feat: per-user secrets (API keys) for sessions #64
Merged
- Add getUserSecretName, ensureUserSecret, deleteUserSecret, getUserSecret functions
- Add GET/POST/DELETE /api/user/secret API endpoints
- Update ensurePod to mount user secret via envFrom
- Update session creation to pass user secret to pods

Backend (opencode-router):
- Add getUserSecretName, ensureUserSecret, deleteUserSecret, getUserSecret functions in pod-manager.ts
- Add GET/POST/DELETE /api/user/secret API endpoints in api.ts
- Update ensurePod to mount user secret via envFrom
- Update startSession and resumeSession to pass userSecret to pods

Frontend (opencode-router-app):
- Add getUserSecret, setUserSecret, deleteUserSecret API functions
- Add settings button next to welcome heading
- Add settings dialog with API key management (set/update/delete)
- Add i18n translations for settings UI

- Change user secrets from single string to Record<string, string> format
- K8s secret keys map directly to env var names (e.g. OPENAI_API_KEY)
- Update API endpoints: POST accepts { secrets: { KEY: value } }, GET returns keys[]
- Add /settings route for navigating to settings dialog
- Update settings UI with env var name + value input fields
- Fix tests and mock to handle new multi-key format

- Fix: adding a new env var now merges with existing secrets instead of overwriting
- Fix: getUserSecret reads from K8s data (base64) not stringData
- Fix: GET /api/user/secret returns secrets object for frontend merging
- Fix: individual key deletion removes only that key, keeps others
- Fix: frontend properly loads existing keys on mount and in settings dialog
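
The merge, base64 data and single-key deletion fixes listed in the commit message above, sketched as an added example that is not code from this pull request. The function names, the env var name pattern and the sample values are assumptions made here, and the Secret is modelled as a plain object rather than through a Kubernetes client.

```typescript
// Added example (not the PR's code). Models the `data` field of a Kubernetes
// Secret as a plain object: values come back from the API server as base64.
type SecretData = Record<string, string>;   // key -> base64 value
type PlainSecrets = Record<string, string>; // key -> plaintext value

// Assumption: a conservative env var name rule; the PR's own validation is not shown.
const ENV_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Decode what is stored under `data` (base64), not `stringData` (write-only).
function decodeSecretData(data: SecretData = {}): PlainSecrets {
  const out: PlainSecrets = {};
  for (const [key, b64] of Object.entries(data)) {
    out[key] = Buffer.from(b64, "base64").toString("utf8");
  }
  return out;
}

function encodeSecretData(secrets: PlainSecrets): SecretData {
  const out: SecretData = {};
  for (const [key, value] of Object.entries(secrets)) {
    out[key] = Buffer.from(value, "utf8").toString("base64");
  }
  return out;
}

// POST: merge new keys into the stored ones instead of overwriting the Secret.
function mergeUserSecrets(existing: SecretData, incoming: PlainSecrets): SecretData {
  for (const key of Object.keys(incoming)) {
    if (!ENV_NAME.test(key)) throw new Error(`invalid env var name: ${JSON.stringify(key)}`);
  }
  return encodeSecretData({ ...decodeSecretData(existing), ...incoming });
}

// DELETE of one key: drop only that key and keep the others.
function deleteUserSecretKey(existing: SecretData, key: string): SecretData {
  const rest: SecretData = { ...existing };
  delete rest[key];
  return rest;
}

// Summary in the { hasSecret, keys[] } shape: names only, never values.
function summarizeUserSecret(existing: SecretData): { hasSecret: boolean; keys: string[] } {
  const keys = Object.keys(existing).sort();
  return { hasSecret: keys.length > 0, keys };
}

// Constructed sample: one stored key, then a second key is added.
const stored = encodeSecretData({ OPENAI_API_KEY: "constructed-value-1" });
const updated = mergeUserSecrets(stored, { ANTHROPIC_API_KEY: "constructed-value-2" });
console.log(summarizeUserSecret(updated));
```

Because the merge happens against the decoded stored data, a caller only has to send the keys it is adding or changing.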
b189c14 to d97253f
Summary
Allow users to maintain their own API keys as environment variables that are automatically injected into all their sessions.
Features
- opencode-user-<email-hash> mirroring existing GitHub token pattern
- OPENAI_API_KEY, ANTHROPIC_API_KEY) — keys map directly to environment variable names
- GET /api/user/secret — returns { hasSecret, keys[] } (keys only, no values exposed)
- POST /api/user/secret — sets secrets via { secrets: { KEY: value } }
- DELETE /api/user/secret — removes all user secrets
- /settings route
- envFrom to all their session pods

Commits
- b50332799 — wip: per-user secrets backend implementation
- 3a08fd234 — feat: per-user secrets for session pods
- 50dbb1d2f — docs: update development plan with completed commits
- ab6d2b496 — feat: support multiple env vars in user secrets

Tests