feat: introduce organizations and org-scoped credentials #278
Merged
zbigniewsobiecki merged 1 commit into dev from Feb 16, 2026
Replace the flat project_secrets table with a structured credential system scoped to organizations. Credentials are defined once at org level with metadata (name, env_var_key, description) and referenced by ID. Projects can override specific credentials while sharing org-level defaults.

Schema changes:
- New organizations table (top-level entity)
- New credentials table with org FK, is_default flag, partial unique index
- New project_credential_overrides table for per-project overrides
- Add org_id FK to projects, cascade_defaults, and agent_configs
- Migration 0003 with data migration from project_secrets

Credential resolution order: project override → org default → null (caller decides fallback)

The provider API (getProjectSecret, getProjectSecrets) is unchanged, so all webhook handlers, adapters, and backends work without modification.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
- Replace project_secrets with structured credentials table (org-scoped, with metadata and is_default flag)
- New project_credential_overrides for per-project credential overrides that reference credentials by ID
- Add org_id FK to projects, cascade_defaults, and agent_configs
- Migration 0003 handles schema changes + data migration from project_secrets
- Provider API (getProjectSecret, getProjectSecrets) unchanged — zero changes needed in consumers

Credential Resolution
Files Changed
New:
- src/db/schema/organizations.ts — organizations table
- src/db/schema/credentials.ts — credentials + project_credential_overrides tables
- src/db/repositories/credentialsRepository.ts — resolution, CRUD, override management
- src/db/migrations/0003_organizations_and_credentials.sql — migration with data backfill
- tests/unit/config/configCache.test.ts — 12 tests for new cache paths
- tests/unit/db/repositories/credentialsRepository.test.ts — 18 tests for all repository functions

Modified:
- src/db/schema/projects.ts — orgId on projects + agent_configs
- src/db/schema/defaults.ts — orgId (NOT NULL, UNIQUE) replacing singleton pattern
- src/config/provider.ts — uses credentialsRepository instead of secretsRepository
- src/config/configCache.ts — orgIdByProject cache
- src/db/repositories/configRepository.ts — org-scoped defaults + agent config resolution
- tools/manage-secrets.ts — rewritten for org-scoped credential management

Test plan
- npm run typecheck — clean
- npm run lint — 0 errors (pre-existing warnings only)
- npm test — 857 tests passing (39 new)
- provider.ts 100%, configCache.ts 100%, credentialsRepository.ts 100%
- resolve <project-id> returns same credentials as before

🤖 Generated with Claude Code
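
The resolution order stated in the commit message (project override → org default → null), as an added TypeScript example that is not the PR's code. The in-memory tables, field names, sample values and the `resolveCredential` helper are assumptions, and the same-org check on overrides is an assumed hardening step the page does not describe.

```typescript
// Added illustration: constructed in-memory stand-ins for the tables named in the PR.
// Field names and sample values are assumptions, not the project's schema.
interface Credential { id: number; orgId: string; envVarKey: string; value: string; isDefault: boolean }
interface Project { id: string; orgId: string }
interface Override { projectId: string; credentialId: number } // references a credential by ID

const credentials: Credential[] = [
  { id: 1, orgId: "org-a", envVarKey: "GITHUB_TOKEN", value: "constructed-a-default", isDefault: true },
  { id: 2, orgId: "org-a", envVarKey: "GITHUB_TOKEN", value: "constructed-a-alt", isDefault: false },
  { id: 3, orgId: "org-b", envVarKey: "GITHUB_TOKEN", value: "constructed-b-default", isDefault: true },
];
const projects: Project[] = [
  { id: "p1", orgId: "org-a" }, // has a valid override
  { id: "p2", orgId: "org-a" }, // no override, falls back to the org default
  { id: "p3", orgId: "org-a" }, // override points at a credential owned by org-b
];
const overrides: Override[] = [
  { projectId: "p1", credentialId: 2 },
  { projectId: "p3", credentialId: 3 },
];

// Resolution order from the PR: project override -> org default -> null.
function resolveCredential(projectId: string, envVarKey: string): string | null {
  const project: Project | undefined = projects.filter((p) => p.id === projectId)[0];
  if (!project) return null;

  for (const o of overrides.filter((x) => x.projectId === projectId)) {
    const cred: Credential | undefined = credentials.filter((c) => c.id === o.credentialId)[0];
    // Assumed hardening check: an override may only reference a credential owned by
    // the project's own org. Fail closed instead of silently using another tenant's secret.
    if (!cred || cred.orgId !== project.orgId) {
      throw new Error(`override for ${projectId} references a credential outside ${project.orgId}`);
    }
    if (cred.envVarKey === envVarKey) return cred.value;
  }

  const def: Credential | undefined = credentials.filter(
    (c) => c.orgId === project.orgId && c.envVarKey === envVarKey && c.isDefault,
  )[0];
  return def ? def.value : null; // null: the caller decides the fallback
}
```

The error message names the project and org only, so a rejected override never puts a secret value into logs.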