cuga-project · sami-marreed · Mar 4, 2026 · Mar 2, 2026 · Mar 2, 2026 · Mar 2, 2026
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -3,7 +3,7 @@
     "files": "(.*pnpm-lock.*|.*js.*|node_modules|.venv|.*jinja2.*|.*woff2.*)|^.secrets.baseline$|^.env$",
     "lines": null
   },
-  "generated_at": "2026-02-27T23:20:16Z",
+  "generated_at": "2026-03-04T13:25:55Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -330,15 +330,15 @@
         "hashed_secret": "75b08fd0503a80e9dff9529ec051878b3c156802",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 125,
+        "line_number": 132,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "cff0d14e4337fa8bdb68dfa906f04b0df6fad72f",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 155,
+        "line_number": 162,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -424,7 +424,73 @@
         "hashed_secret": "829c3804401b0727f70f73d4415e162400cbe57b",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 458,
+        "line_number": 522,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ],
+    "src/cuga/backend/secrets/seed.py": [
+      {
+        "hashed_secret": "34fdaba0f5e1a8e596fd1b5464ccb26735f16124",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 10,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "d5c2ed8d21390c7349954b681276adabf345cd5f",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 11,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "f7f71c7b39b889f796dda3ff85c60627bf327c75",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 12,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "c94055f8ca03dd00999828feb2eaead9acb1302e",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 13,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "3fd1df3d95a156a37d3edd4527feba9a820c56b8",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 14,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "414d33be518726d57e9c2af24a85c0f5ba6ce4ca",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 16,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "085f4f2247c901ccbb7612ff72b316d20492295b",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 17,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "9633a20f8ffd7c00aa793ca8f32f6a0afba0b3ac",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 18,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -472,23 +538,31 @@
         "hashed_secret": "6c965552a3682c9ca3435cdfd55af289b8c3b869",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 27,
+        "line_number": 30,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
-        "hashed_secret": "757ee73c75239ecfe670d76a3f10ede81de1d485",
+        "hashed_secret": "77fd040d42b4e7a0ee8adf486b9e89841fba1f65",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 112,
+        "line_number": 92,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "1bcc59b324708cc856541522bd845c53a709d932",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 107,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "d0ba47ccbefb78340565269f5b73af6f1afa4396",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 129,
+        "line_number": 166,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -498,31 +572,31 @@
         "hashed_secret": "1f5e25be9b575e9f5d39c82dfd1d9f4d73f1975c",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 83,
+        "line_number": 105,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "d0a3e7f81a9885e99049d1cae0336d269d5e47a9",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 111,
+        "line_number": 145,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "48bf2239eea43073d82dc9a4ad45200b8e297363",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 183,
+        "line_number": 235,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "6947818ac409551f11fbaa78f0ea6391960aa5b8",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 184,
+        "line_number": 236,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -535,6 +609,58 @@
         "line_number": 32,
         "type": "Secret Keyword",
         "verified_result": null
+      },
+      {
+        "hashed_secret": "f5cbae85fb47446511da4c9974e2da448caee7e1",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 132,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ],
+    "tests/integration/test_llm_config_publish.py": [
+      {
+        "hashed_secret": "18ddbc9bbacbf4a9baa379b0a09880dfffede940",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 245,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ],
+    "tests/unit/test_llm_override.py": [
+      {
+        "hashed_secret": "d02a1215a382dd014f4e48cb99f6896462b12d30",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 104,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "68ae90e9a866a86ce4d62f491670b83b80973d3f",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 123,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "fc59ee2d2451a12914d0ef4029dbcb5261cf483e",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 128,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "18ddbc9bbacbf4a9baa379b0a09880dfffede940",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 190,
+        "type": "Secret Keyword",
+        "verified_result": null
       }
     ]
   },

diff --git a/deployment/helm/deploy-openshift.sh b/deployment/helm/deploy-openshift.sh
@@ -5,7 +5,7 @@ set -euo pipefail
 # CUGA OpenShift Deployment Script
 #
 # Usage:
-#   ./deploy-openshift.sh [path/to/openshift.env] [--with-postgres]
+#   ./deploy-openshift.sh [path/to/openshift.env] [--with-postgres] [--with-vault]
 #
 # Prerequisites:
 #   - Logged in to OpenShift cluster via `oc login` or `kubectl` with valid kubeconfig
@@ -15,10 +15,13 @@ set -euo pipefail
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 WITH_POSTGRES=false
+WITH_VAULT=false
 ENV_FILE=""
 for arg in "$@"; do
   if [[ "$arg" == "--with-postgres" ]]; then
     WITH_POSTGRES=true
+  elif [[ "$arg" == "--with-vault" ]]; then
+    WITH_VAULT=true
   else
     [[ -z "$ENV_FILE" ]] && ENV_FILE="$arg"
   fi
@@ -81,6 +84,7 @@ ENV_SECRET_NAME="${INSTANCE_ID}-env-secret"
 CHART_PATH="${SCRIPT_DIR}/cuga"
 TOTAL_STEPS=6
 [[ "$WITH_POSTGRES" != true ]] && TOTAL_STEPS=5
+[[ "$WITH_VAULT" == true ]] && TOTAL_STEPS=$((TOTAL_STEPS + 1))
 
 echo ""
 echo "========================================"
@@ -92,6 +96,9 @@ echo "  Hostname  : ${ROUTE_HOSTNAME:-<auto-assigned by OpenShift>}"
 if [[ "$WITH_POSTGRES" == true ]]; then
   echo "  Postgres  : enabled (shared per namespace)"
 fi
+if [[ "$WITH_VAULT" == true ]]; then
+  echo "  Vault     : enabled"
+fi
 echo "========================================"
 echo ""
 
@@ -155,6 +162,8 @@ SECRET_ARGS=(
 [[ -n "${OIDC_CLIENT_SECRET:-}" ]]        && SECRET_ARGS+=("--from-literal=OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET}")
 [[ -n "${OIDC_DISCOVERY_URL:-}" ]]        && SECRET_ARGS+=("--from-literal=OIDC_DISCOVERY_URL=${OIDC_DISCOVERY_URL}")
 [[ -n "${OIDC_REDIRECT_URI:-}" ]]         && SECRET_ARGS+=("--from-literal=OIDC_REDIRECT_URI=${OIDC_REDIRECT_URI}")
+[[ -n "${VAULT_TOKEN:-}" ]]               && SECRET_ARGS+=("--from-literal=VAULT_TOKEN=${VAULT_TOKEN}")
+[[ -n "${CUGA_SECRET_KEY:-}" ]]           && SECRET_ARGS+=("--from-literal=CUGA_SECRET_KEY=${CUGA_SECRET_KEY}")
 
 if [[ "$WITH_POSTGRES" == true ]]; then
   PG_URL="postgresql://${POSTGRES_USER:-cuga}:${POSTGRES_PASSWORD}@postgres-pgvector.${NAMESPACE}.svc.cluster.local:5432/${POSTGRES_DB:-cuga}"
@@ -169,6 +178,35 @@ kubectl create secret generic "${ENV_SECRET_NAME}" \
   --dry-run=client -o yaml | kubectl apply -f -
 ((STEP++))
 
+# ---------------------------------------------------------------------------
+# Optional: Vault deployment
+# ---------------------------------------------------------------------------
+
+if [[ "$WITH_VAULT" == true ]]; then
+  echo "[${STEP}/${TOTAL_STEPS}] Deploying HashiCorp Vault"
+  VAULT_CHART_PATH="${SCRIPT_DIR}/vault"
+
+  helm repo add hashicorp https://helm.releases.hashicorp.com 2>/dev/null || true
+  helm repo update hashicorp 2>/dev/null || true
+  helm dependency update "${VAULT_CHART_PATH}" 2>/dev/null || true
+
+  helm upgrade --install vault "${VAULT_CHART_PATH}" \
+    --namespace "${NAMESPACE}" \
+    -f "${VAULT_CHART_PATH}/values.openshift.yaml" \
+    ${VAULT_TOKEN:+--set "vault.server.extraEnvironmentVars.VAULT_DEV_ROOT_TOKEN_ID=${VAULT_TOKEN}"}
+  ((STEP++))
+
+  echo ""
+  echo "  Vault deployed. Initialize it (first time only):"
+  echo "    kubectl exec -n ${NAMESPACE} -it vault-0 -- vault operator init"
+  echo ""
+  echo "  Add to your env file:"
+  echo "    VAULT_TOKEN=<root-token>"
+  echo "    DYNACONF_SECRETS__MODE=vault"
+  echo "    DYNACONF_SECRETS__VAULT_ADDR=http://vault.${NAMESPACE}.svc.cluster.local:8200"
+  echo ""
+fi
+
 # ---------------------------------------------------------------------------
 # 5. Helm deploy (cuga)
 # ---------------------------------------------------------------------------
@@ -196,6 +234,19 @@ HELM_ARGS=(
   --set "route.enabled=true"
 )
 
+if [[ "$WITH_VAULT" == true ]]; then
+  VAULT_INTERNAL_ADDR="http://vault.${NAMESPACE}.svc.cluster.local:8200"
+  HELM_ARGS+=(
+    "--set" "env.DYNACONF_SECRETS__MODE=vault"
+    "--set" "env.DYNACONF_SECRETS__VAULT_ADDR=${VAULT_ADDR:-${VAULT_INTERNAL_ADDR}}"
+    "--set" "env.DYNACONF_SECRETS__VAULT_TOKEN_ENV=VAULT_TOKEN"
+  )
+fi
+
+if [[ -n "${DYNACONF_SECRETS__MODE:-}" ]]; then
+  HELM_ARGS+=("--set" "env.DYNACONF_SECRETS__MODE=${DYNACONF_SECRETS__MODE}")
+fi
+
 if [[ -n "${ROUTE_HOSTNAME:-}" ]]; then
   HELM_ARGS+=("--set" "route.hostname=${ROUTE_HOSTNAME}")
 fi

diff --git a/deployment/helm/openshift.example.env b/deployment/helm/openshift.example.env
@@ -54,3 +54,13 @@ POSTGRES_DB=cuga
 # Leave DYNACONF_STORAGE__POSTGRES_URL empty — auto-built from the above when --with-postgres
 # Only set this if connecting to an EXTERNAL postgres (not the in-cluster one)
 DYNACONF_STORAGE__POSTGRES_URL=
+
+# --- Vault (required only when using --with-vault flag) ---
+# Root or app token for HashiCorp Vault. Injected as VAULT_TOKEN env var in the CUGA pod.
+VAULT_TOKEN=
+# Override Vault address if deploying externally (auto-set to in-cluster addr when --with-vault)
+VAULT_ADDR=
+# Fernet encryption key for local DB secrets store (generate with: python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())")
+CUGA_SECRET_KEY=
+# Secrets mode: local (default) | vault | aws
+DYNACONF_SECRETS__MODE=local
diff --git a/deployment/helm/vault/Chart.yaml b/deployment/helm/vault/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+name: vault
+description: HashiCorp Vault sub-chart for CUGA secret management
+type: application
+version: 0.1.0
+appVersion: "1.15.0"
+dependencies:
+  - name: vault
+    version: "0.28.0"
+    repository: "https://helm.releases.hashicorp.com"
diff --git a/deployment/helm/vault/templates/NOTES.txt b/deployment/helm/vault/templates/NOTES.txt
@@ -0,0 +1,12 @@
+HashiCorp Vault has been deployed.
+
+To initialize and unseal Vault (first time only):
+  kubectl exec -n {{ .Release.Namespace }} -it vault-0 -- vault operator init
+  kubectl exec -n {{ .Release.Namespace }} -it vault-0 -- vault operator unseal <unseal-key>
+
+Then configure CUGA to use it by setting in openshift.env:
+  VAULT_ADDR=http://vault.<namespace>.svc.cluster.local:8200
+  VAULT_TOKEN=<root-or-app-token>
+  DYNACONF_SECRETS__MODE=vault
+  DYNACONF_SECRETS__VAULT_ADDR=http://vault.{{ .Release.Namespace }}.svc.cluster.local:8200
+  DYNACONF_SECRETS__VAULT_TOKEN_ENV=VAULT_TOKEN