vault wiring

jaberjaber23 · jaberjaber23 · commit fdd6c1a1f7d0 · 2026-03-15T05:48:09.000+03:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -18,7 +18,7 @@ members = [
 ]
 
 [workspace.package]
-version = "0.4.3"
+version = "0.4.4"
 edition = "2021"
 license = "Apache-2.0 OR MIT"
 repository = "https://github.com/RightNow-AI/openfang"
diff --git a/crates/openfang-api/src/routes.rs b/crates/openfang-api/src/routes.rs
@@ -6953,7 +6953,10 @@ pub async fn set_provider_key(
             })
     };
 
-    // Write to secrets.env file
+    // Store in vault (best-effort — no-op if vault not initialized)
+    state.kernel.store_credential(&env_var, &key);
+
+    // Write to secrets.env file (dual-write for backward compat / vault corruption recovery)
     let secrets_path = state.kernel.config.home_dir.join("secrets.env");
     if let Err(e) = write_secret_env(&secrets_path, &env_var, &key) {
         return (
@@ -7115,6 +7118,9 @@ pub async fn delete_provider_key(
         );
     }
 
+    // Remove from vault (best-effort)
+    state.kernel.remove_credential(&env_var);
+
     // Remove from secrets.env
     let secrets_path = state.kernel.config.home_dir.join("secrets.env");
     if let Err(e) = remove_secret_env(&secrets_path, &env_var) {
@@ -10267,7 +10273,10 @@ pub async fn copilot_oauth_poll(
             Json(serde_json::json!({"status": "pending"})),
         ),
         openfang_runtime::copilot_oauth::DeviceFlowStatus::Complete { access_token } => {
-            // Save to secrets.env
+            // Store in vault (best-effort)
+            state.kernel.store_credential("GITHUB_TOKEN", &access_token);
+
+            // Save to secrets.env (dual-write)
             let secrets_path = state.kernel.config.home_dir.join("secrets.env");
             if let Err(e) = write_secret_env(&secrets_path, "GITHUB_TOKEN", &access_token) {
                 return (
diff --git a/crates/openfang-cli/src/main.rs b/crates/openfang-cli/src/main.rs
@@ -4813,6 +4813,10 @@ fn cmd_config_set_key(provider: &str) {
         return;
     }
 
+    // Try vault first (best-effort)
+    save_credential_prefer_vault(&env_var, &key);
+
+    // Always save to dotenv as fallback
     match dotenv::save_env_key(&env_var, &key) {
         Ok(()) => {
             ui::success(&format!("Saved {env_var} to ~/.openfang/.env"));
@@ -4835,6 +4839,18 @@ fn cmd_config_set_key(provider: &str) {
 fn cmd_config_delete_key(provider: &str) {
     let env_var = provider_to_env_var(provider);
 
+    // Remove from vault (best-effort)
+    {
+        let home = openfang_home();
+        let vault_path = home.join("vault.enc");
+        if vault_path.exists() {
+            let mut vault = openfang_extensions::vault::CredentialVault::new(vault_path);
+            if vault.unlock().is_ok() {
+                let _ = vault.remove(&env_var);
+            }
+        }
+    }
+
     match dotenv::remove_env_key(&env_var) {
         Ok(()) => ui::success(&format!("Removed {env_var} from ~/.openfang/.env")),
         Err(e) => {
@@ -4864,6 +4880,26 @@ fn cmd_config_test_key(provider: &str) {
     }
 }
 
+/// Try to store a credential in the vault first; silently falls through if vault
+/// is not initialized or cannot be unlocked. The caller should always also
+/// write to dotenv as a fallback.
+fn save_credential_prefer_vault(env_var: &str, value: &str) {
+    use zeroize::Zeroizing;
+
+    let home = openfang_home();
+    let vault_path = home.join("vault.enc");
+    if !vault_path.exists() {
+        return;
+    }
+    let mut vault = openfang_extensions::vault::CredentialVault::new(vault_path);
+    if vault.unlock().is_err() {
+        return;
+    }
+    if let Ok(()) = vault.set(env_var.to_string(), Zeroizing::new(value.to_string())) {
+        println!("  {}", "Also stored in encrypted vault".dimmed());
+    }
+}
+
 // ---------------------------------------------------------------------------
 // Quick chat (OpenClaw alias)
 // ---------------------------------------------------------------------------
diff --git a/crates/openfang-extensions/src/credentials.rs b/crates/openfang-extensions/src/credentials.rs
@@ -126,6 +126,17 @@ impl CredentialResolver {
             ))
         }
     }
+
+    /// Remove a credential from the vault (if available).
+    pub fn remove_from_vault(&mut self, key: &str) -> ExtensionResult<bool> {
+        if let Some(ref mut vault) = self.vault {
+            vault.remove(key)
+        } else {
+            Err(crate::ExtensionError::Vault(
+                "No vault configured".to_string(),
+            ))
+        }
+    }
 }
 
 /// Load a dotenv file into a HashMap.
diff --git a/crates/openfang-kernel/Cargo.toml b/crates/openfang-kernel/Cargo.toml
@@ -34,6 +34,7 @@ rand = { workspace = true }
 hex = { workspace = true }
 reqwest = { workspace = true }
 cron = "0.15"
+zeroize = { workspace = true }
 
 [target.'cfg(unix)'.dependencies]
 libc = "0.2"
diff --git a/crates/openfang-kernel/src/kernel.rs b/crates/openfang-kernel/src/kernel.rs

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ members = [`
`18`	`18`	`]`
`19`	`19`
`20`	`20`	`[workspace.package]`
`21`		`-version = "0.4.3"`
	`21`	`+version = "0.4.4"`
`22`	`22`	`edition = "2021"`
`23`	`23`	`license = "Apache-2.0 OR MIT"`
`24`	`24`	`repository = "https://github.com/RightNow-AI/openfang"`
Original file line number	Diff line number	Diff line change
`@@ -126,6 +126,17 @@ impl CredentialResolver {`
`126`	`126`	`))`
`127`	`127`	`}`
`128`	`128`	`}`
	`129`	`+`
	`130`	`+ /// Remove a credential from the vault (if available).`
	`131`	`+ pub fn remove_from_vault(&mut self, key: &str) -> ExtensionResult<bool> {`
	`132`	`+ if let Some(ref mut vault) = self.vault {`
	`133`	`+ vault.remove(key)`
	`134`	`+ } else {`
	`135`	`+ Err(crate::ExtensionError::Vault(`
	`136`	`+ "No vault configured".to_string(),`
	`137`	`+ ))`
	`138`	`+ }`
	`139`	`+ }`
`129`	`140`	`}`
`130`	`141`
`131`	`142`	`/// Load a dotenv file into a HashMap.`