Implement secrets management (#10)

Implements a set of secrets management commands, along with a flag for
`run` which allows secrets to be injected as environment variables.

Note that this implementation stores the secrets to an unencrypted file
on disk. This will be changed in an upcoming PR.

Example of use:

```
$ bin/vt secret list
Available secrets:
  - fizz
  - foo
$ bin/vt run --secret=foo,target=FOO --secret=fizz,target=FIZZ alpine -- env
Logging to: /tmp/vibetool-alpine.log
MCP server alpine-1742982443 is running in the background (PID: 18425)
Use 'vibetool stop alpine-1742982443' to stop the server
$ docker ps -a
CONTAINER ID   IMAGE                           COMMAND                  CREATED              STATUS                          PORTS     NAMES
ed1bda951b03   alpine                          "env"                    About a minute ago   Exited (0) About a minute ago             alpine-1742982443
$ docker logs ed1bda951b03
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=ed1bda951b03
FOO=bar
FIZZ=buzz
MCP_TRANSPORT=stdio
HOME=/root
```

Author: dmjb

Taskfile.yml

@@ -7,6 +7,11 @@ tasks:
       - golangci-lint run ./...
       - go vet ./...
 
+  lint-fix:
+    desc: Run linting tools, and apply fixes.
+    cmds:
+      - golangci-lint run --fix ./...
+
   test:
     desc: Run tests
     cmds:

cmd/vt/main.go

@@ -43,6 +43,7 @@ func init() {
 	rootCmd.AddCommand(rmCmd)
 	rootCmd.AddCommand(proxyCmd)
 	rootCmd.AddCommand(versionCmd)
+	rootCmd.AddCommand(newSecretCommand())
 }
 
 func main() {

cmd/vt/run.go

@@ -25,6 +25,7 @@ var (
 	runNoClientConfig    bool
 	runForeground        bool
 	runVolumes           []string
+	runSecrets           []string
 )
 
 func init() {
@@ -59,6 +60,12 @@ func init() {
 		[]string{},
 		"Mount a volume into the container (format: host-path:container-path[:ro])",
 	)
+	runCmd.Flags().StringArrayVar(
+		&runSecrets,
+		"secret",
+		[]string{},
+		"Specify a secret to be fetched from the secrets manager and set as an environment variable (format: NAME,target=TARGET)",
+	)
 
 	// Add OIDC validation flags
 	AddOIDCFlags(runCmd)
@@ -101,6 +108,7 @@ func runCmdFunc(cmd *cobra.Command, args []string) error {
 		OIDCClientID:      oidcClientID,
 		Debug:             debugMode,
 		Volumes:           runVolumes,
+		Secrets:           runSecrets,
 	}
 
 	// Run the MCP server

cmd/vt/run_common.go

@@ -20,6 +20,7 @@ import (
 	"github.com/stacklok/vibetool/pkg/networking"
 	"github.com/stacklok/vibetool/pkg/permissions"
 	"github.com/stacklok/vibetool/pkg/process"
+	"github.com/stacklok/vibetool/pkg/secrets"
 	"github.com/stacklok/vibetool/pkg/transport"
 )
 
@@ -73,6 +74,10 @@ type RunOptions struct {
 	// Volumes are the directory mounts to pass to the container
 	// Format: "host-path:container-path[:ro]"
 	Volumes []string
+
+	// Secrets are the secret parameters to pass to the container
+	// Format: "<secret name>,target=<target environment variable>"
+	Secrets []string
 }
 
 // RunMCPServer runs an MCP server with the specified options
@@ -106,6 +111,22 @@ func RunMCPServer(ctx context.Context, cmd *cobra.Command, options RunOptions) e
 	// Generate a container name if not provided
 	containerName, baseName := container.GetOrGenerateContainerName(options.Name, options.Image)
 
+	// If any secrets are specified, attempt to load them, and add to list of environment variables.
+	if len(runSecrets) > 0 {
+		secretManager, err := secrets.CreateDefaultSecretsManager()
+		if err != nil {
+			return fmt.Errorf("error instantiating secret manager %v", err)
+		}
+		secretVariables, err := environment.ParseSecretParameters(runSecrets, secretManager)
+		if err != nil {
+			return fmt.Errorf("failed to get secrets: %v", err)
+		}
+
+		for key, value := range secretVariables {
+			runEnv = append(runEnv, fmt.Sprintf("%s=%s", key, value))
+		}
+	}
+
 	// Parse transport mode
 	transportType, err := transport.ParseTransportType(options.Transport)
 	if err != nil {

cmd/vt/secret.go

@@ -0,0 +1,145 @@
+package main
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/stacklok/vibetool/pkg/secrets"
+)
+
+func newSecretCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "secret",
+		Short: "Manage secrets",
+		Long:  "The secret command provides subcommands to set, get, delete, and list secrets.",
+	}
+
+	cmd.AddCommand(
+		newSecretSetCommand(),
+		newSecretGetCommand(),
+		newSecretDeleteCommand(),
+		newSecretListCommand(),
+	)
+
+	return cmd
+}
+
+func newSecretSetCommand() *cobra.Command {
+	return &cobra.Command{
+		Use:   "set <name> <value>",
+		Short: "Set a secret",
+		Args:  cobra.ExactArgs(2),
+		Run: func(cmd *cobra.Command, args []string) {
+			name, value := args[0], args[1]
+
+			// Validate input
+			if name == "" {
+				cmd.Println("Error: Secret name cannot be empty")
+				return
+			}
+
+			manager, err := secrets.CreateDefaultSecretsManager()
+			if err != nil {
+				cmd.Printf("Failed to create secrets manager: %v\n", err)
+				return
+			}
+
+			err = manager.SetSecret(name, value)
+			if err != nil {
+				cmd.Printf("Failed to set secret %s: %v\n", name, err)
+				return
+			}
+			cmd.Printf("Secret %s set successfully\n", name)
+		},
+	}
+}
+
+func newSecretGetCommand() *cobra.Command {
+	return &cobra.Command{
+		Use:   "get <name>",
+		Short: "Get a secret",
+		Args:  cobra.ExactArgs(1),
+		Run: func(cmd *cobra.Command, args []string) {
+			name := args[0]
+
+			// Validate input
+			if name == "" {
+				cmd.Println("Error: Secret name cannot be empty")
+				return
+			}
+
+			manager, err := secrets.CreateDefaultSecretsManager()
+			if err != nil {
+				cmd.Printf("Failed to create secrets manager: %v\n", err)
+				return
+			}
+
+			value, err := manager.GetSecret(name)
+			if err != nil {
+				cmd.Printf("Failed to get secret %s: %v\n", name, err)
+				return
+			}
+			cmd.Printf("Secret %s: %s\n", name, value)
+		},
+	}
+}
+
+func newSecretDeleteCommand() *cobra.Command {
+	return &cobra.Command{
+		Use:   "delete <name>",
+		Short: "Delete a secret",
+		Args:  cobra.ExactArgs(1),
+		Run: func(cmd *cobra.Command, args []string) {
+			name := args[0]
+
+			// Validate input
+			if name == "" {
+				cmd.Println("Error: Secret name cannot be empty")
+				return
+			}
+
+			manager, err := secrets.CreateDefaultSecretsManager()
+			if err != nil {
+				cmd.Printf("Failed to create secrets manager: %v\n", err)
+				return
+			}
+
+			err = manager.DeleteSecret(name)
+			if err != nil {
+				cmd.Printf("Failed to delete secret %s: %v\n", name, err)
+				return
+			}
+			cmd.Printf("Secret %s deleted successfully\n", name)
+		},
+	}
+}
+
+func newSecretListCommand() *cobra.Command {
+	return &cobra.Command{
+		Use:   "list",
+		Short: "List all available secrets",
+		Args:  cobra.NoArgs,
+		Run: func(cmd *cobra.Command, _ []string) {
+			manager, err := secrets.CreateDefaultSecretsManager()
+			if err != nil {
+				cmd.Printf("Failed to create secrets manager: %v\n", err)
+				return
+			}
+
+			secretNames, err := manager.ListSecrets()
+			if err != nil {
+				cmd.Printf("Failed to list secrets: %v\n", err)
+				return
+			}
+
+			if len(secretNames) == 0 {
+				cmd.Println("No secrets found")
+				return
+			}
+
+			cmd.Println("Available secrets:")
+			for _, name := range secretNames {
+				cmd.Printf("  - %s\n", name)
+			}
+		},
+	}
+}

go.mod

@@ -13,6 +13,7 @@ require (
 
 require (
 	github.com/Microsoft/go-winio v0.4.14 // indirect
+	github.com/adrg/xdg v0.5.3 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect

go.sum

@@ -1,5 +1,7 @@
 github.com/Microsoft/go-winio v0.4.14 h1:+hMXMk01us9KgxGb7ftKQt2Xpf5hH/yky+TDA+qxleU=
 github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
+github.com/adrg/xdg v0.5.3 h1:xRnxJXne7+oWDatRhR1JLnvuccuIeCoBu2rtuLqQB78=
+github.com/adrg/xdg v0.5.3/go.mod h1:nlTsY+NNiCBGCK2tpm09vRqfVzrc2fLmXGpBLF0zlTQ=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=

pkg/environment/environment.go

@@ -5,8 +5,33 @@ package environment
 import (
 	"fmt"
 	"strings"
+
+	"github.com/stacklok/vibetool/pkg/secrets"
 )
 
+// ParseSecretParameters parses the secret parameters from the command line,
+// fetches them from the secrets manager, and returns a map of secrets and
+// their environment variable names.
+func ParseSecretParameters(parameters []string, secretsManager secrets.Manager) (map[string]string, error) {
+	secretVariables := make(map[string]string, len(parameters))
+
+	for _, param := range parameters {
+		parameter, err := secrets.ParseSecretParameter(param)
+		if err != nil {
+			return nil, err
+		}
+
+		secret, err := secretsManager.GetSecret(parameter.Name)
+		if err != nil {
+			return nil, err
+		}
+
+		secretVariables[parameter.Target] = secret
+	}
+
+	return secretVariables, nil
+}
+
 // ParseEnvironmentVariables parses environment variables from a slice of strings
 // in the format KEY=VALUE
 func ParseEnvironmentVariables(envVars []string) (map[string]string, error) {