mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

Security: Vault-based credential storage for agents and CI #346

New Issue
Closed
opened 2026-02-06 18:05:43 +00:00 by jason.woltje · 0 comments
jason.woltje commented 2026-02-06 18:05:43 +00:00
Owner
Copy Link

Epic: Vault-Based Credential Storage

Centralized credential management using OpenBao (open-source Vault fork) with PostgreSQL encrypted storage and RLS enforcement. Users and admins can manage API keys, git tokens, and OAuth tokens securely.

Design Document: docs/design/credential-security.md
Approach: Hybrid OpenBao Transit encryption + PostgreSQL RLS

Architecture

User stores API key via UI
-> NestJS API receives plaintext key
-> VaultService.encrypt(key) calls OpenBao Transit API
-> Ciphertext stored in PostgreSQL (user_credentials table, RLS-enforced)
-> Plaintext never persists to disk

When OpenBao is unavailable (local dev), VaultService falls back to AES-256-GCM CryptoService.

Phase 1: Security Foundations (p0)

  • #351 Create RLS context interceptor (fix SEC-API-4)
  • #350 Add RLS policies to auth tables with FORCE enforcement
  • #352 Encrypt existing plaintext Account tokens

Phase 2: OpenBao Integration (p1)

  • #357 Add OpenBao to Docker Compose (turnkey setup)
  • #353 Create VaultService NestJS module for OpenBao Transit
  • #354 Write OpenBao documentation and production hardening guide

Phase 3: User Credential Storage (p1)

  • #355 Create UserCredential Prisma model with RLS policies
  • #356 Build credential CRUD API endpoints

Phase 4: Frontend (p1)

  • #358 Build frontend credential management pages

Phase 5: Migration and Hardening (p1-p3)

  • #359 Encrypt LLM provider API keys in database
  • #360 Federation credential isolation
  • #361 Credential audit log viewer (stretch)

Phase Dependencies

Phase 1 (RLS + Token Encryption)
-> Phase 2 (OpenBao + VaultService)
-> Phase 3 (Credential Model + API) -> Phase 4 (Frontend)
-> Phase 5 (LLM Migration + Federation)

## Epic: Vault-Based Credential Storage Centralized credential management using OpenBao (open-source Vault fork) with PostgreSQL encrypted storage and RLS enforcement. Users and admins can manage API keys, git tokens, and OAuth tokens securely. **Design Document:** docs/design/credential-security.md **Approach:** Hybrid OpenBao Transit encryption + PostgreSQL RLS ### Architecture User stores API key via UI -> NestJS API receives plaintext key -> VaultService.encrypt(key) calls OpenBao Transit API -> Ciphertext stored in PostgreSQL (user_credentials table, RLS-enforced) -> Plaintext never persists to disk When OpenBao is unavailable (local dev), VaultService falls back to AES-256-GCM CryptoService. ### Phase 1: Security Foundations (p0) - #351 Create RLS context interceptor (fix SEC-API-4) - #350 Add RLS policies to auth tables with FORCE enforcement - #352 Encrypt existing plaintext Account tokens ### Phase 2: OpenBao Integration (p1) - #357 Add OpenBao to Docker Compose (turnkey setup) - #353 Create VaultService NestJS module for OpenBao Transit - #354 Write OpenBao documentation and production hardening guide ### Phase 3: User Credential Storage (p1) - #355 Create UserCredential Prisma model with RLS policies - #356 Build credential CRUD API endpoints ### Phase 4: Frontend (p1) - #358 Build frontend credential management pages ### Phase 5: Migration and Hardening (p1-p3) - #359 Encrypt LLM provider API keys in database - #360 Federation credential isolation - #361 Credential audit log viewer (stretch) ### Phase Dependencies Phase 1 (RLS + Token Encryption) -> Phase 2 (OpenBao + VaultService) -> Phase 3 (Credential Model + API) -> Phase 4 (Frontend) -> Phase 5 (LLM Migration + Federation)
jason.woltje added the security label 2026-02-06 18:05:43 +00:00
jason.woltje added this to the M6-AgentOrchestration (0.0.6) milestone 2026-02-06 18:53:29 +00:00
jason.woltje modified the milestone from M6-AgentOrchestration (0.0.6) to (deleted) 2026-02-07 16:36:03 +00:00
jason.woltje modified the milestone from (deleted) to M9-CredentialSecurity (0.0.9) 2026-02-07 17:13:17 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
ai
AI/LLM integration
 api
Backend/API work
 api
auth
Authentication
 database
database
Database/schema work
 devops
Docker/deployment
 docs
Documentation
 frontend
graph
knowledge-module
migration
Data migration
 orchestrator
Orchestrator service (apps/orchestrator/)
 p0
Critical priority
 p1
High priority
 p2
Medium priority
 p3
Low priority
 performance
Performance work
 phase-1
phase-2
phase-3
phase-4
phase-5
plugin
MoltBot plugin work
 search
security
Security-related
 setup
Initial setup
 testing
Testing/QA
 web
Frontend work
No Label security
Milestone
No items
No Milestone M9-CredentialSecurity (0.0.9)
Projects
Clear projects
No project
Assignees
Clear assignees
jason.woltje
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: mosaic/stack#346
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?