Merged
boblangley (Collaborator) commented Feb 8, 2026
- Add support for HashiCorp Vault
- Add license
- Update documentation
- Add devcontainer
Introduce a SecretsBackend interface so agent credentials can be stored in either Bitwarden/Vaultwarden or HashiCorp Vault (KV v2). The backend is selected via the SECRETS_BACKEND env var (default: "bitwarden").

- Add SecretsBackend interface with shared types in backend.go
- Implement VaultBackend using hashicorp/vault/api Go client
- Refactor store.go to use LoadFromBackend instead of LoadFromBitwarden
- Update config to support VAULT_ADDR, VAULT_TOKEN, VAULT_MOUNT_PATH, VAULT_BASE_PATH with _FILE variants for Docker secrets
- Add Vault e2e test infrastructure (docker-compose, seeder script)
- Add unit tests for Vault backend with httptest mocks
- Add parallel e2e-test-vault CI job
- Skip tests requiring real GitHub API when TEST_GITHUB_API_ENABLED!=true

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Move detailed reference content out of README.md into dedicated docs:

- docs/vault.md — HashiCorp Vault setup guide
- docs/api.md — REST API reference
- docs/configuration.md — environment variable reference
- docs/helpers.md — helper binaries usage

Also extract development instructions into CONTRIBUTING.md. README.md now focuses on overview, quick start, and links to detailed docs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
Adds HashiCorp Vault as an alternative secrets backend to Bitwarden/Vaultwarden, along with supporting docs and test infrastructure.
Changes:
- Introduces a `SecretsBackend` interface and implements a Vault KV v2 backend.
- Updates server/config to select backend via `SECRETS_BACKEND` and adds Vault configuration options.
- Adds Vault-focused e2e stack/seeding plus expanded documentation and CI coverage.
Reviewed changes
Copilot reviewed 28 out of 29 changed files in this pull request and generated 13 comments.
| File | Description |
|---|---|
| tests/e2e_test.go | Skips GitHub-dependent e2e checks when GitHub API isn’t configured |
| scripts/seed-vault-hcv.sh | Adds Vault seeding script for e2e runs |
| internal/secrets/vault_test.go | Adds unit tests for the Vault backend |
| internal/secrets/vault.go | Implements Vault KV v2 backend |
| internal/secrets/store.go | Generalizes store loading to work with any backend |
| internal/secrets/bitwarden.go | Adapts Bitwarden backend to SecretsBackend interface |
| internal/secrets/backend.go | Adds backend interface + shared types/errors |
| internal/config/config.go | Adds backend selection + Vault config and validation |
| go.mod | Adds Vault API dependency and updates Go/x crypto deps |
| docs/vault.md | Documents Vault setup and secret structure |
| docs/helpers.md | Documents helper binaries usage |
| docs/configuration.md | Documents env var configuration including backend selection |
| docs/api.md | Extracts/centralizes API reference documentation |
| docker-compose.yml | Documents/configures optional Vault backend env vars |
| docker-compose.test-vault.yml | Adds Vault-based e2e docker-compose stack |
| cmd/server/main.go | Selects and initializes secrets backend at startup |
| README.md | Updates overview and links to new documentation |
| Makefile | Adds test-e2e-vault target and improves cleanup |
| LICENSE | Adds project license file |
| Dockerfile.test-seeder-vault | Adds a Vault seeder container image |
| Dockerfile.test-runner | Bumps Go version for test runner |
| Dockerfile.helpers | Bumps Go version for helpers build |
| Dockerfile | Bumps Go version for main build |
| CONTRIBUTING.md | Adds contribution and test instructions including Vault |
| AGENTS.md | Updates architecture/docs for pluggable secrets backends |
| .github/workflows/test.yml | Adds Vault e2e job and bumps Go version |
| .env.example | Adds backend selection and Vault env var examples |
| .devcontainer/devcontainer.json | Adds devcontainer configuration |
- Allow empty BW_COLLECTION_ID (loads personal vault, not a required field)
- Return empty slice instead of error for empty Vault secret list
- Remove GitHub secrets from seeder required_vars (defaults provided for CI)
- Always run vault seeder in CI (works without real GitHub credentials)
- Use t.Setenv instead of os.Setenv/Unsetenv in vault tests
- Tighten agent_token.txt permissions to 600
- Align docs/vault.md private_key examples to use @file syntax
- Fix workflow_dispatch boolean default type

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
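
The backend selection and `_FILE` handling that the commit messages above describe, as an added example that is not code from this pull request. `envOrFile` and `loadBackend` are hypothetical names; treating `VAULT_ADDR` and `VAULT_TOKEN` as required, and rejecting a variable that is set both inline and through its `_FILE` variant, are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// envOrFile (hypothetical helper): $KEY, or the trimmed contents of the file in $KEY_FILE.
func envOrFile(key string) (string, error) {
	val, path := os.Getenv(key), os.Getenv(key+"_FILE")
	if val != "" && path != "" { // ambiguous: refuse rather than pick one
		return "", fmt.Errorf("%s and %s_FILE are both set", key, key)
	}
	if path == "" {
		return val, nil
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("reading %s_FILE: %w", key, err)
	}
	return strings.TrimSpace(string(data)), nil // secret files often end in "\n"
}

// loadBackend (hypothetical): select the backend; errors name variables, never values.
func loadBackend() (string, map[string]string, error) {
	switch b := os.Getenv("SECRETS_BACKEND"); b {
	case "", "bitwarden": // "bitwarden" is the default stated in the PR
		return "bitwarden", nil, nil
	case "vault":
	default:
		return "", nil, fmt.Errorf("unsupported SECRETS_BACKEND %q", b)
	}
	var err error
	cfg := map[string]string{}
	for _, key := range []string{"VAULT_ADDR", "VAULT_TOKEN", "VAULT_MOUNT_PATH", "VAULT_BASE_PATH"} {
		if cfg[key], err = envOrFile(key); err != nil {
			return "", nil, err
		}
	}
	if cfg["VAULT_ADDR"] == "" || cfg["VAULT_TOKEN"] == "" { // assumption: both required
		return "", nil, fmt.Errorf("vault backend needs VAULT_ADDR and VAULT_TOKEN")
	}
	return "vault", cfg, nil
}

func main() {
	backend, _, err := loadBackend() // print the choice, never the resolved secrets
	fmt.Println(backend, err)
}
```
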