feat(managed-secrets): add centrally managed secrets with GITOPS_ prefix pushed to multiple targets

Introduce managed secrets owned by GitOps that can be defined once and
pushed to any combination of projects/groups across connections. Values
are stored in the OS keychain; on the targets the secrets appear as GITOPS_{key}.
2026-02-28 23:43:32 +00:00
parent 78247c1d41
commit 75d35405dc
17 changed files with 1302 additions and 4 deletions


@@ -3,6 +3,7 @@ import { logger } from '../logging.ts';
import { ConnectionManager } from './connectionmanager.ts';
import { ActionLog } from './actionlog.ts';
import { SyncManager } from './syncmanager.ts';
import { ManagedSecretsManager } from './managedsecrets.manager.ts';
import { OpsServer } from '../opsserver/index.ts';
import { StorageManager } from '../storage/index.ts';
import { CacheDb, CacheCleaner, CachedProject, CachedSecret, SecretsScanService } from '../cache/index.ts';
@@ -20,6 +21,7 @@ export class GitopsApp {
public cacheDb: CacheDb;
public cacheCleaner: CacheCleaner;
public syncManager!: SyncManager;
public managedSecretsManager!: ManagedSecretsManager;
public secretsScanService!: SecretsScanService;
private scanIntervalId: number | null = null;
private paths: ReturnType<typeof resolvePaths>;
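Review bot: The new `managedSecretsManager!` field is public, reassignable and declared with a definite-assignment assertion, so the compiler will not flag code that reads it before the initialization sequence in the later hunk has constructed it, and every holder of the `GitopsApp` instance can reach the object that works with the keychain-backed secret values. This matches the neighbouring `syncManager!` and `secretsScanService!` fields, so it is a documentation and style point rather than a defect. A comment such as `// Assigned during app initialization, after connectionManager.init(); undefined until then.` would record the ordering requirement. If only the ops server handlers are meant to use it (not visible here), a private field behind a getter that throws while the manager is unset would make early access fail loudly instead of surfacing as an undefined dereference. The class body starts and ends outside this hunk.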
@@ -55,6 +57,14 @@ export class GitopsApp {
// Initialize connection manager (loads saved connections)
await this.connectionManager.init();
// Initialize managed secrets manager
this.managedSecretsManager = new ManagedSecretsManager(
this.storageManager,
this.smartSecret,
this.connectionManager,
);
await this.managedSecretsManager.init();
// Initialize sync manager
this.syncManager = new SyncManager(
this.storageManager,