Vault-support #1

Merged
boblangley merged 4 commits into main from vault-support on Feb 8, 2026

@boblangley
Collaborator

  • Add support for HashiCorp Vault
  • Add license
  • Update documentation
  • Add devcontainer

boblangley and others added 3 commits February 8, 2026 17:57
Introduce a SecretsBackend interface so agent credentials can be stored
in either Bitwarden/Vaultwarden or HashiCorp Vault (KV v2). The backend
is selected via the SECRETS_BACKEND env var (default: "bitwarden").

- Add SecretsBackend interface with shared types in backend.go
- Implement VaultBackend using hashicorp/vault/api Go client
- Refactor store.go to use LoadFromBackend instead of LoadFromBitwarden
- Update config to support VAULT_ADDR, VAULT_TOKEN, VAULT_MOUNT_PATH,
  VAULT_BASE_PATH with _FILE variants for Docker secrets
- Add Vault e2e test infrastructure (docker-compose, seeder script)
- Add unit tests for Vault backend with httptest mocks
- Add parallel e2e-test-vault CI job
- Skip tests requiring real GitHub API when TEST_GITHUB_API_ENABLED!=true

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Move detailed reference content out of README.md into dedicated docs:
- docs/vault.md — HashiCorp Vault setup guide
- docs/api.md — REST API reference
- docs/configuration.md — environment variable reference
- docs/helpers.md — helper binaries usage

Also extract development instructions into CONTRIBUTING.md. README.md
now focuses on overview, quick start, and links to detailed docs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@boblangley boblangley self-assigned this Feb 8, 2026
@boblangley boblangley requested a review from Copilot February 8, 2026 17:59

Copilot AI left a comment

Pull request overview

Adds HashiCorp Vault as an alternative secrets backend to Bitwarden/Vaultwarden, along with supporting docs and test infrastructure.

Changes:

  • Introduces a SecretsBackend interface and implements a Vault KV v2 backend.
  • Updates server/config to select backend via SECRETS_BACKEND and adds Vault configuration options.
  • Adds Vault-focused e2e stack/seeding plus expanded documentation and CI coverage.

Reviewed changes

Copilot reviewed 28 out of 29 changed files in this pull request and generated 13 comments.

| File | Description |
| --- | --- |
| tests/e2e_test.go | Skips GitHub-dependent e2e checks when GitHub API isn’t configured |
| scripts/seed-vault-hcv.sh | Adds Vault seeding script for e2e runs |
| internal/secrets/vault_test.go | Adds unit tests for the Vault backend |
| internal/secrets/vault.go | Implements Vault KV v2 backend |
| internal/secrets/store.go | Generalizes store loading to work with any backend |
| internal/secrets/bitwarden.go | Adapts Bitwarden backend to SecretsBackend interface |
| internal/secrets/backend.go | Adds backend interface + shared types/errors |
| internal/config/config.go | Adds backend selection + Vault config and validation |
| go.mod | Adds Vault API dependency and updates Go/x crypto deps |
| docs/vault.md | Documents Vault setup and secret structure |
| docs/helpers.md | Documents helper binaries usage |
| docs/configuration.md | Documents env var configuration including backend selection |
| docs/api.md | Extracts/centralizes API reference documentation |
| docker-compose.yml | Documents/configures optional Vault backend env vars |
| docker-compose.test-vault.yml | Adds Vault-based e2e docker-compose stack |
| cmd/server/main.go | Selects and initializes secrets backend at startup |
| README.md | Updates overview and links to new documentation |
| Makefile | Adds test-e2e-vault target and improves cleanup |
| LICENSE | Adds project license file |
| Dockerfile.test-seeder-vault | Adds a Vault seeder container image |
| Dockerfile.test-runner | Bumps Go version for test runner |
| Dockerfile.helpers | Bumps Go version for helpers build |
| Dockerfile | Bumps Go version for main build |
| CONTRIBUTING.md | Adds contribution and test instructions including Vault |
| AGENTS.md | Updates architecture/docs for pluggable secrets backends |
| .github/workflows/test.yml | Adds Vault e2e job and bumps Go version |
| .env.example | Adds backend selection and Vault env var examples |
| .devcontainer/devcontainer.json | Adds devcontainer configuration |

- Allow empty BW_COLLECTION_ID (loads personal vault, not a required field)
- Return empty slice instead of error for empty Vault secret list
- Remove GitHub secrets from seeder required_vars (defaults provided for CI)
- Always run vault seeder in CI (works without real GitHub credentials)
- Use t.Setenv instead of os.Setenv/Unsetenv in vault tests
- Tighten agent_token.txt permissions to 600
- Align docs/vault.md private_key examples to use @file syntax
- Fix workflow_dispatch boolean default type

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@boblangley boblangley merged commit 5b2ff6b into main Feb 8, 2026
@boblangley boblangley deleted the vault-support branch February 8, 2026 18:14
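
The backend selection and `_FILE` handling described in the first commit message, sketched as an added Go example; it is not the project's code from internal/config/config.go. The type and function names, the `vault` selector value, and the rule that a variable and its `_FILE` variant may not both be set are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

type VaultConfig struct{ Addr, Token, MountPath, BasePath string } // hypothetical type

// resolve returns NAME, or the trimmed contents of the file named by NAME_FILE.
// Setting both is rejected (this example's choice) so neither shadows the other.
func resolve(getenv func(string) string, name string) (string, error) {
	val, path := getenv(name), getenv(name+"_FILE")
	if val != "" && path != "" {
		return "", fmt.Errorf("%s and %s_FILE are both set", name, name)
	}
	if path == "" {
		return val, nil
	}
	b, err := os.ReadFile(path)
	return strings.TrimSpace(string(b)), err
}

// LoadBackend picks the backend and, for Vault, resolves and validates its settings.
func LoadBackend(getenv func(string) string) (name string, cfg *VaultConfig, err error) {
	switch backend := getenv("SECRETS_BACKEND"); backend {
	case "", "bitwarden": // "bitwarden" is the default per the commit message
		return "bitwarden", nil, nil
	case "vault": // assumed selector value; the page does not spell it out
		cfg = &VaultConfig{}
		for key, dst := range map[string]*string{"VAULT_ADDR": &cfg.Addr, "VAULT_TOKEN": &cfg.Token,
			"VAULT_MOUNT_PATH": &cfg.MountPath, "VAULT_BASE_PATH": &cfg.BasePath} {
			if *dst, err = resolve(getenv, key); err != nil {
				return "", nil, err
			}
		}
		if cfg.Addr == "" || cfg.Token == "" {
			return "", nil, fmt.Errorf("vault backend requires VAULT_ADDR and VAULT_TOKEN")
		}
		return backend, cfg, nil
	default: // fail closed on a typo instead of falling back to another store
		return "", nil, fmt.Errorf("unknown SECRETS_BACKEND %q", backend)
	}
}

func main() {
	name, _, err := LoadBackend(os.Getenv) // config is not printed: it holds the token
	fmt.Println(name, err)
}
```

Passing the environment lookup as a function lets tests supply a map instead of mutating the process environment.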