Refactor secret management with pluggable storage providers

Introduce a modular secret storage architecture that supports multiple
backends (keyring and file-based storage). This enables better flexibility
for different deployment scenarios while maintaining consistent encryption.

Key changes:
• Rename Client to Encryption for clarity and rename associated files
• Extract secret storage into a Provider interface with two implementations:
  - KeyringProvider: Uses system keyring for credential storage
  - FileProvider: Uses encrypted files for secret persistence
• Consolidate error types into errors.go for better maintainability
• Update ModelProviderSecret to ModelProviderAssociated for semantic clarity
• Refactor daemon_run to support configurable secret providers via config
• Add comprehensive provider tests for both keyring and file backends

The provider can be selected via the 'secret.provider' configuration
(defaults to keyring, can be set to 'file' for file-based storage).

Co-authored-by: construct-agent <noreply@construct.sh>

Author: Furisto

backend/agent/client.go

@@ -13,11 +13,11 @@ import (
 )
 
 type ModelProviderFactory struct {
-	encryption *secret.Client
+	encryption *secret.Encryption
 	memory     *memory.Client
 }
 
-func NewModelProviderFactory(encryption *secret.Client, memory *memory.Client) *ModelProviderFactory {
+func NewModelProviderFactory(encryption *secret.Encryption, memory *memory.Client) *ModelProviderFactory {
 	return &ModelProviderFactory{
 		encryption: encryption,
 		memory:     memory,
@@ -33,7 +33,7 @@ func (f *ModelProviderFactory) CreateClient(
 		return nil, fmt.Errorf("failed to fetch model provider: %w", err)
 	}
 
-	providerAuth, err := f.encryption.Decrypt(provider.Secret, []byte(secret.ModelProviderSecret(provider.ID)))
+	providerAuth, err := f.encryption.Decrypt(provider.Secret, []byte(secret.ModelProviderAssociated(provider.ID)))
 	if err != nil {
 		return nil, fmt.Errorf("failed to decrypt model provider secret: %w", err)
 	}

backend/agent/runtime.go

@@ -61,7 +61,7 @@ func WithAnalytics(analytics analytics.Client) RuntimeOption {
 type Runtime struct {
 	api            *api.Server
 	memory         *memory.Client
-	encryption     *secret.Client
+	encryption     *secret.Encryption
 	eventHub       *event.MessageHub
 	bus            *event.Bus
 	taskReconciler *TaskReconciler
@@ -71,7 +71,7 @@ type Runtime struct {
 	metrics   *prometheus.Registry
 }
 
-func NewRuntime(memory *memory.Client, encryption *secret.Client, listener net.Listener, opts ...RuntimeOption) (*Runtime, error) {
+func NewRuntime(memory *memory.Client, encryption *secret.Encryption, listener net.Listener, opts ...RuntimeOption) (*Runtime, error) {
 	options := DefaultRuntimeOptions()
 	for _, opt := range opts {
 		opt(options)
@@ -154,7 +154,7 @@ func (rt *Runtime) Run(ctx context.Context) error {
 	}
 }
 
-func (rt *Runtime) Encryption() *secret.Client {
+func (rt *Runtime) Encryption() *secret.Encryption {
 	return rt.encryption
 }
 

backend/api/api_test.go

@@ -298,7 +298,7 @@ func (m *MockAgentRuntime) Memory() *memory.Client {
 	return nil
 }
 
-func (m *MockAgentRuntime) Encryption() *secret.Client {
+func (m *MockAgentRuntime) Encryption() *secret.Encryption {
 	return nil
 }
 

backend/api/model_provider.go

@@ -22,7 +22,7 @@ import (
 
 var _ v1connect.ModelProviderServiceHandler = (*ModelProviderHandler)(nil)
 
-func NewModelProviderHandler(db *memory.Client, encryption *secret.Client) *ModelProviderHandler {
+func NewModelProviderHandler(db *memory.Client, encryption *secret.Encryption) *ModelProviderHandler {
 	return &ModelProviderHandler{
 		db:         db,
 		encryption: encryption,
@@ -31,7 +31,7 @@ func NewModelProviderHandler(db *memory.Client, encryption *secret.Client) *Mode
 
 type ModelProviderHandler struct {
 	db         *memory.Client
-	encryption *secret.Client
+	encryption *secret.Encryption
 	v1connect.UnimplementedModelProviderServiceHandler
 }
 
@@ -47,7 +47,7 @@ func (h *ModelProviderHandler) CreateModelProvider(ctx context.Context, req *con
 	}
 
 	modelProviderID := uuid.New()
-	encryptedSecret, err := h.encryption.Encrypt(jsonSecret, []byte(secret.ModelProviderSecret(modelProviderID)))
+	encryptedSecret, err := h.encryption.Encrypt(jsonSecret, []byte(secret.ModelProviderAssociated(modelProviderID)))
 	if err != nil {
 		return nil, apiError(fmt.Errorf("failed to encrypt API key"))
 	}
@@ -211,7 +211,7 @@ func (h *ModelProviderHandler) UpdateModelProvider(ctx context.Context, req *con
 				return nil, apiError(fmt.Errorf("failed to marshal API key: %w", err))
 			}
 
-			encryptedSecret, err := h.encryption.Encrypt(jsonSecret, []byte(secret.ModelProviderSecret(id)))
+			encryptedSecret, err := h.encryption.Encrypt(jsonSecret, []byte(secret.ModelProviderAssociated(id)))
 			if err != nil {
 				return nil, apiError(fmt.Errorf("failed to encrypt API key: %w", err))
 			}

backend/secret/client.go backend/secret/encryption.gobackend/secret/client.go renamed to backend/secret/encryption.go

@@ -14,24 +14,24 @@ func GenerateKeyset() (*keyset.Handle, error) {
 	return keyset.NewHandle(aead.AES256GCMKeyTemplate())
 }
 
-type Client struct {
+type Encryption struct {
 	keyset *keyset.Handle
 	aead   tink.AEAD
 }
 
-func NewClient(keysetHandle *keyset.Handle) (*Client, error) {
+func NewClient(keysetHandle *keyset.Handle) (*Encryption, error) {
 	aeadPrimitive, err := aead.New(keysetHandle)
 	if err != nil {
 		return nil, fmt.Errorf("aead.New failed: %v", err)
 	}
 
-	return &Client{
+	return &Encryption{
 		keyset: keysetHandle,
 		aead:   aeadPrimitive,
 	}, nil
 }
 
-func (c *Client) Encrypt(plaintext []byte, associatedData []byte) ([]byte, error) {
+func (c *Encryption) Encrypt(plaintext []byte, associatedData []byte) ([]byte, error) {
 	if plaintext == nil {
 		return nil, fmt.Errorf("plaintext cannot be nil")
 	}
@@ -44,7 +44,7 @@ func (c *Client) Encrypt(plaintext []byte, associatedData []byte) ([]byte, error
 	return ciphertext, nil
 }
 
-func (c *Client) Decrypt(ciphertext []byte, associatedData []byte) ([]byte, error) {
+func (c *Encryption) Decrypt(ciphertext []byte, associatedData []byte) ([]byte, error) {
 	if ciphertext == nil {
 		return nil, fmt.Errorf("ciphertext cannot be nil")
 	}

backend/secret/client_test.go backend/secret/encryption_test.gobackend/secret/client_test.go renamed to backend/secret/encryption_test.go

@@ -85,4 +85,4 @@ func TestKeysetSerialization(t *testing.T) {
 	if !bytes.Equal(decrypted, plaintext) {
 		t.Fatal("Decrypted data doesn't match original plaintext")
 	}
-}
+}

backend/secret/errors.go

@@ -0,0 +1,35 @@
+package secret
+
+import "fmt"
+
+type ErrSecretNotFound struct {
+	Key string
+	Err error
+}
+
+func (e *ErrSecretNotFound) Error() string {
+	return fmt.Sprintf("key %s not found: %s", e.Key, e.Err)
+}
+
+func (e *ErrSecretNotFound) Is(target error) bool {
+	_, ok := target.(*ErrSecretNotFound)
+	return ok
+}
+
+type ErrSecretMarshal struct {
+	Key string
+	Err error
+}
+
+func (e *ErrSecretMarshal) Error() string {
+	return fmt.Sprintf("failed to marshal secret %s: %s", e.Key, e.Err)
+}
+
+type ErrSecretTooLarge struct {
+	Key string
+	Err error
+}
+
+func (e *ErrSecretTooLarge) Error() string {
+	return fmt.Sprintf("secret %s is too large: %s", e.Key, e.Err)
+}

backend/secret/file_provider.go

@@ -0,0 +1,59 @@
+package secret
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/spf13/afero"
+)
+
+type FileProvider struct {
+	basePath string
+	fs       afero.Fs
+}
+
+func NewFileProvider(basePath string, fs afero.Fs) (*FileProvider, error) {
+	if err := fs.MkdirAll(basePath, 0700); err != nil {
+		return nil, fmt.Errorf("failed to create secret directory: %w", err)
+	}
+
+	return &FileProvider{
+		basePath: basePath,
+		fs:       fs,
+	}, nil
+}
+
+func (fp *FileProvider) Get(key string) (string, error) {
+	filePath := filepath.Join(fp.basePath, key)
+
+	data, err := afero.ReadFile(fp.fs, filePath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return "", &ErrSecretNotFound{Key: key, Err: err}
+		}
+		return "", fmt.Errorf("failed to read secret file: %w", err)
+	}
+
+	return string(data), nil
+}
+
+func (fp *FileProvider) Set(key string, value string) error {
+	filePath := filepath.Join(fp.basePath, key)
+
+	if err := afero.WriteFile(fp.fs, filePath, []byte(value), 0600); err != nil {
+		return fmt.Errorf("failed to write secret file: %w", err)
+	}
+
+	return nil
+}
+
+func (fp *FileProvider) Delete(key string) error {
+	filePath := filepath.Join(fp.basePath, key)
+
+	if err := fp.fs.Remove(filePath); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("failed to delete secret file: %w", err)
+	}
+
+	return nil
+}

backend/secret/keyring.go

@@ -0,0 +1,49 @@
+package secret
+
+import (
+	"github.com/zalando/go-keyring"
+)
+
+const keychainService = "construct"
+
+type KeyringProvider struct{}
+
+func NewKeyringProvider() *KeyringProvider {
+	return &KeyringProvider{}
+}
+
+func (k *KeyringProvider) Get(key string) (string, error) {
+	secret, err := keyring.Get(keychainService, key)
+	if err != nil {
+		return "", toError(key, err)
+	}
+	return secret, nil
+}
+
+func (k *KeyringProvider) Set(key string, value string) error {
+	err := keyring.Set(keychainService, key, value)
+	if err != nil {
+		return toError(key, err)
+	}
+	return nil
+}
+
+func (k *KeyringProvider) Delete(key string) error {
+	err := keyring.Delete(keychainService, key)
+	if err != nil {
+		return toError(key, err)
+	}
+	return nil
+}
+
+func toError(key string, err error) error {
+	if err == keyring.ErrNotFound {
+		return &ErrSecretNotFound{Key: key, Err: err}
+	}
+
+	if err == keyring.ErrSetDataTooBig {
+		return &ErrSecretTooLarge{Key: key, Err: err}
+	}
+
+	return err
+}