Skip to content

auth v2 vault cli#5745

Closed
jroth1111 wants to merge 12 commits intoanomalyco:devfrom
jroth1111:auth-v2-vault-cli
Closed

auth v2 vault cli#5745
jroth1111 wants to merge 12 commits intoanomalyco:devfrom
jroth1111:auth-v2-vault-cli

Conversation

@jroth1111
Copy link

@jroth1111 jroth1111 commented Dec 18, 2025
edited
Loading

Context: #5748.

Builds on auth v2 core branch jroth1111:auth-v2-core.

Summary

Adds CLI commands to manage the local vault key used to encrypt credentials at rest (backup/migration and key rotation workflows).

What changed

  • opencode auth vault init (optionally --force) to create/overwrite the key file.
  • opencode auth vault export to print the base64 key or write it to a file (--output).
  • opencode auth vault import to load a base64 key (from --file, --key, or interactive prompt) with overwrite confirmation.
  • Extends VaultKey with helpers to support init/import/export.

Notes

Overwriting the key without exporting & reimporting/re-encrypting credentials will make existing records undecryptable; the commands prompt before overwriting.

gwizz added 12 commits December 18, 2025 14:25
core: subscription OAuth pools + same-request rotation
9bf4db8
fix: share OAuth creds across provider aliases
8eeb053
core: encrypted credential pools + rotating OAuth fetch
a090731
fix(mcp): use credential store for oauth state
fee71b9
fix(credentials): make legacy migration idempotent
e7e32b1
test(mcp): increase headers test timeout
f407387
fix(mcp): lazy-load remote transports
2abf0fd
test(mcp): stub client creation for deterministic header tests
c3923cc
fix(auth-v2): address review issues
a65ad2a 
- Move vault key from config/ to data/ for backup locality
- Extract parseRetryAfterMs and cooldown constants to util/http.ts
- Add type guards in credentials/guards.ts to replace unsafe casts
- Add OAuth placeholder comments to all 6 provider adapters
- Add Bun dependency comment to store.ts glob usage
- Update RFC with backup guidance and key rotation docs
refactor(auth): remove legacy V1 encryption and enforce AAD binding
1bb8b51
feat(auth): add vault init/export/import
9d9c3c5
fix(auth-v2): address review issues
8e0ad6a 
- Move vault key from config/ to data/ for backup locality
- Extract parseRetryAfterMs and cooldown constants to util/http.ts
- Add type guards in credentials/guards.ts to replace unsafe casts
- Add OAuth placeholder comments to all 6 provider adapters
- Add Bun dependency comment to store.ts glob usage
- Update RFC with backup guidance and key rotation docs
This was referenced Dec 18, 2025
Closed
Closed
Closed
@jroth1111
Copy link
Author

jroth1111 commented Dec 18, 2025

Context: #5748.

Heads-up: these auth-v2 PRs are stacked in my fork, so GitHub will show the full diff vs sst:dev here.

For just the incremental changes in this PR (on top of auth-v2 core), you can use:

If you prefer a single diff to review, #5746 is the combined PR.

@jroth1111
Copy link
Author

jroth1111 commented Dec 18, 2025

Superseded by #5754 (focused multi-account OAuth subscription failover using Bun.secrets). Closing to reduce noise; happy to reopen if you want the broader scope.

@jroth1111 jroth1111 closed this Dec 18, 2025
@jroth1111 jroth1111 deleted the auth-v2-vault-cli branch January 14, 2026 23:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jroth1111

Comments