Jun 6, 2026
  • docs(wiki): Vault provider landed (server v2.29.0) — Secrets Wallet #61
    - Releases: v2.29.0 row + Last-refreshed.
    - Home: server cell v2.29.0; #61 row Vault landed; Last-refreshed.
    - Sessions-Log: Vault entry landed (server 86b2be2).
    - Umbrella-Secrets-Wallet: Vault provider landed.
    Refs noetl/ai-meta#61

    @kadyapam kadyapam committed Jun 6, 2026
  • docs(wiki): Secrets Wallet #61 providers 3.x — Vault provider in flight (server#101)
    - Home: #61 row + Last-refreshed (Vault KV v2 provider, kind-validated).
    - Sessions-Log: new entry (VaultSecretProvider, 330/0, real-value kind-val).
    - Umbrella-Secrets-Wallet: providers-3.x Vault note.
    Refs noetl/ai-meta#61

    @kadyapam kadyapam committed Jun 6, 2026