feat: file based secret management by kmendell · Pull Request #1486 · getarcaneapp/arcane

kmendell · 2026-01-15T05:02:51Z

Update Documentation
Add E2E Tests

Disclaimer Greptiles Reviews use AI, make sure to check over its work

Greptile Summary

This PR implements a comprehensive file-based secret management system for Arcane, allowing users to securely store and mount secrets into Docker containers.

Key Changes:

Adds encrypted secret storage with AES-GCM encryption, storing secrets both in the database and as encrypted files on disk
Implements Docker secret mounting at /run/secrets/<name> with read-only permissions (0400)
Creates plaintext temporary files for container mounts with automatic cleanup on container stop/delete
Adds compose-compatible secret files in a separate directory for docker-compose integration
Provides full CRUD API endpoints for secret management with proper authentication
Includes database migrations for both PostgreSQL and SQLite
Adds complete frontend UI for secret management with proper validation

Security Considerations:

Secrets are encrypted using AES-GCM before storage in both database and files
Encrypted files use restrictive 0400 permissions (read-only for owner)
Plaintext temporary files created for container mounts are properly tracked and cleaned up
Compose secret files use 0600 permissions to allow docker-compose read access
Secret names are validated to prevent path traversal attacks

Architecture:

SecretService manages the full lifecycle: creation, encryption, file persistence, container mounting, and cleanup
Temporary files are tracked per container ID and cleaned up when containers stop or are deleted
Supports configurable secrets directory via settings (default: /app/data/secrets)
Integrates with existing container lifecycle in ContainerService

Confidence Score: 4/5

This PR is largely safe to merge with one minor security issue that should be addressed
The implementation is well-structured with proper encryption, error handling, and cleanup mechanisms. One race condition exists in the temp file creation where permissions are set after writing content, which could briefly expose secrets. The rest of the code follows Go best practices and handles edge cases appropriately.
Pay attention to backend/internal/utils/crypto/file_encryption.go which has a permission race condition in DecryptToTempFile

Important Files Changed

Filename	Overview
backend/internal/utils/crypto/file_encryption.go	Adds file-based encryption utilities; contains a race condition in `DecryptToTempFile` where permissions are set after content is written
backend/internal/services/secret_service.go	Implements comprehensive secret management service with proper encryption, file handling, and cleanup mechanisms
backend/internal/huma/handlers/secrets.go	Adds REST API handlers for secret CRUD operations with proper authentication and error handling
backend/internal/services/container_service.go	Integrates secret cleanup with container lifecycle (stop/restart/delete operations)
backend/internal/huma/handlers/containers.go	Adds secret mount preparation during container creation with proper cleanup on errors

Context used:

Rule from dashboard - GoLang Best Practices

description: 'Instructions for writing Go code following idiomatic Go pra... (source)

kmendell · 2026-01-15T05:03:06Z

feat: file based secret management #1486 👈 (View in Graphite)
main

This stack of pull requests is managed by Graphite. Learn more about stacking.

github-actions · 2026-01-15T05:03:50Z

🔍 Deadcode Analysis

Found 1 unreachable functions in the backend.

View details

internal/utils/crypto/file_encryption.go:29:6: unreachable func: DecryptToTempFile

Only remove deadcode that you know is 100% no longer used.

Analysis from commit 4c13db5

greptile-apps

_{34 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

backend/internal/services/container_service.go

getarcaneappbot · 2026-01-15T05:07:11Z

Container images for this PR have been built successfully!

Manager: ghcr.io/getarcaneapp/arcane:pr-1486
Agent: ghcr.io/getarcaneapp/arcane-headless:pr-1486

Built from commit ad28d45

kmendell · 2026-01-15T05:17:46Z

@greptileai

greptile-apps

_{34 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

backend/internal/utils/crypto/file_encryption.go

github-actions · 2026-01-15T05:24:11Z

This pull request has merge conflicts. Please resolve the conflicts so the PR can stay up-to-date and reviewed.

backend/internal/utils/crypto/file_encryption.go

+	if err != nil {
+		return "", err
+	}
+	defer tmpFile.Close()


getarcaneappbot · 2026-02-01T04:13:52Z

Container images for this PR have been built successfully!

Manager: ghcr.io/getarcaneapp/arcane:pr-1486
Agent: ghcr.io/getarcaneapp/arcane-headless:pr-1486

Built from commit 82c5d24

getarcaneappbot · 2026-02-01T18:13:03Z

Container images for this PR have been built successfully!

Manager: ghcr.io/getarcaneapp/arcane:pr-1486
Agent: ghcr.io/getarcaneapp/arcane-headless:pr-1486

Built from commit 5d31679

getarcaneappbot · 2026-02-01T20:19:46Z

Container images for this PR have been built successfully!

Manager: ghcr.io/getarcaneapp/arcane:pr-1486
Agent: ghcr.io/getarcaneapp/arcane-headless:pr-1486

Built from commit d0227c5

getarcaneappbot · 2026-02-01T20:32:16Z

Container images for this PR have been built successfully!

Manager: ghcr.io/getarcaneapp/arcane:pr-1486
Agent: ghcr.io/getarcaneapp/arcane-headless:pr-1486

Built from commit 709a320

getarcaneappbot · 2026-02-01T22:57:41Z

Container images for this PR have been built successfully!

Manager: ghcr.io/getarcaneapp/arcane:pr-1486
Agent: ghcr.io/getarcaneapp/arcane-headless:pr-1486

Built from commit 73bf2e3

getarcaneappbot · 2026-02-02T05:03:05Z

Container images for this PR have been built successfully!

Manager: ghcr.io/getarcaneapp/arcane:pr-1486
Agent: ghcr.io/getarcaneapp/arcane-headless:pr-1486

Built from commit ef936c1

getarcaneappbot · 2026-02-03T05:07:56Z

Container images for this PR have been built successfully!

Manager: ghcr.io/getarcaneapp/arcane:pr-1486
Agent: ghcr.io/getarcaneapp/arcane-headless:pr-1486

Built from commit 0b05013

getarcaneappbot · 2026-02-03T05:34:31Z

Container images for this PR have been built successfully!

Manager: ghcr.io/getarcaneapp/arcane:pr-1486
Agent: ghcr.io/getarcaneapp/arcane-headless:pr-1486

Built from commit a77b176

getarcaneappbot · 2026-02-03T05:47:47Z

Container images for this PR have been built successfully!

Manager: ghcr.io/getarcaneapp/arcane:pr-1486
Agent: ghcr.io/getarcaneapp/arcane-headless:pr-1486

Built from commit f142c2f

getarcaneappbot · 2026-02-04T02:29:57Z

Container images for this PR have been built successfully!

Manager: ghcr.io/getarcaneapp/arcane:pr-1486
Agent: ghcr.io/getarcaneapp/arcane-headless:pr-1486

Built from commit 52889c2

kmendell · 2026-02-05T02:57:58Z

Will make this better in the future... Closing this for now.

kmendell marked this pull request as ready for review January 15, 2026 05:03

kmendell requested a review from a team January 15, 2026 05:03

kmendell force-pushed the feat/file-based-secrets branch from c0633ae to 34d0ebf Compare January 15, 2026 05:04

greptile-apps bot reviewed Jan 15, 2026

View reviewed changes

backend/internal/services/container_service.go Outdated Show resolved Hide resolved

kmendell added this to the v1.14.0 milestone Jan 15, 2026

kmendell force-pushed the feat/file-based-secrets branch from 34d0ebf to 51c35f0 Compare January 15, 2026 05:17

greptile-apps bot reviewed Jan 15, 2026

View reviewed changes

backend/internal/utils/crypto/file_encryption.go Outdated Show resolved Hide resolved

kmendell force-pushed the feat/file-based-secrets branch from 51c35f0 to d9c2fb5 Compare January 15, 2026 05:21

github-actions bot added the merge conflict label Jan 15, 2026

github-actions bot removed the merge conflict label Jan 15, 2026

kmendell force-pushed the feat/file-based-secrets branch 2 times, most recently from 970aecc to a40d961 Compare January 15, 2026 05:57

github-code-quality bot found potential problems Jan 15, 2026

View reviewed changes

backend/internal/utils/crypto/file_encryption.go

if err != nil {

return "", err

}

defer tmpFile.Close()

kmendell force-pushed the feat/file-based-secrets branch 3 times, most recently from 6bb2a44 to fd6bbc5 Compare January 18, 2026 03:13

kmendell changed the base branch from main to graphite-base/1486 January 18, 2026 03:13

kmendell changed the base branch from graphite-base/1486 to release/v1.14.0 January 18, 2026 03:13

kmendell force-pushed the feat/file-based-secrets branch 7 times, most recently from 5da1163 to 524cd63 Compare January 19, 2026 18:41

kmendell force-pushed the feat/file-based-secrets branch 4 times, most recently from 2d2c20e to 82c5d24 Compare February 1, 2026 04:09

kmendell force-pushed the feat/file-based-secrets branch from 82c5d24 to 5d31679 Compare February 1, 2026 18:09

kmendell force-pushed the feat/file-based-secrets branch from 5d31679 to d0227c5 Compare February 1, 2026 20:15

kmendell force-pushed the feat/file-based-secrets branch from d0227c5 to 709a320 Compare February 1, 2026 20:28

kmendell force-pushed the feat/file-based-secrets branch from 709a320 to 73bf2e3 Compare February 1, 2026 22:54

kmendell force-pushed the feat/file-based-secrets branch from 73bf2e3 to ef936c1 Compare February 2, 2026 05:00

kmendell force-pushed the feat/file-based-secrets branch 2 times, most recently from 658dc30 to 0b05013 Compare February 3, 2026 05:03

kmendell force-pushed the feat/file-based-secrets branch from 0b05013 to a77b176 Compare February 3, 2026 05:30

kmendell force-pushed the feat/file-based-secrets branch from a77b176 to f142c2f Compare February 3, 2026 05:43

kmendell force-pushed the feat/file-based-secrets branch from f142c2f to 52889c2 Compare February 4, 2026 02:26

kmendell force-pushed the feat/file-based-secrets branch 2 times, most recently from 7ce6658 to 4e7cf37 Compare February 4, 2026 23:25

feat: file based secret management

ad28d45

kmendell force-pushed the feat/file-based-secrets branch from 4e7cf37 to ad28d45 Compare February 4, 2026 23:37

kmendell closed this Feb 5, 2026

Uh oh!

Conversation

kmendell commented Jan 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Greptile Summary

Confidence Score: 4/5

Important Files Changed

Uh oh!

kmendell commented Jan 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Jan 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🔍 Deadcode Analysis

Uh oh!

greptile-apps bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

getarcaneappbot commented Jan 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

kmendell commented Jan 15, 2026

Uh oh!

greptile-apps bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

github-actions bot commented Jan 15, 2026

Uh oh!

getarcaneappbot commented Feb 1, 2026

Uh oh!

getarcaneappbot commented Feb 1, 2026

Uh oh!

getarcaneappbot commented Feb 1, 2026

Uh oh!

getarcaneappbot commented Feb 1, 2026

Uh oh!

getarcaneappbot commented Feb 1, 2026

Uh oh!

getarcaneappbot commented Feb 2, 2026

Uh oh!

getarcaneappbot commented Feb 3, 2026

Uh oh!

getarcaneappbot commented Feb 3, 2026

Uh oh!

getarcaneappbot commented Feb 3, 2026

Uh oh!

getarcaneappbot commented Feb 4, 2026

Uh oh!

kmendell commented Feb 5, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

kmendell commented Jan 15, 2026 •

edited

Loading

kmendell commented Jan 15, 2026 •

edited

Loading

github-actions bot commented Jan 15, 2026 •

edited

Loading

getarcaneappbot commented Jan 15, 2026 •

edited

Loading