fix: add secrets field to AmbientAgentEnvironment to prevent CLI updates from resetting secrets [REMOTE-1880] #12280

Open
captainsafia wants to merge 1 commit into master from oz-agent/fix-cli-environment-update-secrets-reset

@captainsafia
Contributor

Description

Add a secrets field to the Rust AmbientAgentEnvironment struct to match the server-side CloudEnvironmentConfig Go model. Without this field, CLI environment updates via Warp Drive sync would serialize JSON without a secrets key, causing the server to interpret the missing field as nil (= "all secrets" / no scoping), effectively clearing any previously configured secret selection.

Root Cause

The AmbientAgentEnvironment struct in crates/cloud_object_models/src/cloud_environment.rs was missing a secrets field that the server-side CloudEnvironmentConfig has (Secrets *[]EnvironmentSecretRef). When the CLI's oz environment update command updated an environment:

  1. It cloned the existing AmbientAgentEnvironment model (no secrets field)
  2. Updated the requested fields (name, docker image, etc.)
  3. Serialized and sent the model via Warp Drive sync
  4. The server received JSON without a secrets key → Go deserialized it as nil → "all secrets"

The web UI was unaffected because it goes through the upsertCloudEnvironment GraphQL mutation, which properly includes secrets from the current environment data.

Fix

  • Added EnvironmentSecretRef struct and secrets: Option<Vec<EnvironmentSecretRef>> to AmbientAgentEnvironment
  • Uses #[serde(default, skip_serializing_if = "Option::is_none")] for backward compatibility
  • Existing serialized environments without secrets still deserialize correctly as None

Linked Issue

  • REMOTE-1880
  • The linked issue is labeled ready-to-spec or ready-to-implement.
  • Where appropriate, screenshots or a short video of the implementation are included below (especially for user-visible or UI changes).

Testing

  • Added 7 new unit tests covering secrets serialization/deserialization:

    • Legacy environments without secrets deserialize correctly (None)
    • Empty secrets array round-trips as Some([])
    • Specific secrets round-trip correctly
    • None secrets are omitted from serialized JSON
    • Some([]) secrets are included in serialized JSON
  • All 14 tests in cloud_environment::tests pass

  • cargo check -p warp succeeds with no errors

  • I have manually tested my changes locally with ./script/run

Agent Mode

  • Warp Agent Mode - This PR was created via Warp's AI Agent Mode

Conversation: https://staging.warp.dev/conversation/cfdf3038-1c57-4a8c-9d3c-4e7df3f85332
Run: https://oz.staging.warp.dev/runs/019e99cd-9dc8-72eb-a7e4-c20662f3239c
This PR was generated with Oz.
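
An added example, not code from this pull request or the Warp code base: a Go sketch of the lossy round trip described above, using only encoding/json. The JSON key names, the name field of EnvironmentSecretRef, and the envConfig, Scope and Update names are assumptions; only the Secrets *[]EnvironmentSecretRef shape and the rule that nil means "all secrets" come from the description.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Field name is an assumption; the PR only names the type.
type EnvironmentSecretRef struct {
	Name string `json:"name"`
}

// envConfig mirrors the server's Secrets *[]EnvironmentSecretRef; omitempty plays
// the role of skip_serializing_if = "Option::is_none" on the client side.
type envConfig struct {
	Name    string                  `json:"name"`
	Secrets *[]EnvironmentSecretRef `json:"secrets,omitempty"`
}

// Scope reports how a receiver with the server's nil rule reads an update payload.
func Scope(payload []byte) string {
	var cfg envConfig
	if err := json.Unmarshal(payload, &cfg); err != nil {
		return "invalid"
	}
	if cfg.Secrets == nil {
		return "all secrets" // missing key and null both decode to nil
	}
	return fmt.Sprintf("%d selected", len(*cfg.Secrets))
}

// Update mimics a CLI rename: decode the stored JSON, edit one field, re-encode.
// keepSecrets=false models the client struct before the fix.
func Update(stored []byte, name string, keepSecrets bool) ([]byte, error) {
	var m envConfig
	if err := json.Unmarshal(stored, &m); err != nil {
		return nil, err
	}
	m.Name = name
	if !keepSecrets {
		m.Secrets = nil // the pre-fix struct had no field to hold this
	}
	return json.Marshal(m)
}

func main() {
	// Constructed sample payload, not taken from the PR.
	out, _ := Update([]byte(`{"name":"env","secrets":[{"name":"K"}]}`), "env2", false)
	fmt.Println(string(out), "->", Scope(out))
}
```

The same check works as a regression test on any client that rewrites server objects: decode, change an unrelated field, re-encode, and assert that the scoping the receiver derives is unchanged.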

…tes from resetting secrets

The Rust AmbientAgentEnvironment struct was missing a secrets field that
exists on the server-side CloudEnvironmentConfig model. When the CLI
updated an environment via Warp Drive sync, the serialized JSON omitted
the secrets key entirely. The server then deserialized this as nil,
which means "all secrets" (no scoping), effectively clearing any
previously configured secret selection.

This adds an Option<Vec<EnvironmentSecretRef>> field with serde defaults
so existing serialized data without secrets still deserializes correctly
(as None), while environments that have secrets configured will now
properly round-trip through CLI updates.

Fixes REMOTE-1880

Co-Authored-By: Oz <oz-agent@warp.dev>
@cla-bot cla-bot Bot added the cla-signed label Jun 5, 2026
@captainsafia captainsafia changed the title from "fix: add secrets field to AmbientAgentEnvironment to prevent CLI updates from resetting secrets" to "fix: add secrets field to AmbientAgentEnvironment to prevent CLI updates from resetting secrets [REMOTE-1880]" Jun 5, 2026
@captainsafia captainsafia marked this pull request as ready for review June 5, 2026 23:56
@oz-for-oss
Contributor

oz-for-oss Bot commented Jun 5, 2026

@captainsafia

I'm starting a first review of this pull request.

You can view the conversation on Warp.

I completed the review and no human review was requested for this pull request.

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz

Contributor

@oz-for-oss oz-for-oss Bot left a comment

Overview

This PR adds EnvironmentSecretRef and a secrets field to AmbientAgentEnvironment, preserving managed-secret scoping when cloud environment JSON is deserialized and reserialized by Rust clients. It also covers legacy missing-field behavior, explicit empty selections, specific secret selections, omission of None, and round-trip serialization.

Concerns

  • No blocking correctness, security, or spec-drift concerns found in the annotated diff.

Verdict

Found: 0 critical, 0 important, 0 suggestions

Approve

@captainsafia
Contributor Author

Verified the end-to-end locally and it seems to do the trick!

@captainsafia captainsafia requested a review from ianhodge June 7, 2026 04:26