20475595066
84%

Ran 24 Dec 2025 01:25AM UTC

Jobs 1

Files 22

Run time 1min

Badge

Embed ▾

Committed 24 Dec 2025 01:24AM UTC coverage: 83.78% (+0.4%) from 83.43%

Build # 20475595066

Build Type

push

github

Committed by

web-flow

Commit Message

feat: implement secrets vault with encrypted storage (#45)

* docs: add secrets vault implementation plan

Related to encrypted secrets storage feature

* docs: simplify secrets plan to unified API approach

- Same /kv/* API with ?secret=true flag
- Same table with secret boolean column
- Less code duplication, simpler mental model

* docs: switch to path-based secret detection

- secrets/ segment in path = encrypted automatically
- supports nested paths: app/secrets/foo, blah/secrets/bar
- no schema change needed, same API
- permissions use standard prefix patterns

* docs: require explicit permission grant for secrets

- wildcards like app/* do NOT match app/secrets/*
- even * does not grant secrets access
- must explicitly add secrets-containing prefix
- secure by default, opt-in for secrets

* docs: add lock icon SVG to iteration 6

* feat: implement secrets vault with encrypted storage

- add crypto.go with NaCl secretbox + Argon2id encryption
- path-based secret detection (keys containing secrets segment)
- SecretsFilter enum for list filtering (all/secrets/keys)
- explicit permission model - wildcards do not grant secrets access
- 400 error when secrets path used but key not configured
- lock icon in web UI for secret keys
- update documentation (README.md, CLAUDE.md)

Related to secrets-vault plan

* test(e2e): add secrets vault UI tests

- lock icon visibility for secret keys
- permission enforcement (user without secrets access)
- card view lock icon display
- scoped secrets access verification

* feat(web): add secrets filter toggle (All/Secrets/Keys)

- add SecretsFilter enum with Next() and Label() methods
- add filter button in header (only when secrets enabled)
- cycles through All → Secrets → Keys → All
- refactor handleKeyList to use getListParams helper (reduces complexity)
- add e2e test for filter toggle functionality
- fix SecretsEnabledFunc in all test mocks

* refactor: address code review findings for secrets vault

- fix build... (continued)

Run Details

342 of 389 new or added lines in 9 files covered. (87.92%)

2 existing lines in 2 files now uncovered.

3125 of 3730 relevant lines covered (83.78%)

81.67 hits per line

New Missed Lines in Diff

Lines	Coverage	∆	File
1	80.38	2.46%	app/server/web/handler.go
4	94.81		app/store/crypto.go
8	87.93	1.01%	app/server/web/keys.go
10	85.86	0.11%	app/store/db.go
11	64.44	-0.17%	app/main.go
13	66.28	-10.53%	app/store/cached.go

Uncovered Existing Lines

Lines	Coverage	∆	File
1	80.38	2.46%	app/server/web/handler.go
1	87.93	1.01%	app/server/web/keys.go

Jobs

ID	Job ID	Ran	Files	Coverage
1	20475595066.1	24 Dec 2025 01:25AM UTC	22	83.78	GitHub Action Run

umputun / stash / 20475595066
84%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

New Missed Lines in Diff

Uncovered Existing Lines

Jobs

Source Files on build 20475595066

umputun / stash / 20475595066 84%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

New Missed Lines in Diff

Uncovered Existing Lines

Jobs

Source Files on build 20475595066

umputun / stash / 20475595066
84%

README BADGES
x