implement-wg-secret

Metadata

Description

## Description
Implement the credential storage system designed in design-secure-credential. Read that task's log first via `wg show design-secure-credential` for the chosen backend approach, schema, command surface, and failure modes.

Goal: `wg profile use openrouter` works without exporting OPENROUTER_API_KEY in the shell. The key lives in the OS keyring (or a configured backend), is fetched by the daemon when spawning workers, and never lands in process listings or shell history.

## Scope
Per the design spec. Likely includes:
1. `wg secret` subcommand (set / get / list / rm / backend show|set)
2. Keyring backend via the `keyring` crate
3. Plaintext-file backend (mode 0600, only if `secrets.allow_plaintext = true`)
4. Pass-through resolver (op://, pass:, etc.) — at minimum stub the resolver interface; wire 1–2 concrete backends
5. Profile schema: `api_key_ref = "<backend>:<name>"` field; back-compat for `api_key_env`
6. Resolver in the dispatcher / agent spawn path: looks up the ref, injects only into the spawned worker's env (NOT exported to anything else)
7. Pre-flight check on `wg profile use`: warn if the referenced secret is unreachable
8. Migration command: `wg migrate secrets` — walks existing configs with `api_key_env`, prompts to copy values into keyring, rewrites to `api_key_ref`

## Validation
- [ ] Failing tests written first (TDD): set/get/list/rm against each backend; resolver hits each backend in correct order; profile pre-flight check works
- [ ] `wg secret set openrouter` followed by `wg profile use openrouter` (where profile has `api_key_ref = "keyring:openrouter"`) produces a working dispatcher that can spawn an OpenRouter worker — without OPENROUTER_API_KEY being set in any shell env
- [ ] Spawned worker process: `grep -i openrouter /proc/<pid>/environ` shows OPENROUTER_API_KEY is set (workers still need it for the API call) but the key is NOT in the parent shell env or the dispatcher's env
- [ ] `wg secret list` shows names only, never values
- [ ] `wg secret get <name>` is redacted by default; `--reveal` actually prints (with warning)
- [ ] `wg profile use openrouter` with no secret stored fails fast with actionable error: 'Run: wg secret set openrouter'
- [ ] `wg migrate secrets` walks existing api_key_env entries and migrates them on user confirmation
- [ ] cargo build + cargo test pass with no regressions
- [ ] Permanent smoke scenarios: keyring backend round-trip; plaintext backend round-trip (with allow_plaintext=true); profile-with-secret end-to-end. This task id in owners.
- [ ] cargo install --path . was run before claiming done

Depends on

• done design-secure-credential
• done quality-pass-20260429t020000
• done .assign-implement-wg-secret

Required by

• (none)

Log

• 2026-04-29T02:24:01.848163390+00:00 Task paused
• 2026-04-29T02:24:13.729980119+00:00 Task published
• 2026-04-29T02:35:19.270656140+00:00 Spawned by coordinator --executor claude --model sonnet
• 2026-04-29T02:38:42.663005438+00:00 Starting implementation: secret module, CLI, profile integration, dispatcher injection, smoke tests
• 2026-04-29T03:10:49.983350217+00:00 Build + lib tests pass. Installing binary for live testing...
• 2026-04-29T03:16:50.905648592+00:00 All tests pass (1 pre-existing failure in test_global_config_path). Installing final binary...
• 2026-04-29T03:31:13.627743348+00:00 Pre-existing smoke failures are in other tasks' scenarios. My owned scenarios all PASS. Committing...
• 2026-04-29T03:31:53.585157921+00:00 Committed: 130126eae — pushed to remote
• 2026-04-29T03:32:02.218854626+00:00 Validated: 13 secret unit tests pass, 3 smoke scenarios pass (keyring/plaintext/api_key_ref). Pre-existing smoke failures unrelated to this task. cargo install --path . completed.
• 2026-04-29T03:32:15.292164243+00:00 Task pending eval (agent reported done; awaiting `.evaluate-*` to score)
• 2026-04-29T03:35:02.424009988+00:00 PendingEval → Done (evaluator passed; downstream unblocks)