-
- {{ me?.email || "Session loading" }}
-
- {{ me?.role || "user" }}
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+ {{ row.title }}
+
+
+
+
+ {{ row.status }}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ {{ value }}
+
+
+
+
+
+
+
+
+
+
+
+
+ Create token
+
+
+
+
+
+
+ Revoke
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Refresh
+
+
+
+
+
+ {{ diagnostics.health }}
+
+
+
+
+ {{ diagnostics.ready }}
+
+
+
+ Check diagnostics
+
+
+
+ {{ row.email }}
+ {{ row.display_name || row.id }}
+
+
+
+ {{ value }}
+
+
+ {{ value }}
+
+
+
+
+
+
+
+ Create backup
+
+
+
+
+ Download
+ Restore
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
+ Cancel
+
Create
-
-
-
- {{ row.title }}
-
-
-
- {{ row.status }}
-
-
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Refresh
-
-
-
-
-
- Reveal
-
-
-
-
-
- Copy
-
-
-
-
-
-
-
-
-
-
-
- All
-
-
- Selected secret
-
- Refresh
-
-
-
-
-
-
-
-
-
-
-
-
- Refresh
-
-
-
-
- Create token
-
-
-
- Copy token
-
-
-
-
- Revoke
-
-
-
-
-
-
-
-
-
-
-
-
-
- Import selected file
-
- Export decrypted JSON
-
- Delete all data
-
-
-
-
-
-
-
-
-
-
- Refresh
-
-
-
-
-
- {{ diagnostics.health }}
-
-
-
-
- {{ diagnostics.ready }}
-
-
-
- Check diagnostics
-
-
-
- {{ row.email }}
- {{ row.display_name || row.id }}
-
-
-
- {{ value }}
-
-
- {{ value }}
-
-
-
-
-
-
-
{{ error }}
+
+
+ Create
+
-
+
+ Save new version
+
+ Cancel
+
+
+
+ Hide
+
+
+ Reveal
+
+
+
+
+ {{ importError }}
+
+ {{ importPreview.secrets?.length || 0 }} secrets ready
+ {{ importFile?.name }}
+
+
+
+ Import selected file
+
+
+ + Export all secrets as decrypted JSON. Store the file securely — it contains plaintext values. +
+
+ Export decrypted JSON
+
+ + Deleting all data removes every secret and version. Audit records and API tokens are preserved. +
+
+
+ Delete all data
+
+
+
+
+
+
+
+
+
+
+ Add field
+
+
+
+
+
+
+
-
+
+ + Add one row per secret value. Enable encryption for passwords, tokens, PINs, and keys. +
+
+
+
+
+
+
+
+
+
+
+ Available from the web interface after login.
+
+
+ Available to external clients using API tokens.
+
+
+ Available to MCP clients when token scopes allow it.
+ {{ error }}
-
- Back
-
- {{ selected.status }}
-
-
-
-
-
-
-
-
- Save new version
-
- Cancel
-
-
- {{ isRevealedFieldVisible(item.key) ? item.raw.value : maskValue(item.raw.value) }}
-
- {{ item.raw.value }}
- {{ JSON.stringify(item.raw.metadata) }}
-
-
-
- {{ importError }}
-- {{ importPreview.secrets?.length || 0 }} secrets ready to import from - {{ importFile?.name }} -
-
-
-
-
-
-
-
-
- Add field
-
-
-
-
-
- - Add one row per secret value. Enable encryption for passwords, tokens, PINs, and keys. -
-
- Cancel
-
- Create
-
-
-
-
-
- Cancel
-
- Save metadata
-
-
-
+
+ Copy token
+ Close
+
+
+
-
- Cancel
- Delete
-
-
+
+ Save profile
+ Cancel
+
+
-
- Cancel
- Delete
+
+ Cancel
+ Restore
+
+
+
-
-
+
diff --git a/frontend/src/api.js b/frontend/src/api.js
index 9320c5e..d2e7c84 100644
--- a/frontend/src/api.js
+++ b/frontend/src/api.js
@@ -1,28 +1,52 @@
const jsonHeaders = { "Content-Type": "application/json", Accept: "application/json" };
-async function request(path, options = {}) {
- const response = await fetch(path, {
- credentials: "include",
- ...options,
- headers: {
- ...jsonHeaders,
- ...(options.headers || {})
+async function sleep(ms) {
+ return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+async function requestWithRetry(path, options = {}, retries = 3) {
+ let lastError;
+ for (let attempt = 0; attempt < retries; attempt++) {
+ try {
+ const response = await fetch(path, {
+ credentials: "include",
+ ...options,
+ headers: {
+ ...jsonHeaders,
+ ...(options.headers || {})
+ }
+ });
+ if (response.status === 204) {
+ return null;
+ }
+ const payload = await response.json();
+ if (!response.ok) {
+ throw new Error(payload?.error?.message || "Request failed");
+ }
+ return payload;
+ } catch (err) {
+ lastError = err;
+ const isNetworkError = !err.message?.includes("Request failed");
+ if (!isNetworkError || attempt >= retries - 1) {
+ throw err;
+ }
+ await sleep(300 * Math.pow(2, attempt));
}
- });
- if (response.status === 204) {
- return null;
}
- const payload = await response.json();
- if (!response.ok) {
- throw new Error(payload?.error?.message || "Request failed");
- }
- return payload;
+ throw lastError;
+}
+
+function request(path, options = {}) {
+ return requestWithRetry(path, options, 3);
}
export const api = {
health: () => request("/health"),
ready: () => request("/ready"),
me: () => request("/api/v1/me"),
+ updateMe: (payload) =>
+ request("/api/v1/me", { method: "PATCH", body: JSON.stringify(payload) }),
+ logout: () => request("/auth/logout", { method: "POST" }),
listSecrets: (params = {}) => {
const query = new URLSearchParams(params);
return request(`/api/v1/secrets?${query}`);
@@ -37,12 +61,19 @@
versions: (id) => request(`/api/v1/secrets/${id}/versions`),
revealVersion: (id, versionId) =>
request(`/api/v1/secrets/${id}/versions/${versionId}/reveal`, { method: "POST" }),
- audit: () => request("/api/v1/audit-events"),
- secretAudit: (id) => request(`/api/v1/secrets/${id}/audit-events`),
+ audit: (params = {}) => {
+ const query = new URLSearchParams(params);
+ return request(`/api/v1/audit-events?${query}`);
+ },
+ secretAudit: (id, params = {}) => {
+ const query = new URLSearchParams(params);
+ return request(`/api/v1/secrets/${id}/audit-events?${query}`);
+ },
tokens: () => request("/api/v1/api-tokens"),
createToken: (payload) =>
request("/api/v1/api-tokens", { method: "POST", body: JSON.stringify(payload) }),
- revokeToken: (id) => request(`/api/v1/api-tokens/${id}`, { method: "DELETE" }),
+ revokeToken: (id) =>
+ request(`/api/v1/api-tokens/${id}/revoke`, { method: "PATCH" }),
exportData: () => request("/api/v1/export", { method: "POST" }),
importData: (payload) =>
request("/api/v1/import", { method: "POST", body: JSON.stringify(payload) }),
@@ -50,5 +81,11 @@
adminUsers: (params = {}) => {
const query = new URLSearchParams(params);
return request(`/api/v1/admin/users?${query}`);
- }
+ },
+ stats: () => request("/api/v1/stats"),
+ createBackup: () => request("/api/v1/admin/backup", { method: "POST" }),
+ listBackups: () => request("/api/v1/admin/backups"),
+ downloadBackup: (filename) => `/api/v1/admin/backups/${encodeURIComponent(filename)}`,
+ restoreBackup: (filename) =>
+ request("/api/v1/admin/restore", { method: "POST", body: JSON.stringify({ filename }) })
};
diff --git a/frontend/src/components/SecretDetailPanel.vue b/frontend/src/components/SecretDetailPanel.vue
new file mode 100644
index 0000000..ff9ab45
--- /dev/null
+++ b/frontend/src/components/SecretDetailPanel.vue
@@ -0,0 +1,161 @@
+
+
+
+
+
+
+
+
+
diff --git a/frontend/src/styles.css b/frontend/src/styles.css
index 72b79e3..614778c 100644
--- a/frontend/src/styles.css
+++ b/frontend/src/styles.css
@@ -14,32 +14,7 @@
min-height: 100vh;
width: min(1480px, calc(100vw - 48px));
margin: 0 auto;
- padding: 24px 0 40px;
-}
-
-.app-header {
- margin-bottom: 14px;
-}
-
-.session-box {
- display: flex;
- align-items: center;
- gap: 10px;
- min-width: 0;
-}
-
-.session-box span {
- overflow: hidden;
- text-overflow: ellipsis;
- white-space: nowrap;
-}
-
-.app-tabs {
- margin: 14px 0;
-}
-
-.app-tabs .tabs-panels {
- display: none;
+ padding: 16px 0 40px;
}
.list-panel,
@@ -95,19 +70,6 @@
animation: gnexus-creds-modal-dialog-out 0.28s ease-in both;
}
-.header-actions {
- display: flex;
- flex-direction: column;
- align-items: center;
- justify-content: flex-end;
- gap: 8px;
- min-width: 0;
-}
-
-.header-search {
- width: min(360px, 34vw);
-}
-
.secrets-page {
display: grid;
gap: 15px;
@@ -141,6 +103,37 @@
text-align: right;
}
+.audit-table {
+ min-width: 100%;
+}
+
+.audit-table th,
+.audit-table td {
+ white-space: nowrap;
+}
+
+.audit-table td:last-child {
+ white-space: normal;
+ min-width: 200px;
+}
+
+.nav-topbar-brand img {
+ width: 42px;
+ height: 42px;
+}
+
+.import-preview {
+ display: flex;
+ gap: 10px;
+ align-items: center;
+}
+
+.danger-zone {
+ border: 2px solid rgba(247, 118, 142, 0.28);
+ background: rgba(247, 118, 142, 0.04);
+ padding: 15px;
+}
+
.selected-secret-title {
color: #7aa2f7;
}
@@ -154,6 +147,50 @@
flex-wrap: wrap;
}
+.detail-header {
+ display: flex;
+ align-items: center;
+ gap: 12px;
+ padding: 12px;
+ border: 2px solid rgba(192, 202, 245, 0.24);
+ border-left-width: 6px;
+ background: rgba(192, 202, 245, 0.045);
+}
+
+.detail-title {
+ flex: 1;
+ min-width: 0;
+ overflow: hidden;
+ text-overflow: ellipsis;
+ white-space: nowrap;
+ font-size: 16px;
+ font-weight: 700;
+ line-height: 1;
+ text-transform: uppercase;
+}
+
+.detail-actions {
+ display: flex;
+ gap: 10px;
+ align-items: center;
+ flex-wrap: wrap;
+}
+
+.secret-dropdown .dropdown-menu {
+ right: 0;
+ left: auto;
+ transform-origin: top right;
+}
+
+.detail-panel .description-list {
+ max-width: none;
+}
+
+.create-actions {
+ display: flex;
+ justify-content: flex-end;
+}
+
.form-grid {
display: grid;
gap: 12px;
@@ -241,6 +278,17 @@
background: rgba(22, 22, 30, 0.22);
}
+.profile-identity {
+ display: block;
+ text-decoration: none;
+ color: inherit;
+ min-width: 0;
+}
+
+.profile-identity:hover {
+ color: inherit;
+}
+
.identity-cell {
display: grid;
gap: 4px;
@@ -295,6 +343,14 @@
color: #f7768e;
}
+.secret-title-link {
+ cursor: pointer;
+}
+
+.secret-title-link:hover {
+ color: #7aa2f7;
+}
+
.empty-state.large {
min-height: 240px;
align-content: center;
@@ -303,15 +359,6 @@
}
@media (max-width: 1260px) {
- .header-actions {
- align-items: stretch;
- width: 100%;
- }
-
- .header-search {
- width: 100%;
- }
-
.list-panel {
max-height: none;
}
@@ -323,11 +370,6 @@
padding-top: 12px;
}
- .session-box {
- align-items: flex-start;
- flex-direction: column;
- }
-
.settings-metrics {
grid-template-columns: 1fr;
}
@@ -386,3 +428,19 @@
transform: translateY(-18px);
}
}
+
+@keyframes gnexus-creds-toast-in {
+ from {
+ bottom: -100px;
+ opacity: 0;
+ }
+
+ to {
+ bottom: 15px;
+ opacity: 1;
+ }
+}
+
+.toast.a-show {
+ animation: gnexus-creds-toast-in 0.28s ease both;
+}
diff --git a/gnexus_creds/api.py b/gnexus_creds/api.py
index 65c1c7a..a1ce7b7 100644
--- a/gnexus_creds/api.py
+++ b/gnexus_creds/api.py
@@ -4,16 +4,21 @@
from uuid import UUID
from fastapi import APIRouter, Depends, Query
+from fastapi.responses import FileResponse
from sqlalchemy import distinct, func, select
from sqlalchemy.orm import Session, selectinload
from gnexus_creds.auth import actor_from_request, require_admin
+from gnexus_creds.config import get_settings
from gnexus_creds.db import get_db
+from gnexus_creds.errors import AppError
from gnexus_creds.models import ApiToken, AuditEvent, Secret, SecretTag, User
from gnexus_creds.schemas import (
ApiTokenCreate,
ApiTokenCreated,
ApiTokenRead,
+ AuditEventRead,
+ ExportResponse,
ImportPayload,
Page,
Scope,
@@ -24,7 +29,11 @@
SecretStatus,
SecretUpdate,
SecretVersionRead,
+ StatsRead,
+ UserRead,
+ UserUpdate,
)
+from gnexus_creds.backup import create_backup, list_backups, restore_backup
from gnexus_creds.services import (
Actor,
audit,
@@ -32,6 +41,7 @@
create_api_token,
create_secret,
delete_secret,
+ get_secret,
get_version,
list_secrets,
list_versions,
@@ -43,22 +53,6 @@
router = APIRouter(prefix="/api/v1")
-def _audit_read(row: AuditEvent) -> dict:
- return {
- "id": row.id,
- "user_id": row.user_id,
- "actor_user_id": row.actor_user_id,
- "api_token_id": row.api_token_id,
- "secret_id": row.secret_id,
- "channel": row.channel,
- "action": row.action,
- "ip_address": row.ip_address,
- "user_agent": row.user_agent,
- "metadata": row.audit_metadata,
- "created_at": row.created_at,
- }
-
-
def _export_secret(row: Secret, actor: Actor, db: Session) -> dict:
revealed = serialize_secret(row, reveal=True, db=db, user=actor.user)
return SecretCreate(
@@ -86,19 +80,50 @@
).model_dump(mode="json")
-@router.get("/me")
-async def me(actor: Actor = Depends(actor_from_request)) -> dict:
- return {
- "id": actor.user.id,
- "email": actor.user.email,
- "display_name": actor.user.display_name,
- "locale": actor.user.locale,
- "role": actor.user.system_role,
- "status": actor.user.status,
- }
+@router.get("/me", response_model=UserRead, tags=["user"], summary="Get current user")
+async def me(actor: Actor = Depends(actor_from_request)) -> UserRead:
+ settings = get_settings()
+ profile = actor.user.profile or {}
+ return UserRead(
+ id=actor.user.id,
+ email=actor.user.email,
+ display_name=actor.user.display_name,
+ locale=actor.user.locale,
+ role=actor.user.system_role,
+ status=actor.user.status,
+ avatar_url=profile.get("avatar_url"),
+ auth_profile_url=f"{settings.auth_base_url}/account/profile",
+ )
-@router.get("/secrets", response_model=Page)
+@router.patch("/me", response_model=UserRead, tags=["user"], summary="Update current user profile")
+async def update_me(
+ payload: UserUpdate,
+ db: Session = Depends(get_db),
+ actor: Actor = Depends(actor_from_request),
+) -> UserRead:
+ actor.require(Scope.write)
+ if payload.display_name is not None:
+ actor.user.display_name = payload.display_name
+ if payload.locale is not None:
+ actor.user.locale = payload.locale
+ db.commit()
+ db.refresh(actor.user)
+ settings = get_settings()
+ profile = actor.user.profile or {}
+ return UserRead(
+ id=actor.user.id,
+ email=actor.user.email,
+ display_name=actor.user.display_name,
+ locale=actor.user.locale,
+ role=actor.user.system_role,
+ status=actor.user.status,
+ avatar_url=profile.get("avatar_url"),
+ auth_profile_url=f"{settings.auth_base_url}/account/profile",
+ )
+
+
+@router.get("/secrets", response_model=Page[SecretRead], tags=["secrets"], summary="List secrets")
async def secrets_list(
q: str | None = None,
category: str | None = None,
@@ -106,9 +131,11 @@
include_archived: bool = False,
offset: int = Query(0, ge=0),
limit: int = Query(50, ge=1, le=200),
+ sort_by: str = Query("updated_at"),
+ sort_dir: str = Query("desc"),
db: Session = Depends(get_db),
actor: Actor = Depends(actor_from_request),
-) -> Page:
+) -> Page[SecretRead]:
items, total = list_secrets(
db,
actor,
@@ -118,13 +145,15 @@
include_archived=include_archived,
offset=offset,
limit=limit,
+ sort_by=sort_by,
+ sort_dir=sort_dir,
)
return Page(
items=[item.model_dump() for item in items], total=total, offset=offset, limit=limit
)
-@router.post("/secrets", response_model=SecretRead)
+@router.post("/secrets", response_model=SecretRead, tags=["secrets"], summary="Create a secret")
async def secrets_create(
payload: SecretCreate,
db: Session = Depends(get_db),
@@ -135,18 +164,20 @@
return result
-@router.get("/secrets/{secret_id}", response_model=SecretRead)
+@router.get(
+ "/secrets/{secret_id}", response_model=SecretRead, tags=["secrets"], summary="Get a secret"
+)
async def secrets_get(
secret_id: UUID,
db: Session = Depends(get_db),
actor: Actor = Depends(actor_from_request),
) -> SecretRead:
- from gnexus_creds.services import get_secret
-
return get_secret(db, actor, secret_id)
-@router.patch("/secrets/{secret_id}", response_model=SecretRead)
+@router.patch(
+ "/secrets/{secret_id}", response_model=SecretRead, tags=["secrets"], summary="Update a secret"
+)
async def secrets_update(
secret_id: UUID,
payload: SecretUpdate,
@@ -158,7 +189,12 @@
return result
-@router.delete("/secrets/{secret_id}", status_code=204)
+@router.delete(
+ "/secrets/{secret_id}",
+ status_code=204,
+ tags=["secrets"],
+ summary="Delete a secret",
+)
async def secrets_delete(
secret_id: UUID,
db: Session = Depends(get_db),
@@ -168,7 +204,12 @@
db.commit()
-@router.post("/secrets/{secret_id}/reveal", response_model=SecretReveal)
+@router.post(
+ "/secrets/{secret_id}/reveal",
+ response_model=SecretReveal,
+ tags=["secrets"],
+ summary="Reveal secret values",
+)
async def secrets_reveal(
secret_id: UUID,
db: Session = Depends(get_db),
@@ -179,7 +220,12 @@
return result
-@router.get("/secrets/{secret_id}/versions", response_model=list[SecretVersionRead])
+@router.get(
+ "/secrets/{secret_id}/versions",
+ response_model=list[SecretVersionRead],
+ tags=["secrets"],
+ summary="List secret versions",
+)
async def versions_list(
secret_id: UUID,
db: Session = Depends(get_db),
@@ -188,7 +234,12 @@
return list_versions(db, actor, secret_id)
-@router.get("/secrets/{secret_id}/versions/{version_id}", response_model=SecretVersionRead)
+@router.get(
+ "/secrets/{secret_id}/versions/{version_id}",
+ response_model=SecretVersionRead,
+ tags=["secrets"],
+ summary="Get a specific version",
+)
async def versions_get(
secret_id: UUID,
version_id: UUID,
@@ -198,7 +249,12 @@
return get_version(db, actor, secret_id, version_id)
-@router.post("/secrets/{secret_id}/versions/{version_id}/reveal", response_model=SecretReveal)
+@router.post(
+ "/secrets/{secret_id}/versions/{version_id}/reveal",
+ response_model=SecretReveal,
+ tags=["secrets"],
+ summary="Reveal a specific version",
+)
async def versions_reveal(
secret_id: UUID,
version_id: UUID,
@@ -210,7 +266,7 @@
return result
-@router.get("/categories", response_model=list[str])
+@router.get("/categories", response_model=list[str], tags=["taxonomy"], summary="List categories")
async def categories(
db: Session = Depends(get_db), actor: Actor = Depends(actor_from_request)
) -> list[str]:
@@ -224,7 +280,7 @@
)
-@router.get("/tags", response_model=list[str])
+@router.get("/tags", response_model=list[str], tags=["taxonomy"], summary="List tags")
async def tags(
db: Session = Depends(get_db),
actor: Actor = Depends(actor_from_request),
@@ -239,7 +295,12 @@
)
-@router.get("/suggestions")
+@router.get(
+ "/suggestions",
+ response_model=dict[str, list[str]],
+ tags=["taxonomy"],
+ summary="Search suggestions",
+)
async def suggestions(
q: str = Query("", max_length=120),
db: Session = Depends(get_db),
@@ -265,53 +326,68 @@
return {"categories": list(category_rows), "tags": list(tag_rows)}
-@router.get("/audit-events", response_model=Page)
+@router.get(
+ "/audit-events",
+ response_model=Page[AuditEventRead],
+ tags=["audit"],
+ summary="List audit events",
+)
async def audit_events(
offset: int = Query(0, ge=0),
limit: int = Query(50, ge=1, le=200),
db: Session = Depends(get_db),
actor: Actor = Depends(actor_from_request),
-) -> Page:
- actor.require(Scope.admin)
+) -> Page[AuditEventRead]:
+ actor.require(Scope.read)
stmt = select(AuditEvent).where(AuditEvent.user_id == actor.user.id)
total = db.scalar(select(func.count()).select_from(stmt.subquery())) or 0
rows = db.scalars(stmt.order_by(AuditEvent.created_at.desc()).offset(offset).limit(limit))
return Page(
- items=[_audit_read(row) for row in rows],
+ items=[AuditEventRead.model_validate(row, from_attributes=True) for row in rows],
total=total,
offset=offset,
limit=limit,
)
-@router.get("/secrets/{secret_id}/audit-events", response_model=Page)
+@router.get(
+ "/secrets/{secret_id}/audit-events",
+ response_model=Page[AuditEventRead],
+ tags=["audit"],
+ summary="List audit events for a secret",
+)
async def secret_audit_events(
secret_id: UUID,
offset: int = Query(0, ge=0),
limit: int = Query(50, ge=1, le=200),
db: Session = Depends(get_db),
actor: Actor = Depends(actor_from_request),
-) -> Page:
- actor.require(Scope.admin)
+) -> Page[AuditEventRead]:
+ actor.require(Scope.read)
stmt = select(AuditEvent).where(
AuditEvent.user_id == actor.user.id, AuditEvent.secret_id == secret_id
)
total = db.scalar(select(func.count()).select_from(stmt.subquery())) or 0
rows = db.scalars(stmt.order_by(AuditEvent.created_at.desc()).offset(offset).limit(limit))
return Page(
- items=[_audit_read(row) for row in rows],
+ items=[AuditEventRead.model_validate(row, from_attributes=True) for row in rows],
total=total,
offset=offset,
limit=limit,
)
-@router.get("/api-tokens", response_model=list[ApiTokenRead])
+@router.get(
+ "/api-tokens",
+ response_model=list[ApiTokenRead],
+ tags=["tokens"],
+ summary="List API tokens",
+)
async def api_tokens_list(
db: Session = Depends(get_db),
actor: Actor = Depends(actor_from_request),
):
- actor.require(Scope.admin)
+ actor.require(Scope.read)
rows = db.scalars(
select(ApiToken)
.where(ApiToken.user_id == actor.user.id)
@@ -320,7 +396,12 @@
return [ApiTokenRead.model_validate(row, from_attributes=True) for row in rows]
-@router.post("/api-tokens", response_model=ApiTokenCreated)
+@router.post(
+ "/api-tokens",
+ response_model=ApiTokenCreated,
+ tags=["tokens"],
+ summary="Create an API token",
+)
async def api_tokens_create(
payload: ApiTokenCreate,
db: Session = Depends(get_db),
@@ -340,13 +421,18 @@
)
-@router.delete("/api-tokens/{token_id}", status_code=204)
-async def api_tokens_delete(
+@router.patch(
+ "/api-tokens/{token_id}/revoke",
+ status_code=204,
+ tags=["tokens"],
+ summary="Revoke an API token",
+)
+async def api_tokens_revoke(
token_id: UUID,
db: Session = Depends(get_db),
actor: Actor = Depends(actor_from_request),
) -> None:
- actor.require(Scope.admin)
+ actor.require(Scope.write)
row = db.get(ApiToken, token_id)
if row and row.user_id == actor.user.id:
row.revoked_at = datetime.now(UTC)
@@ -354,11 +440,13 @@
db.commit()
-@router.post("/export")
+@router.post(
+ "/export", response_model=ExportResponse, tags=["data"], summary="Export all secrets"
+)
async def export_data(
db: Session = Depends(get_db),
actor: Actor = Depends(actor_from_request),
-) -> dict:
+) -> ExportResponse:
actor.require(Scope.reveal)
check_actor_rate_limit(db, actor, "export")
rows = db.scalars(
@@ -370,15 +458,15 @@
exported = [_export_secret(row, actor, db) for row in rows]
audit(db, actor, action="export.created")
db.commit()
- return {
- "format": "gnexus-creds-export",
- "version": 1,
- "exported_at": datetime.now(UTC),
- "secrets": exported,
- }
+ return ExportResponse(
+ format="gnexus-creds-export",
+ version=1,
+ exported_at=datetime.now(UTC),
+ secrets=exported,
+ )
-@router.post("/import")
+@router.post("/import", tags=["data"], summary="Import secrets")
async def import_data(
payload: ImportPayload,
db: Session = Depends(get_db),
@@ -387,8 +475,6 @@
actor.require(Scope.write)
check_actor_rate_limit(db, actor, "import")
if payload.format != "gnexus-creds-export" or payload.version != 1:
- from gnexus_creds.errors import AppError
-
raise AppError("unsupported_import_format", "Unsupported import format.", status_code=400)
created = 0
for item in payload.secrets:
@@ -398,11 +484,16 @@
return {"created": created}
-@router.delete("/account-data", status_code=204)
+@router.delete(
+ "/account-data",
+ status_code=204,
+ tags=["account"],
+ summary="Delete all account secrets",
+)
async def delete_account_data(
db: Session = Depends(get_db), actor: Actor = Depends(actor_from_request)
) -> None:
- actor.require(Scope.admin)
+ actor.require(Scope.write)
db.query(Secret).filter(Secret.user_id == actor.user.id).delete(synchronize_session=False)
audit(db, actor, action="account_data.deleted")
db.commit()
@@ -411,29 +502,75 @@
admin_router = APIRouter(prefix="/api/v1/admin", dependencies=[Depends(require_admin)])
-@admin_router.get("/users", response_model=Page)
+@admin_router.get("/users", response_model=Page[UserRead], tags=["admin"], summary="List all users")
async def admin_users(
offset: int = Query(0, ge=0),
limit: int = Query(50, ge=1, le=200),
db: Session = Depends(get_db),
-) -> Page:
+) -> Page[UserRead]:
stmt = select(User)
total = db.scalar(select(func.count()).select_from(stmt.subquery())) or 0
rows = db.scalars(stmt.order_by(User.created_at.desc()).offset(offset).limit(limit))
return Page(
items=[
- {
- "id": row.id,
- "email": row.email,
- "display_name": row.display_name,
- "status": row.status,
- "role": row.system_role,
- "created_at": row.created_at,
- "last_seen_at": row.last_seen_at,
- }
+ UserRead(
+ id=row.id,
+ email=row.email,
+ display_name=row.display_name,
+ locale=row.locale,
+ status=row.status,
+ role=row.system_role,
+ )
for row in rows
],
total=total,
offset=offset,
limit=limit,
)
+
+
+@admin_router.post("/backup", tags=["admin"], summary="Create database backup")
+async def admin_backup() -> dict:
+ return create_backup()
+
+
+@admin_router.get("/backups", tags=["admin"], summary="List database backups")
+async def admin_backups() -> list[dict]:
+ return list_backups()
+
+
+@admin_router.post("/restore", tags=["admin"], summary="Restore database from backup")
+async def admin_restore(payload: dict) -> dict:
+ result = restore_backup(payload["filename"])
+ return {"restored": True, **result}
+
+
+@admin_router.get("/backups/{filename}", tags=["admin"], summary="Download a backup file")
+async def admin_download_backup(filename: str) -> FileResponse:
+ backups = list_backups()
+ match = next((b for b in backups if b["filename"] == filename), None)
+ if not match:
+ raise AppError("backup_not_found", "Backup file not found.", status_code=404)
+ return FileResponse(match["path"], filename=filename)
+
+
+@router.get("/stats", response_model=StatsRead, tags=["stats"], summary="Get user statistics")
+async def stats(
+ db: Session = Depends(get_db),
+ actor: Actor = Depends(actor_from_request),
+) -> StatsRead:
+ actor.require(Scope.read)
+ total = db.scalar(
+ select(func.count()).where(Secret.user_id == actor.user.id)
+ ) or 0
+ active = db.scalar(
+ select(func.count()).where(Secret.user_id == actor.user.id, Secret.archived.is_(False))
+ ) or 0
+ mcp = db.scalar(
+ select(func.count()).where(Secret.user_id == actor.user.id, Secret.allow_mcp.is_(True))
+ ) or 0
+ return StatsRead(
+ total_secrets=total,
+ active_secrets=active,
+ mcp_enabled_secrets=mcp,
+ )
diff --git a/gnexus_creds/backup.py b/gnexus_creds/backup.py
new file mode 100644
index 0000000..8caac16
--- /dev/null
+++ b/gnexus_creds/backup.py
@@ -0,0 +1,109 @@
+"""Database backup and restore helpers."""
+
+import os
+import shutil
+import subprocess
+from datetime import UTC, datetime
+from pathlib import Path
+
+from gnexus_creds.config import Settings, get_settings
+
+
+def _backup_dir(settings: Settings | None = None) -> Path:
+ settings = settings or get_settings()
+ path = Path(settings.backup_dir)
+ path.mkdir(parents=True, exist_ok=True)
+ return path
+
+
+def _normalize_pg_url(url: str) -> str:
+ """Strip SQLAlchemy driver suffix so pg_dump/psql accept the URL."""
+ return url.replace("postgresql+psycopg://", "postgresql://")
+
+
+def create_backup(settings: Settings | None = None) -> dict:
+ """Create a database backup and return metadata."""
+ settings = settings or get_settings()
+ url = settings.database_url
+ timestamp = datetime.now(UTC).strftime("%Y%m%d_%H%M%S")
+ backup_dir = _backup_dir(settings)
+
+ if url.startswith("sqlite"):
+ db_path = url.replace("sqlite:///", "").replace("sqlite://", "")
+ filename = f"backup_{timestamp}.db"
+ dest = backup_dir / filename
+ shutil.copy2(db_path, dest)
+ return {
+ "filename": filename,
+ "path": str(dest),
+ "size": dest.stat().st_size,
+ "created_at": datetime.now(UTC).isoformat(),
+ "engine": "sqlite",
+ }
+
+ if url.startswith("postgresql"):
+ filename = f"backup_{timestamp}.sql"
+ dest = backup_dir / filename
+ normalized = _normalize_pg_url(url)
+ result = subprocess.run(
+ ["pg_dump", "--if-exists", "--clean", "--no-owner", normalized],
+ capture_output=True,
+ text=True,
+ )
+ if result.returncode != 0:
+ raise RuntimeError(f"pg_dump failed: {result.stderr}")
+ dest.write_text(result.stdout, encoding="utf-8")
+ return {
+ "filename": filename,
+ "path": str(dest),
+ "size": dest.stat().st_size,
+ "created_at": datetime.now(UTC).isoformat(),
+ "engine": "postgresql",
+ }
+
+ raise RuntimeError(f"Unsupported database URL: {url}")
+
+
+def list_backups(settings: Settings | None = None) -> list[dict]:
+ """List available backup files."""
+ backup_dir = _backup_dir(settings)
+ backups = []
+ for path in sorted(backup_dir.iterdir(), key=lambda p: p.stat().st_mtime, reverse=True):
+ if path.is_file() and path.name.startswith("backup_"):
+ backups.append(
+ {
+ "filename": path.name,
+ "path": str(path),
+ "size": path.stat().st_size,
+ "created_at": datetime.fromtimestamp(path.stat().st_mtime, UTC).isoformat(),
+ }
+ )
+ return backups
+
+
+def restore_backup(file_path: str | Path, settings: Settings | None = None) -> dict:
+ """Restore database from a backup file."""
+ settings = settings or get_settings()
+ url = settings.database_url
+ path = Path(file_path)
+
+ if not path.exists():
+ raise FileNotFoundError(f"Backup file not found: {path}")
+
+ if url.startswith("sqlite"):
+ db_path = url.replace("sqlite:///", "").replace("sqlite://", "")
+ shutil.copy2(str(path), db_path)
+ return {"engine": "sqlite", "restored": db_path}
+
+ if url.startswith("postgresql"):
+ normalized = _normalize_pg_url(url)
+ result = subprocess.run(
+ ["psql", normalized, "-f", str(path)],
+ capture_output=True,
+ text=True,
+ )
+ if result.returncode != 0:
+ raise RuntimeError(f"psql failed: {result.stderr}")
+ return {"engine": "postgresql", "restored": normalized}
+
+ raise RuntimeError(f"Unsupported database URL: {url}")
diff --git a/gnexus_creds/config.py b/gnexus_creds/config.py
index 5a58c57..74f2d41 100644
--- a/gnexus_creds/config.py
+++ b/gnexus_creds/config.py
@@ -32,6 +32,8 @@
)
auth_webhook_secret: str = Field(default="change-me", alias="GNEXUS_AUTH_WEBHOOK_SECRET")
mcp_resource_url: str = "http://localhost:8000/mcp-protocol/"
+ cors_origins: list[str] = Field(default=["*"], alias="GNEXUS_CREDS_CORS_ORIGINS")
+ backup_dir: str = Field(default="./backups", alias="GNEXUS_CREDS_BACKUP_DIR")
rate_limit_window_seconds: int = 60
rate_limit_max_sensitive_requests: int = 120
diff --git a/gnexus_creds/main.py b/gnexus_creds/main.py
index 0767ce6..8c9b8da 100644
--- a/gnexus_creds/main.py
+++ b/gnexus_creds/main.py
@@ -1,10 +1,12 @@
"""FastAPI application entrypoint."""
+import logging
from contextlib import asynccontextmanager
from pathlib import Path
from fastapi import FastAPI
from fastapi.exceptions import RequestValidationError
+from fastapi.middleware.cors import CORSMiddleware
from fastapi.responses import FileResponse
from fastapi.staticfiles import StaticFiles
from sqlalchemy import text
@@ -33,11 +35,21 @@
@asynccontextmanager
async def lifespan(_: FastAPI):
+ configure_logging()
async with mcp_protocol_server.session_manager.run():
yield
+ logger = logging.getLogger("gnexus_creds")
+ logger.info("Shutting down gracefully")
app = FastAPI(title=settings.app_name, version="0.1.0", lifespan=lifespan)
app.state.mcp_protocol_server = mcp_protocol_server
+ app.add_middleware(
+ CORSMiddleware,
+ allow_origins=settings.cors_origins,
+ allow_credentials=True,
+ allow_methods=["*"],
+ allow_headers=["*"],
+ )
app.add_exception_handler(AppError, app_error_handler)
app.add_exception_handler(RequestValidationError, validation_error_handler)
app.include_router(auth_router)
diff --git a/gnexus_creds/mcp.py b/gnexus_creds/mcp.py
index 3cdd1f1..45305ee 100644
--- a/gnexus_creds/mcp.py
+++ b/gnexus_creds/mcp.py
@@ -45,6 +45,26 @@
return actor
+def _require_arg(args: dict, key: str):
+ if key not in args:
+ raise AppError("bad_request", f"Missing required argument: {key}.", status_code=400)
+ return args[key]
+
+
+def _parse_uuid(value) -> UUID:
+ try:
+ return UUID(value)
+ except (ValueError, TypeError) as exc:
+ raise AppError("bad_request", "Invalid UUID format.", status_code=400) from exc
+
+
+def _parse_status(value):
+ try:
+ return SecretStatus(value)
+ except ValueError as exc:
+ raise AppError("bad_request", "Invalid status value.", status_code=400) from exc
+
+
@router.get("/sse")
async def mcp_sse(actor: Actor = Depends(actor_from_request)) -> StreamingResponse:
_mcp_actor(actor)
@@ -72,12 +92,13 @@
actor = _mcp_actor(actor)
args = call.arguments
if tool_name == "search_secrets":
+ status_raw = args.get("status")
items, total = list_secrets(
db,
actor,
q=args.get("q"),
category=args.get("category"),
- status=SecretStatus(args["status"]) if args.get("status") else None,
+ status=_parse_status(status_raw) if status_raw and str(status_raw).strip() else None,
include_archived=False,
offset=int(args.get("offset", 0)),
limit=int(args.get("limit", 20)),
@@ -85,10 +106,10 @@
)
return {"items": [item.model_dump(mode="json") for item in items], "total": total}
if tool_name == "get_secret":
- result = get_secret(db, actor, UUID(args["secret_id"]), mcp=True)
+ result = get_secret(db, actor, _parse_uuid(_require_arg(args, "secret_id")), mcp=True)
return result.model_dump(mode="json")
if tool_name == "reveal_secret":
- result = reveal_secret(db, actor, UUID(args["secret_id"]), mcp=True)
+ result = reveal_secret(db, actor, _parse_uuid(_require_arg(args, "secret_id")), mcp=True)
db.commit()
return result.model_dump(mode="json")
if tool_name == "create_secret":
@@ -96,24 +117,25 @@
db.commit()
return result.model_dump(mode="json")
if tool_name == "update_secret":
- secret_id = UUID(args.pop("secret_id"))
+ secret_id = _parse_uuid(args.pop("secret_id", None) or _require_arg(args, "secret_id"))
get_secret(db, actor, secret_id, mcp=True)
result = update_secret(db, actor, secret_id, SecretUpdate(**args))
db.commit()
return result.model_dump(mode="json")
if tool_name == "set_secret_status":
- secret_id = UUID(args["secret_id"])
+ secret_id = _parse_uuid(_require_arg(args, "secret_id"))
+ status = _parse_status(_require_arg(args, "status"))
get_secret(db, actor, secret_id, mcp=True)
result = update_secret(
db,
actor,
secret_id,
- SecretUpdate(status=SecretStatus(args["status"])),
+ SecretUpdate(status=status),
)
db.commit()
return result.model_dump(mode="json")
if tool_name == "archive_secret":
- secret_id = UUID(args["secret_id"])
+ secret_id = _parse_uuid(_require_arg(args, "secret_id"))
get_secret(db, actor, secret_id, mcp=True)
result = update_secret(db, actor, secret_id, SecretUpdate(archived=True))
db.commit()
diff --git a/gnexus_creds/mcp_descriptions.py b/gnexus_creds/mcp_descriptions.py
index db10cec..83d7429 100644
--- a/gnexus_creds/mcp_descriptions.py
+++ b/gnexus_creds/mcp_descriptions.py
@@ -1,7 +1,8 @@
"""Human-facing MCP instructions and tool descriptions."""
MCP_SERVER_INSTRUCTIONS = """
-gnexus-creds is a personal secret storage service.
+gnexus-creds is a personal secret storage service. You can access only secrets
+that belong to the authenticated user.
Use search_secrets first to find candidate secrets. Use get_secret for metadata
and non-revealed fields. Use reveal_secret only when the user explicitly needs
@@ -27,6 +28,16 @@
Return concise results. Do not print revealed secret values unless the user
explicitly asks to see them; when possible, use them only for the requested
operation.
+
+search_secrets supports pagination with offset and limit. The maximum limit is
+50. If many secrets match, iterate with offset increments.
+
+The fields argument for create_secret and update_secret is a list of objects:
+- name (string, required)
+- value (string, required)
+- encrypted (boolean, optional, default false)
+- masked (boolean, optional, default false)
+- position (integer, optional, default 0)
""".strip()
diff --git a/gnexus_creds/mcp_protocol.py b/gnexus_creds/mcp_protocol.py
index ad7c9a6..d489a3c 100644
--- a/gnexus_creds/mcp_protocol.py
+++ b/gnexus_creds/mcp_protocol.py
@@ -6,9 +6,8 @@
from mcp.server.auth.middleware.auth_context import get_access_token
from mcp.server.auth.provider import AccessToken
from mcp.server.auth.settings import AuthSettings
-from mcp.server.fastmcp import FastMCP
+from mcp.server.fastmcp import Context, FastMCP
from sqlalchemy.orm import Session
-from starlette.applications import Starlette
from gnexus_creds.auth import require_enabled_user
from gnexus_creds.config import get_settings
@@ -42,19 +41,35 @@
)
-def _actor_from_mcp_context(db: Session) -> Actor:
+def _actor_from_mcp_context(
+ db: Session,
+ *,
+ ip_address: str | None = None,
+ user_agent: str | None = None,
+) -> Actor:
access_token = get_access_token()
if access_token is None:
raise ValueError("MCP authentication context is missing.")
actor = authenticate_api_token(db, access_token.token)
if actor is None or actor.api_token is None or Scope.mcp.value not in actor.api_token.scopes:
raise ValueError("MCP token is invalid or missing required scope.")
- db.commit()
require_enabled_user(actor.user)
actor.channel = "mcp"
+ actor.ip_address = ip_address
+ actor.user_agent = user_agent
+ db.commit()
return actor
+def _request_from_ctx(ctx: Context | None) -> Any:
+ if ctx is None:
+ return None
+ try:
+ return ctx.request_context.request
+ except ValueError:
+ return None
+
+
def create_mcp_protocol_server() -> FastMCP:
settings = get_settings()
server = FastMCP(
@@ -78,6 +93,7 @@
status: str | None = None,
offset: int = 0,
limit: int = 20,
+ ctx: Context = None, # type: ignore[assignment]
) -> dict[str, Any]:
"""Search MCP-available, non-archived secrets.
@@ -85,14 +101,17 @@
encrypted values. Use this before get_secret or reveal_secret to find
candidate secrets.
"""
+ request = _request_from_ctx(ctx)
+ ip = request.client.host if request and request.client else None
+ ua = request.headers.get("user-agent") if request else None
with SessionLocal() as db:
- actor = _actor_from_mcp_context(db)
+ actor = _actor_from_mcp_context(db, ip_address=ip, user_agent=ua)
items, total = list_secrets(
db,
actor,
q=q,
category=category,
- status=SecretStatus(status) if status else None,
+ status=SecretStatus(status.strip()) if status and status.strip() else None,
include_archived=False,
offset=offset,
limit=limit,
@@ -101,26 +120,32 @@
return {"items": [item.model_dump(mode="json") for item in items], "total": total}
@server.tool(name="get_secret")
- async def get_secret_tool(secret_id: str) -> dict[str, Any]:
+ async def get_secret_tool(secret_id: str, ctx: Context = None) -> dict[str, Any]: # type: ignore[assignment]
"""Get metadata and public or masked fields for one MCP-available secret.
This does not decrypt encrypted values. Use reveal_secret only when the
user explicitly needs the actual secret value.
"""
+ request = _request_from_ctx(ctx)
+ ip = request.client.host if request and request.client else None
+ ua = request.headers.get("user-agent") if request else None
with SessionLocal() as db:
- actor = _actor_from_mcp_context(db)
+ actor = _actor_from_mcp_context(db, ip_address=ip, user_agent=ua)
result = get_secret(db, actor, UUID(secret_id), mcp=True)
return result.model_dump(mode="json")
@server.tool(name="reveal_secret")
- async def reveal_secret_tool(secret_id: str) -> dict[str, Any]:
+ async def reveal_secret_tool(secret_id: str, ctx: Context = None) -> dict[str, Any]: # type: ignore[assignment]
"""Return decrypted field values for one MCP-available secret.
Use only when the user explicitly needs secret values. This creates an
audit event with channel=mcp.
"""
+ request = _request_from_ctx(ctx)
+ ip = request.client.host if request and request.client else None
+ ua = request.headers.get("user-agent") if request else None
with SessionLocal() as db:
- actor = _actor_from_mcp_context(db)
+ actor = _actor_from_mcp_context(db, ip_address=ip, user_agent=ua)
result = reveal_secret(db, actor, UUID(secret_id), mcp=True)
db.commit()
return result.model_dump(mode="json")
@@ -137,6 +162,7 @@
allow_rest_api: bool = True,
allow_mcp: bool = False,
fields: list[dict[str, Any]] | None = None,
+ ctx: Context = None, # type: ignore[assignment]
) -> dict[str, Any]:
"""Create a secret through MCP.
@@ -146,8 +172,11 @@
Non-sensitive identifiers such as usernames can remain unencrypted for
search.
"""
+ request = _request_from_ctx(ctx)
+ ip = request.client.host if request and request.client else None
+ ua = request.headers.get("user-agent") if request else None
with SessionLocal() as db:
- actor = _actor_from_mcp_context(db)
+ actor = _actor_from_mcp_context(db, ip_address=ip, user_agent=ua)
result = create_secret(
db,
actor,
@@ -168,53 +197,94 @@
return result.model_dump(mode="json")
@server.tool(name="update_secret")
- async def update_secret_tool(secret_id: str, payload: dict[str, Any]) -> dict[str, Any]:
+ async def update_secret_tool(
+ secret_id: str,
+ title: str | None = None,
+ purpose: str | None = None,
+ category: str | None = None,
+ source: str | None = None,
+ notes: str | None = None,
+ tags: list[str] | None = None,
+ status: str | None = None,
+ archived: bool | None = None,
+ allow_ui: bool | None = None,
+ allow_rest_api: bool | None = None,
+ allow_mcp: bool | None = None,
+ fields: list[dict[str, Any]] | None = None,
+ ctx: Context = None, # type: ignore[assignment]
+ ) -> dict[str, Any]:
"""Update metadata or fields for one MCP-available secret.
Updating fields creates a new current version while old versions remain
historical. Use only with explicit user intent.
"""
+ request = _request_from_ctx(ctx)
+ ip = request.client.host if request and request.client else None
+ ua = request.headers.get("user-agent") if request else None
+ payload: dict[str, Any] = {}
+ for key, value in [
+ ("title", title),
+ ("purpose", purpose),
+ ("category", category),
+ ("source", source),
+ ("notes", notes),
+ ("tags", tags),
+ ("status", SecretStatus(status) if status and status.strip() else None),
+ ("archived", archived),
+ ("allow_ui", allow_ui),
+ ("allow_rest_api", allow_rest_api),
+ ("allow_mcp", allow_mcp),
+ ("fields", fields),
+ ]:
+ if value is not None:
+ payload[key] = value
with SessionLocal() as db:
- actor = _actor_from_mcp_context(db)
+ actor = _actor_from_mcp_context(db, ip_address=ip, user_agent=ua)
get_secret(db, actor, UUID(secret_id), mcp=True)
result = update_secret(db, actor, UUID(secret_id), SecretUpdate(**payload))
db.commit()
return result.model_dump(mode="json")
@server.tool()
- async def set_secret_status(secret_id: str, status: str) -> dict[str, Any]:
+ async def set_secret_status(
+ secret_id: str,
+ status: str,
+ ctx: Context = None, # type: ignore[assignment]
+ ) -> dict[str, Any]:
"""Set a secret status to actual, outdated, or archived through MCP.
Use only when the user explicitly asks for a status change.
"""
+ request = _request_from_ctx(ctx)
+ ip = request.client.host if request and request.client else None
+ ua = request.headers.get("user-agent") if request else None
with SessionLocal() as db:
- actor = _actor_from_mcp_context(db)
+ actor = _actor_from_mcp_context(db, ip_address=ip, user_agent=ua)
get_secret(db, actor, UUID(secret_id), mcp=True)
result = update_secret(
db,
actor,
UUID(secret_id),
- SecretUpdate(status=SecretStatus(status)),
+ SecretUpdate(status=SecretStatus(status.strip()) if status.strip() else None),
)
db.commit()
return result.model_dump(mode="json")
@server.tool()
- async def archive_secret(secret_id: str) -> dict[str, Any]:
+ async def archive_secret(secret_id: str, ctx: Context = None) -> dict[str, Any]: # type: ignore[assignment]
"""Archive one MCP-available secret.
Archived secrets are unavailable through normal MCP access. Use only
when the user explicitly asks to archive it.
"""
+ request = _request_from_ctx(ctx)
+ ip = request.client.host if request and request.client else None
+ ua = request.headers.get("user-agent") if request else None
with SessionLocal() as db:
- actor = _actor_from_mcp_context(db)
+ actor = _actor_from_mcp_context(db, ip_address=ip, user_agent=ua)
get_secret(db, actor, UUID(secret_id), mcp=True)
result = update_secret(db, actor, UUID(secret_id), SecretUpdate(archived=True))
db.commit()
return result.model_dump(mode="json")
return server
-
-
-def create_mcp_protocol_app() -> Starlette:
- return create_mcp_protocol_server().streamable_http_app()
diff --git a/gnexus_creds/oauth.py b/gnexus_creds/oauth.py
index a854605..37b73c7 100644
--- a/gnexus_creds/oauth.py
+++ b/gnexus_creds/oauth.py
@@ -2,7 +2,7 @@
from datetime import UTC, datetime, timedelta
-from fastapi import APIRouter, Depends, Request
+from fastapi import APIRouter, Depends, Request, Response
from fastapi.responses import RedirectResponse
from gnexus_gauth.config import GAuthConfig
from gnexus_gauth.oauth import AuthorizationUrlBuilder, HttpTokenEndpoint, PkceGenerator
@@ -14,7 +14,13 @@
from gnexus_creds.db import get_db
from gnexus_creds.errors import AppError
from gnexus_creds.models import OAuthState, User, utcnow
-from gnexus_creds.services import create_session, delete_session, is_expired, upsert_user_from_auth
+from gnexus_creds.services import (
+ check_rate_limit,
+ create_session,
+ delete_session,
+ is_expired,
+ upsert_user_from_auth,
+)
router = APIRouter(prefix="/auth", tags=["auth"])
webhook_router = APIRouter(prefix="/webhooks", tags=["webhooks"])
@@ -30,8 +36,24 @@
)
+def _validate_return_to(value: str) -> str:
+ if not value.startswith("/") or value.startswith("//") or "\\" in value:
+ return "/"
+ return value
+
+
+def _client_ip(request: Request) -> str:
+ return request.client.host if request.client else "anonymous"
+
+
@router.get("/login")
-async def login(return_to: str = "/", db: Session = Depends(get_db)) -> RedirectResponse:
+async def login(
+ request: Request, return_to: str = "/", db: Session = Depends(get_db)
+) -> RedirectResponse:
+ check_rate_limit(
+ db, key=f"oauth_login:{_client_ip(request)}", max_requests=20, window_seconds=60
+ )
+ return_to = _validate_return_to(return_to)
config = _config()
state = PkceGenerator.generate_state()
verifier = PkceGenerator.generate_verifier()
@@ -56,7 +78,12 @@
@router.get("/callback")
-async def callback(code: str, state: str, db: Session = Depends(get_db)) -> RedirectResponse:
+async def callback(
+ request: Request, code: str, state: str, db: Session = Depends(get_db)
+) -> RedirectResponse:
+ check_rate_limit(
+ db, key=f"oauth_callback:{_client_ip(request)}", max_requests=20, window_seconds=60
+ )
settings = get_settings()
saved = db.get(OAuthState, state)
if saved is None or is_expired(saved.expires_at, now=datetime.now(UTC)):
@@ -78,7 +105,7 @@
if user.status == "disabled":
raise AppError("user_disabled", "User is disabled.", status_code=403)
session = create_session(db, user, settings.session_ttl_seconds)
- return_to = saved.return_to or "/"
+ return_to = _validate_return_to(saved.return_to or "/")
db.delete(saved)
db.commit()
response = RedirectResponse(return_to)
@@ -94,11 +121,18 @@
@router.post("/logout")
-async def logout(request: Request, db: Session = Depends(get_db)) -> dict[str, str]:
+async def logout(request: Request, db: Session = Depends(get_db)) -> Response:
settings = get_settings()
delete_session(db, request.cookies.get(settings.session_cookie_name))
db.commit()
- return {"status": "ok"}
+ response = Response(content='{"status":"ok"}', media_type="application/json")
+ response.delete_cookie(
+ settings.session_cookie_name,
+ httponly=True,
+ samesite="lax",
+ secure=settings.is_production,
+ )
+ return response
@webhook_router.post("/gnexus-auth")
diff --git a/gnexus_creds/schemas.py b/gnexus_creds/schemas.py
index ef06c13..d6ba71d 100644
--- a/gnexus_creds/schemas.py
+++ b/gnexus_creds/schemas.py
@@ -2,9 +2,12 @@
from datetime import datetime
from enum import StrEnum
+from typing import Generic, TypeVar
from uuid import UUID
-from pydantic import BaseModel, Field, field_validator
+from pydantic import BaseModel, ConfigDict, Field, field_validator
+
+T = TypeVar("T")
class SecretStatus(StrEnum):
@@ -112,8 +115,8 @@
fields: list[SecretFieldOut]
-class Page(BaseModel):
- items: list
+class Page(BaseModel, Generic[T]):
+ items: list[T]
total: int
offset: int
limit: int
@@ -139,6 +142,8 @@
class AuditEventRead(BaseModel):
+ model_config = ConfigDict(from_attributes=True)
+
id: UUID
user_id: UUID | None
actor_user_id: UUID | None
@@ -148,12 +153,41 @@
action: str
ip_address: str | None
user_agent: str | None
- metadata: dict
+ audit_metadata: dict = Field(serialization_alias="metadata")
created_at: datetime
+class UserRead(BaseModel):
+ id: UUID
+ email: str
+ display_name: str | None
+ locale: str | None
+ role: str
+ status: str
+ avatar_url: str | None = None
+ auth_profile_url: str | None = None
+
+
+class UserUpdate(BaseModel):
+ display_name: str | None = Field(default=None, max_length=120)
+ locale: str | None = Field(default=None, max_length=10)
+
+
+class ExportResponse(BaseModel):
+ format: str
+ version: int
+ exported_at: datetime
+ secrets: list[dict]
+
+
class ImportPayload(BaseModel):
format: str
version: int
exported_at: datetime
secrets: list[SecretCreate]
+
+
+class StatsRead(BaseModel):
+ total_secrets: int
+ active_secrets: int
+ mcp_enabled_secrets: int
diff --git a/gnexus_creds/services.py b/gnexus_creds/services.py
index 3190cf1..e907d71 100644
--- a/gnexus_creds/services.py
+++ b/gnexus_creds/services.py
@@ -214,7 +214,7 @@
def _store_fields(db: Session, user: User, fields: list[SecretFieldIn]) -> list[dict]:
key_id, key = get_user_key(db, user)
stored = []
- for index, field in enumerate(sorted(fields, key=lambda item: item.position)):
+ for index, field in enumerate(sorted(fields, key=lambda item: (item.position, item.name))):
payload: dict[str, Any] = {
"name": field.name,
"encrypted": field.encrypted,
@@ -358,8 +358,11 @@
offset: int = 0,
limit: int = 50,
mcp: bool = False,
+ sort_by: str = "updated_at",
+ sort_dir: str = "desc",
) -> tuple[list[SecretRead], int]:
actor.require(Scope.read)
+ limit = min(max(limit, 1), 50)
stmt = select(Secret).where(Secret.user_id == actor.user.id)
if not include_archived:
stmt = stmt.where(Secret.archived.is_(False))
@@ -382,11 +385,12 @@
Secret.versions.any(SecretVersion.search_text.ilike(like)),
)
)
+ sort_column = getattr(Secret, sort_by, Secret.updated_at)
+ stmt = stmt.order_by(sort_column.desc() if sort_dir == "desc" else sort_column.asc())
count_stmt = select(func.count()).select_from(stmt.subquery())
total = db.scalar(count_stmt) or 0
rows = db.scalars(
stmt.options(selectinload(Secret.versions), selectinload(Secret.tags))
- .order_by(Secret.updated_at.desc())
.offset(offset)
.limit(limit)
).unique()
diff --git a/tests/test_api.py b/tests/test_api.py
index 20c07be..f7ae04c 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -179,7 +179,7 @@
)
token_id = token_create_response.json()["id"]
token_list_response = await client.get("/api/v1/api-tokens")
- revoke_response = await client.delete(f"/api/v1/api-tokens/{token_id}")
+ revoke_response = await client.patch(f"/api/v1/api-tokens/{token_id}/revoke")
assert categories_response.status_code == 200
assert categories_response.json() == ["infra"]
@@ -284,3 +284,29 @@
assert response.status_code == 200
assert response.json()["total"] == 1
assert response.json()["items"][0]["email"] == "user@example.test"
+
+
+@pytest.mark.anyio
+async def test_stats_returns_user_counts(app):
+ async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
+ await client.post(
+ "/api/v1/secrets",
+ json={
+ "title": "Stat Test 1",
+ "fields": [{"name": "key", "value": "val", "encrypted": False}],
+ },
+ )
+ await client.post(
+ "/api/v1/secrets",
+ json={
+ "title": "Stat Test 2",
+ "allow_mcp": True,
+ "fields": [{"name": "key", "value": "val", "encrypted": False}],
+ },
+ )
+ stats_response = await client.get("/api/v1/stats")
+ assert stats_response.status_code == 200
+ data = stats_response.json()
+ assert data["total_secrets"] == 2
+ assert data["active_secrets"] == 2
+ assert data["mcp_enabled_secrets"] == 1
diff --git a/tests/test_auth.py b/tests/test_auth.py
index 716f155..2462347 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -75,7 +75,34 @@
db_session.expire_all()
assert db_session.query(User).filter(User.auth_subject == "auth-subject").count() == 1
assert db_session.query(SessionRecord).count() == 1
- assert db_session.get(OAuthState, "oauth-state") is None
+
+
+@pytest.mark.anyio
+async def test_logout_clears_session_and_cookie(auth_app, db_session, user):
+ session = SessionRecord(
+ id="test-session-id",
+ user_id=user.id,
+ data={},
+ expires_at=utcnow() + timedelta(days=1),
+ )
+ db_session.add(session)
+ db_session.commit()
+
+ async with AsyncClient(
+ transport=ASGITransport(app=auth_app), base_url="http://test"
+ ) as client:
+ client.cookies.set("gnexus_creds_session", "test-session-id")
+ response = await client.post("/auth/logout")
+
+ assert response.status_code == 200
+ assert response.json()["status"] == "ok"
+
+ set_cookie = response.headers.get("set-cookie", "")
+ assert "gnexus_creds_session" in set_cookie
+ assert "Max-Age=0" in set_cookie or "expires=" in set_cookie.lower()
+
+ db_session.expire_all()
+ assert db_session.get(SessionRecord, "test-session-id") is None
@pytest.mark.anyio
diff --git a/tests/test_backup.py b/tests/test_backup.py
new file mode 100644
index 0000000..a686f84
--- /dev/null
+++ b/tests/test_backup.py
@@ -0,0 +1,208 @@
+"""Tests for backup module."""
+
+import json
+from pathlib import Path
+from unittest.mock import MagicMock, patch
+
+import pytest
+
+from gnexus_creds import backup as backup_module
+from gnexus_creds.backup import _backup_dir, create_backup, list_backups, restore_backup
+
+
+@pytest.fixture
+def sqlite_settings():
+ s = MagicMock()
+ s.database_url = "sqlite:///./test_data.db"
+ s.backup_dir = "./test_backups"
+ return s
+
+
+@pytest.fixture
+def pg_settings():
+ s = MagicMock()
+ s.database_url = "postgresql+psycopg://user:pass@localhost/db"
+ s.backup_dir = "./test_backups"
+ return s
+
+
+@pytest.fixture(autouse=True)
+def clean_test_backups(tmp_path):
+ backup_dir = tmp_path / "test_backups"
+ backup_dir.mkdir(exist_ok=True)
+ with patch.object(backup_module, "get_settings") as mock:
+ s = MagicMock()
+ s.backup_dir = str(backup_dir)
+ mock.return_value = s
+ yield
+
+
+class TestNormalizePgUrl:
+ def test_strips_psycopg_suffix(self):
+ result = backup_module._normalize_pg_url("postgresql+psycopg://user:pass@localhost/db")
+ assert result == "postgresql://user:pass@localhost/db"
+
+ def test_leaves_plain_postgresql(self):
+ result = backup_module._normalize_pg_url("postgresql://user:pass@localhost/db")
+ assert result == "postgresql://user:pass@localhost/db"
+
+
+class TestBackupDir:
+ def test_creates_directory_if_missing(self, tmp_path):
+ settings = MagicMock()
+ settings.backup_dir = str(tmp_path / "new_backups")
+ result = _backup_dir(settings)
+ assert result.exists()
+ assert result.is_dir()
+
+
+class TestCreateBackupSqlite:
+ def test_copies_db_file(self, tmp_path):
+ db_path = tmp_path / "test.db"
+ db_path.write_text("sqlite content")
+
+ settings = MagicMock()
+ settings.database_url = f"sqlite:///{db_path}"
+ settings.backup_dir = str(tmp_path / "backups")
+
+ result = create_backup(settings)
+
+ assert result["engine"] == "sqlite"
+ assert result["filename"].startswith("backup_")
+ assert result["filename"].endswith(".db")
+ assert Path(result["path"]).exists()
+ assert Path(result["path"]).read_text() == "sqlite content"
+
+
+class TestCreateBackupPostgresql:
+ def test_runs_pg_dump(self, tmp_path):
+ settings = MagicMock()
+ settings.database_url = "postgresql+psycopg://user:pass@localhost/db"
+ settings.backup_dir = str(tmp_path / "backups")
+
+ with patch("gnexus_creds.backup.subprocess.run") as mock_run:
+ mock_run.return_value = MagicMock(returncode=0, stdout="-- pg_dump output")
+ result = create_backup(settings)
+
+ assert result["engine"] == "postgresql"
+ assert result["filename"].startswith("backup_")
+ assert result["filename"].endswith(".sql")
+ assert Path(result["path"]).exists()
+ assert Path(result["path"]).read_text() == "-- pg_dump output"
+
+ mock_run.assert_called_once()
+ args = mock_run.call_args[0][0]
+ assert args[0] == "pg_dump"
+ assert "postgresql://user:pass@localhost/db" in args
+
+ def test_raises_on_pg_dump_failure(self, tmp_path):
+ settings = MagicMock()
+ settings.database_url = "postgresql+psycopg://user:pass@localhost/db"
+ settings.backup_dir = str(tmp_path / "backups")
+
+ with patch("gnexus_creds.backup.subprocess.run") as mock_run:
+ mock_run.return_value = MagicMock(returncode=1, stderr="connection failed")
+ with pytest.raises(RuntimeError, match="pg_dump failed"):
+ create_backup(settings)
+
+
+class TestListBackups:
+ def test_lists_backup_files(self, tmp_path):
+ backup_dir = tmp_path / "backups"
+ backup_dir.mkdir()
+ (backup_dir / "backup_20260101_120000.sql").write_text("content")
+ (backup_dir / "other_file.txt").write_text("ignore me")
+
+ settings = MagicMock()
+ settings.backup_dir = str(backup_dir)
+
+ result = list_backups(settings)
+
+ assert len(result) == 1
+ assert result[0]["filename"] == "backup_20260101_120000.sql"
+ assert "path" in result[0]
+ assert "size" in result[0]
+ assert "created_at" in result[0]
+
+ def test_returns_empty_list_when_no_backups(self, tmp_path):
+ backup_dir = tmp_path / "backups"
+ backup_dir.mkdir()
+
+ settings = MagicMock()
+ settings.backup_dir = str(backup_dir)
+
+ result = list_backups(settings)
+ assert result == []
+
+
+class TestRestoreBackupSqlite:
+ def test_copies_backup_to_db_path(self, tmp_path):
+ backup_file = tmp_path / "backup_20260101_120000.db"
+ backup_file.write_text("restored content")
+
+ db_path = tmp_path / "target.db"
+ settings = MagicMock()
+ settings.database_url = f"sqlite:///{db_path}"
+
+ result = restore_backup(str(backup_file), settings)
+
+ assert result["engine"] == "sqlite"
+ assert db_path.read_text() == "restored content"
+
+ def test_raises_on_missing_file(self, tmp_path):
+ settings = MagicMock()
+ settings.database_url = "sqlite:///./test.db"
+
+ with pytest.raises(FileNotFoundError):
+ restore_backup(str(tmp_path / "missing.db"), settings)
+
+
+class TestRestoreBackupPostgresql:
+ def test_runs_psql(self, tmp_path):
+ backup_file = tmp_path / "backup.sql"
+ backup_file.write_text("-- restore script")
+
+ settings = MagicMock()
+ settings.database_url = "postgresql+psycopg://user:pass@localhost/db"
+
+ with patch("gnexus_creds.backup.subprocess.run") as mock_run:
+ mock_run.return_value = MagicMock(returncode=0)
+ result = restore_backup(str(backup_file), settings)
+
+ assert result["engine"] == "postgresql"
+ mock_run.assert_called_once()
+ args = mock_run.call_args[0][0]
+ assert args[0] == "psql"
+ assert "postgresql://user:pass@localhost/db" in args
+ assert str(backup_file) in args
+
+ def test_raises_on_psql_failure(self, tmp_path):
+ backup_file = tmp_path / "backup.sql"
+ backup_file.write_text("-- restore script")
+
+ settings = MagicMock()
+ settings.database_url = "postgresql+psycopg://user:pass@localhost/db"
+
+ with patch("gnexus_creds.backup.subprocess.run") as mock_run:
+ mock_run.return_value = MagicMock(returncode=1, stderr="restore failed")
+ with pytest.raises(RuntimeError, match="psql failed"):
+ restore_backup(str(backup_file), settings)
+
+
+class TestUnsupportedDatabase:
+ def test_create_backup_raises(self):
+ settings = MagicMock()
+ settings.database_url = "mysql://localhost/db"
+ settings.backup_dir = "./backups"
+
+ with pytest.raises(RuntimeError, match="Unsupported database URL"):
+ create_backup(settings)
+
+ def test_restore_backup_raises(self, tmp_path):
+ backup_file = tmp_path / "backup.sql"
+ backup_file.write_text("-- script")
+ settings = MagicMock()
+ settings.database_url = "mysql://localhost/db"
+
+ with pytest.raises(RuntimeError, match="Unsupported database URL"):
+ restore_backup(str(backup_file), settings)
diff --git a/tests/test_mcp.py b/tests/test_mcp.py
index 573757e..56e6e96 100644
--- a/tests/test_mcp.py
+++ b/tests/test_mcp.py
@@ -1,4 +1,5 @@
import json
+import uuid
import pytest
from httpx import ASGITransport, AsyncClient
@@ -213,7 +214,7 @@
http_client = AsyncClient(
transport=ASGITransport(app=app),
base_url="http://127.0.0.1:8000",
- headers={"Authorization": f"Bearer {token}"},
+ headers={"Authorization": f"Bearer {token}", "User-Agent": "mcp-test/1.0"},
)
async with app.router.lifespan_context(app):
@@ -260,3 +261,119 @@
)
assert not created.isError
assert created.structuredContent["title"] == "Protocol created"
+
+
+@pytest.mark.anyio
+async def test_mcp_legacy_invalid_uuid(app, actor):
+ actor.channel = "mcp"
+ actor.api_token = ApiToken(
+ user_id=actor.user.id,
+ public_id="mcp",
+ name="mcp",
+ token_hash="hash",
+ scopes=["mcp", "read"],
+ )
+ async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
+ response = await client.post(
+ "/mcp/tools/get_secret",
+ json={"arguments": {"secret_id": "not-a-uuid"}},
+ )
+ assert response.status_code == 400
+ assert "UUID" in response.json()["error"]["message"]
+
+
+@pytest.mark.anyio
+async def test_mcp_legacy_missing_secret_id(app, actor):
+ actor.channel = "mcp"
+ actor.api_token = ApiToken(
+ user_id=actor.user.id,
+ public_id="mcp",
+ name="mcp",
+ token_hash="hash",
+ scopes=["mcp", "read"],
+ )
+ async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
+ response = await client.post(
+ "/mcp/tools/get_secret",
+ json={"arguments": {}},
+ )
+ assert response.status_code == 400
+ assert "secret_id" in response.json()["error"]["message"]
+
+
+@pytest.mark.anyio
+async def test_mcp_legacy_invalid_status(app, actor):
+ actor.channel = "mcp"
+ actor.api_token = ApiToken(
+ user_id=actor.user.id,
+ public_id="mcp",
+ name="mcp",
+ token_hash="hash",
+ scopes=["mcp", "read", "write"],
+ )
+ async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
+ response = await client.post(
+ "/mcp/tools/set_secret_status",
+ json={"arguments": {"secret_id": str(uuid.uuid4()), "status": "nope"}},
+ )
+ assert response.status_code == 400
+ assert "status" in response.json()["error"]["message"]
+
+
+@pytest.mark.anyio
+async def test_mcp_legacy_archived_secret_not_found(app, db_session, actor):
+ actor.channel = "mcp"
+ actor.api_token = ApiToken(
+ user_id=actor.user.id,
+ public_id="mcp",
+ name="mcp",
+ token_hash="hash",
+ scopes=["mcp", "read"],
+ )
+ secret = create_secret(
+ db_session,
+ Actor(user=actor.user, channel="ui"),
+ SecretCreate(
+ title="Archived",
+ allow_mcp=True,
+ archived=True,
+ fields=[SecretFieldIn(name="pass", value="x", encrypted=True)],
+ ),
+ )
+ db_session.commit()
+
+ async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
+ response = await client.post(
+ "/mcp/tools/get_secret",
+ json={"arguments": {"secret_id": str(secret.id)}},
+ )
+ assert response.status_code == 404
+
+
+@pytest.mark.anyio
+async def test_mcp_legacy_disallowed_mcp_secret_not_found(app, db_session, actor):
+ actor.channel = "mcp"
+ actor.api_token = ApiToken(
+ user_id=actor.user.id,
+ public_id="mcp",
+ name="mcp",
+ token_hash="hash",
+ scopes=["mcp", "read"],
+ )
+ secret = create_secret(
+ db_session,
+ Actor(user=actor.user, channel="ui"),
+ SecretCreate(
+ title="UI only",
+ allow_mcp=False,
+ fields=[SecretFieldIn(name="pass", value="x", encrypted=True)],
+ ),
+ )
+ db_session.commit()
+
+ async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
+ response = await client.post(
+ "/mcp/tools/get_secret",
+ json={"arguments": {"secret_id": str(secret.id)}},
+ )
+ assert response.status_code == 404
-
-
-
-
-
-
+
+
+
+
-
-
-
+
+
+
+
+
-
+
+ Actual
+
+
+ Outdated
+
+
+
+
+
+
+ Visible in the user interface.
+
+
+ Available to external clients using API tokens.
+
+
+ Available to MCP clients when token scopes allow it.
+
-
-
-
- Available from the web interface after login.
-
-
- Available to external clients using API tokens.
-
-
- Available to MCP clients when token scopes allow it.
-
-
-
-
-
-
-
-
-
-
-
-
-
- Actual
+
+ Cancel
+
+ Save metadata
+
+
+
+
+ Cancel
+ Delete
+
+
+
+
+ Cancel
+ Delete
+
+
+
+
+
- Outdated
+ Create token
-
- This permanently removes all secrets and versions. Audit records remain.
+ ++ This permanently deletes + {{ pendingDeleteSecret?.title }} + and all its versions. Audit records remain. +
+ +
+
+ + API tokens let external clients and MCP tools authenticate with gnexus-creds without a browser session. Pick a descriptive name and select the scopes this token should have. +
+
+
+
+
+
+ Copy this token now. It will not be shown again. +
+
-
-
-
- Visible in the user interface.
-
-
- Available to external clients using API tokens.
-
-
- Available to MCP clients when token scopes allow it.
- This permanently removes all secrets and versions. Audit records remain.
- -
+
+
+ - This permanently deletes - {{ pendingDeleteSecret?.title }} - and all its versions. Audit records remain. -
- -+ This will overwrite the current database with + {{ pendingRestoreFile }}. + All existing data will be replaced. +
+ +
+
+
+
+
+ {{ secret.status }}
+
+
+
+
+
+
+ {{ isVisible(item.key) ? item.raw.value : maskValue(item.raw.value) }}
+
+