Create VaultService NestJS module for OpenBao Transit #353

New Issue

Closed

opened 2026-02-07 17:11:40 +00:00 by jason.woltje · 0 comments

jason.woltje commented 2026-02-07 17:11:40 +00:00

Owner

Copy Link

Phase 2b - OpenBao Integration

Problem

The codebase needs a NestJS service that wraps OpenBao Transit API for encrypt/decrypt operations, with graceful fallback to the existing AES-256-GCM CryptoService when OpenBao is unavailable (local dev, CI).

Requirements

1. Create VaultModule (global) and VaultService
2. Authenticate via AppRole (credentials from init volume or env vars)
3. Encrypt/decrypt via Transit API with named keys
4. Auto-detect ciphertext format: vault:v1:... (Transit) vs aes:... (AES fallback)
5. Fall back to CryptoService when OpenBao is not available
6. Token auto-renewal at 50% TTL
7. Health check for monitoring
8. Migrate Account encryption middleware from Phase 1 to use VaultService

Implementation Notes

• Use native fetch() for HTTP calls to OpenBao (no external Vault client library needed)
• TransitKey enum: CREDENTIALS, ACCOUNT_TOKENS, FEDERATION, LLM_CONFIG
• Transit encrypt: POST /v1/transit/encrypt/{key} with base64-encoded plaintext
• Transit decrypt: POST /v1/transit/decrypt/{key} returns base64-encoded plaintext
• VaultService wraps CryptoService as fallback, not replaces it
• On module init: attempt AppRole login. If fails, log warning and set fallback mode.
• Account encryption middleware updated to inject VaultService instead of CryptoService directly

Files

• apps/api/src/vault/vault.module.ts (new)
• apps/api/src/vault/vault.service.ts (new)
• apps/api/src/vault/vault.service.spec.ts (new)
• apps/api/src/vault/vault.health.ts (new)
• apps/api/src/vault/vault.constants.ts (new - TransitKey enum)
• apps/api/src/app.module.ts (modify - import VaultModule)
• apps/api/src/prisma/account-encryption.middleware.ts (modify - use VaultService)
• .env.example (modify - add OPENBAO_ROLE_ID, OPENBAO_SECRET_ID)

Acceptance Criteria

• VaultService encrypts/decrypts via OpenBao Transit API
• Falls back to CryptoService when OpenBao unavailable
• AppRole authentication with auto-renewal
• Health check endpoint reports OpenBao status
• Account encryption middleware uses VaultService
• Existing aes:-prefixed ciphertext remains decryptable
• Unit tests with mocked Transit API
• Integration test with real OpenBao container (optional)

Dependencies

• Depends on: OpenBao Docker setup
• Depends on: Account token encryption middleware (Phase 1c)
• Blocks: User credential model and API (Phase 3)

Refs #346

## Phase 2b - OpenBao Integration ### Problem The codebase needs a NestJS service that wraps OpenBao Transit API for encrypt/decrypt operations, with graceful fallback to the existing AES-256-GCM CryptoService when OpenBao is unavailable (local dev, CI). ### Requirements 1. Create VaultModule (global) and VaultService 2. Authenticate via AppRole (credentials from init volume or env vars) 3. Encrypt/decrypt via Transit API with named keys 4. Auto-detect ciphertext format: vault:v1:... (Transit) vs aes:... (AES fallback) 5. Fall back to CryptoService when OpenBao is not available 6. Token auto-renewal at 50% TTL 7. Health check for monitoring 8. Migrate Account encryption middleware from Phase 1 to use VaultService ### Implementation Notes - Use native fetch() for HTTP calls to OpenBao (no external Vault client library needed) - TransitKey enum: CREDENTIALS, ACCOUNT_TOKENS, FEDERATION, LLM_CONFIG - Transit encrypt: POST /v1/transit/encrypt/{key} with base64-encoded plaintext - Transit decrypt: POST /v1/transit/decrypt/{key} returns base64-encoded plaintext - VaultService wraps CryptoService as fallback, not replaces it - On module init: attempt AppRole login. If fails, log warning and set fallback mode. - Account encryption middleware updated to inject VaultService instead of CryptoService directly ### Files - apps/api/src/vault/vault.module.ts (new) - apps/api/src/vault/vault.service.ts (new) - apps/api/src/vault/vault.service.spec.ts (new) - apps/api/src/vault/vault.health.ts (new) - apps/api/src/vault/vault.constants.ts (new - TransitKey enum) - apps/api/src/app.module.ts (modify - import VaultModule) - apps/api/src/prisma/account-encryption.middleware.ts (modify - use VaultService) - .env.example (modify - add OPENBAO_ROLE_ID, OPENBAO_SECRET_ID) ### Acceptance Criteria - [ ] VaultService encrypts/decrypts via OpenBao Transit API - [ ] Falls back to CryptoService when OpenBao unavailable - [ ] AppRole authentication with auto-renewal - [ ] Health check endpoint reports OpenBao status - [ ] Account encryption middleware uses VaultService - [ ] Existing aes:-prefixed ciphertext remains decryptable - [ ] Unit tests with mocked Transit API - [ ] Integration test with real OpenBao container (optional) ### Dependencies - Depends on: OpenBao Docker setup - Depends on: Account token encryption middleware (Phase 1c) - Blocks: User credential model and API (Phase 3) Refs #346

jason.woltje added this to the M9-CredentialSecurity (0.0.9) milestone 2026-02-07 17:11:40 +00:00

jason.woltje added the securityapiapip1 labels 2026-02-07 17:11:40 +00:00

jason.woltje referenced this issue 2026-02-07 17:12:28 +00:00

Add OpenBao to Docker Compose (turnkey setup) #357

jason.woltje referenced this issue 2026-02-07 17:13:29 +00:00

Security: Vault-based credential storage for agents and CI #346

jason.woltje referenced this issue from a commit 2026-02-07 22:13:24 +00:00

feat(#353): Create VaultService NestJS module for OpenBao Transit

jason.woltje closed this issue 2026-02-07 22:13:25 +00:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/ci-glibc-image

fix/dockerfile-npmrc

fix/matrix-native-binary

fix/kaniko-cache

fix/base-image-kaniko-v2

fix/base-image-kaniko

feat/custom-base-image

ci/pnpm-cache

fix/interceptor-tests

fix/kanban-tests

feat/wire-chat

feat/usage-widget

fix/security-hardening

fix/project-domain-v2

feat/kanban-add-task

fix/project-domain-attach

fix/logs-page-clean

fix/workspace-members

fix/ci-lint-632

fix/file-manager-tags

fix/csrf-debug-log

fix/controller-type-imports

fix/system-admin-env

fix/gateway-cors-trusted-origins

feat/project-detail-page

fix/fleet-provider-form-dto-v2

fix/ms22-audit

fix/orchestrator-widgets

fix/fleet-provider-form-dto

fix/csrf-bearer-bypass

fix/ms22-missing-authmodule-imports

fix/container-lifecycle-config-module

fix/swarm-compose-ms22-vars

chore/ms22-p1-complete

feat/ms22-p1h-settings-ui

feat/ms22-p1f-onboarding-ui

feat/ms22-p1i-chat-proxy

feat/ms22-p1k-idle-reaper

feat/ms22-p1j-docker

feat/ms22-p1e-onboarding-api

feat/ms22-p1g-settings-api

feat/ms22-p1d-container-mgr

feat/ms22-p1c-config-api

chore/ms22-prd-tracking

feat/ms22-p1a-schema

feat/ms22-p1b-crypto

chore/ms22-p1-tasks

docs/ms22-architecture

feat/ms22-openclaw-docker

feat/ms22-openclaw-gateway-module

chore/ms21-complete

chore/ms21-final-tasks-done

fix/ms21-ui-001-qa

test/ms21-ui-tests

chore/ms21-tasks-sync

chore/ms22-phase0-complete

feat/ms22-ingest-clean

feat/ms21-ui-users-members

feat/ms22-task-agent

chore/tasks-final

chore/tasks-update

feat/ms21-session-invalidation

feat/ms21-rbac-settings

feat/ms21-teams-page

feat/ms21-users-page

feat/ms19-terminal-persistence

v0.0.21

v0.20.0

v0.0.15

v0.0.2

Labels

Clear labels

ai

AI/LLM integration

api

Backend/API work

api

auth

Authentication

database

database

Database/schema work

devops

Docker/deployment

docs

Documentation

frontend

graph

knowledge-module

migration

Data migration

orchestrator

Orchestrator service (apps/orchestrator/)

p0

Critical priority

p1

High priority

p2

Medium priority

p3

Low priority

performance

Performance work

phase-1

phase-2

phase-3

phase-4

phase-5

plugin

MoltBot plugin work

search

security

Security-related

setup

Initial setup

testing

Testing/QA

web

Frontend work

No Label api api p1 security

Milestone

No items

No Milestone M9-CredentialSecurity (0.0.9)

Projects

Clear projects

No project

Assignees

Clear assignees

jason.woltje

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaic/stack#353