feat: add Secrets Manager browser (M3.9)

- Add SecretsManagerClientAPI interface and client to AwsRepository
- Implement ListSecrets() and GetSecretDetail() with JSON key/value parsing
- Register ServiceSecretsManager and FeatureSecretsBrowser in domain catalog
- Add screenSecretList and screenSecretDetail TUI screens with filter support
- Add Secret and SecretDetail models with DisplayTitle() and FilterText()
- Add mock-based tests for list, get, and model methods

Author: jjjjjjeonda86

PLAN.md

@@ -161,6 +161,10 @@ unic/
 - Graph rendering: Bubbletea viewport with braille/block characters
 - Multiple metrics overlay on single chart
 
+**M3.9 — Secrets Manager**
+- List secrets
+- Drill into secret detail: name, key/value pairs, encryption key (KMS key ID)
+
 ---
 
 ### M4 — Polish & Release

go.mod

@@ -24,6 +24,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 // indirect
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 // indirect
 	github.com/aws/smithy-go v1.24.2 // indirect

go.sum

@@ -20,6 +20,8 @@ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 h1:2HvVAIq+
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20/go.mod h1:V4X406Y666khGa8ghKmphma/7C0DAtEQYhkq9z4vpbk=
 github.com/aws/aws-sdk-go-v2/service/rds v1.116.3 h1:H/ZYZ6QR4EXJAYElI5xkIM/yCz+A4uHIvWpzl+IfJks=
 github.com/aws/aws-sdk-go-v2/service/rds v1.116.3/go.mod h1:QbXW4coAMakHQhf1qhE0eVVCen9gwB/Kvn+HHHKhpGY=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.4 h1:9aZbO86sraeCIHHCpZhxwN9tnVy9POkSKzi4/TpT54A=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.4/go.mod h1:cxiXDhEzIq7Xx1BtmC4lGBK3SwAZ79+EUWiKawYHo14=
 github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 h1:0GFOLzEbOyZABS3PhYfBIx2rNBACYcKty+XGkTgw1ow=
 github.com/aws/aws-sdk-go-v2/service/signin v1.0.8/go.mod h1:LXypKvk85AROkKhOG6/YEcHFPoX+prKTowKnVdcaIxE=
 github.com/aws/aws-sdk-go-v2/service/ssm v1.68.3 h1:bBoWhx8lsFLTXintRX64ZBXcmFZbGqUmaPUrjXECqIc=

internal/app/app.go

@@ -28,6 +28,8 @@ const (
 	screenRDSList
 	screenRDSDetail
 	screenRDSConfirm
+	screenSecretList
+	screenSecretDetail
 	screenContextPicker
 	screenContextAdd
 	screenLoading
@@ -96,6 +98,14 @@ type rdsTickMsg struct {
 	instanceID string
 }
 
+type secretsLoadedMsg struct {
+	secrets []awsservice.Secret
+}
+
+type secretDetailLoadedMsg struct {
+	detail *awsservice.SecretDetail
+}
+
 // Model is the root Bubbletea model.
 type Model struct {
 	cfg      *config.Config
@@ -146,6 +156,14 @@ type Model struct {
 	rdsConfirmInput string // typed input for destructive action confirmation
 	rdsPolling      bool
 
+	// Secrets Manager browser state
+	secrets        []awsservice.Secret
+	filteredSecrets []awsservice.Secret
+	secretIdx      int
+	secretFilter   string
+	secretFilterActive bool
+	selectedSecret *awsservice.SecretDetail
+
 	// Context picker
 	configPath         string
 	ctxList            []config.ContextInfo
@@ -251,6 +269,18 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 		m.screen = screenRDSList
 		return m, nil
 
+	case secretsLoadedMsg:
+		m.secrets = msg.secrets
+		m.filteredSecrets = msg.secrets
+		m.secretIdx = 0
+		m.screen = screenSecretList
+		return m, nil
+
+	case secretDetailLoadedMsg:
+		m.selectedSecret = msg.detail
+		m.screen = screenSecretDetail
+		return m, nil
+
 	case rdsActionDoneMsg:
 		if msg.err != nil {
 			m.errMsg = msg.err.Error()
@@ -366,6 +396,10 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 			return m.updateRDSDetail(msg)
 		case screenRDSConfirm:
 			return m.updateRDSConfirm(msg)
+		case screenSecretList:
+			return m.updateSecretList(msg)
+		case screenSecretDetail:
+			return m.updateSecretDetail(msg)
 		case screenContextPicker:
 			return m.updateContextPicker(msg)
 		case screenContextAdd:
@@ -429,6 +463,9 @@ func (m Model) updateFeatureList(msg tea.KeyMsg) (tea.Model, tea.Cmd) {
 			case domain.FeatureRDSBrowser:
 				m.screen = screenLoading
 				return m, m.loadRDSInstances()
+			case domain.FeatureSecretsBrowser:
+				m.screen = screenLoading
+				return m, m.loadSecrets()
 			}
 		}
 	}
@@ -1021,6 +1058,10 @@ func (m Model) View() string {
 		v = m.viewRDSDetail()
 	case screenRDSConfirm:
 		v = m.viewRDSConfirm()
+	case screenSecretList:
+		v = m.viewSecretList()
+	case screenSecretDetail:
+		v = m.viewSecretDetail()
 	case screenContextPicker:
 		v = m.viewContextPicker()
 	case screenContextAdd:
@@ -1698,3 +1739,209 @@ func (m Model) viewRDSConfirm() string {
 	}
 	return b.String()
 }
+
+func (m Model) loadSecrets() tea.Cmd {
+	return func() tea.Msg {
+		ctx := context.Background()
+		repo, err := awsservice.NewAwsRepository(ctx, m.cfg)
+		if err != nil {
+			return errMsg{err: err}
+		}
+		secrets, err := repo.ListSecrets(ctx)
+		if err != nil {
+			return errMsg{err: err}
+		}
+		if len(secrets) == 0 {
+			return errMsg{err: fmt.Errorf("no secrets found")}
+		}
+		return secretsLoadedMsg{secrets: secrets}
+	}
+}
+
+func (m Model) loadSecretDetail(name string) tea.Cmd {
+	return func() tea.Msg {
+		ctx := context.Background()
+		repo := m.awsRepo
+		if repo == nil {
+			var err error
+			repo, err = awsservice.NewAwsRepository(ctx, m.cfg)
+			if err != nil {
+				return errMsg{err: err}
+			}
+		}
+		detail, err := repo.GetSecretDetail(ctx, name)
+		if err != nil {
+			return errMsg{err: err}
+		}
+		return secretDetailLoadedMsg{detail: detail}
+	}
+}
+
+func (m Model) updateSecretList(msg tea.KeyMsg) (tea.Model, tea.Cmd) {
+	key := msg.String()
+
+	if m.secretFilterActive {
+		switch key {
+		case "esc":
+			m.secretFilterActive = false
+		case "enter":
+			m.secretFilterActive = false
+		case "backspace":
+			if len(m.secretFilter) > 0 {
+				m.secretFilter = m.secretFilter[:len(m.secretFilter)-1]
+				m.applySecretFilter()
+			}
+		default:
+			if len(key) == 1 {
+				m.secretFilter += key
+				m.applySecretFilter()
+			}
+		}
+		return m, nil
+	}
+
+	switch key {
+	case "q", "esc":
+		m.screen = screenFeatureList
+		m.secretFilter = ""
+		m.filteredSecrets = m.secrets
+		m.secretIdx = 0
+	case "up", "k":
+		if m.secretIdx > 0 {
+			m.secretIdx--
+		}
+	case "down", "j":
+		if m.secretIdx < len(m.filteredSecrets)-1 {
+			m.secretIdx++
+		}
+	case "/":
+		m.secretFilterActive = true
+	case "enter":
+		if len(m.filteredSecrets) > 0 && m.secretIdx < len(m.filteredSecrets) {
+			selected := m.filteredSecrets[m.secretIdx]
+			m.screen = screenLoading
+			return m, m.loadSecretDetail(selected.Name)
+		}
+	}
+	return m, nil
+}
+
+func (m Model) updateSecretDetail(msg tea.KeyMsg) (tea.Model, tea.Cmd) {
+	switch msg.String() {
+	case "q", "esc":
+		m.selectedSecret = nil
+		m.screen = screenSecretList
+	}
+	return m, nil
+}
+
+func (m *Model) applySecretFilter() {
+	if m.secretFilter == "" {
+		m.filteredSecrets = m.secrets
+	} else {
+		query := strings.ToLower(m.secretFilter)
+		var result []awsservice.Secret
+		for _, s := range m.secrets {
+			if strings.Contains(s.FilterText(), query) {
+				result = append(result, s)
+			}
+		}
+		m.filteredSecrets = result
+	}
+	m.secretIdx = 0
+}
+
+func (m Model) viewSecretList() string {
+	var b strings.Builder
+	b.WriteString(m.renderStatusBar())
+	b.WriteString(titleStyle.Render("Secrets Manager"))
+	b.WriteString("\n")
+
+	if m.secretFilterActive {
+		b.WriteString(filterStyle.Render(fmt.Sprintf("Filter: %s▏", m.secretFilter)))
+	} else if m.secretFilter != "" {
+		b.WriteString(dimStyle.Render(fmt.Sprintf("Filter: %s", m.secretFilter)))
+	}
+	b.WriteString("\n\n")
+
+	if len(m.filteredSecrets) == 0 {
+		b.WriteString(dimStyle.Render("  No matching secrets"))
+		b.WriteString("\n")
+	} else {
+		visibleLines := max(m.height-8, 5)
+		start := 0
+		if m.secretIdx >= visibleLines {
+			start = m.secretIdx - visibleLines + 1
+		}
+		end := min(start+visibleLines, len(m.filteredSecrets))
+
+		for i := start; i < end; i++ {
+			s := m.filteredSecrets[i]
+			cursor := "  "
+			style := normalStyle
+			if i == m.secretIdx {
+				cursor = "> "
+				style = selectedStyle
+			}
+			b.WriteString(style.Render(fmt.Sprintf("%s%s", cursor, s.DisplayTitle())))
+			b.WriteString("\n")
+		}
+
+		b.WriteString("\n")
+		b.WriteString(dimStyle.Render(fmt.Sprintf("  %d/%d secrets", len(m.filteredSecrets), len(m.secrets))))
+	}
+
+	b.WriteString("\n")
+	b.WriteString(dimStyle.Render("↑/↓: navigate • /: filter • enter: detail • esc: back • H: home"))
+	return b.String()
+}
+
+func (m Model) viewSecretDetail() string {
+	if m.selectedSecret == nil {
+		return ""
+	}
+	d := m.selectedSecret
+	var b strings.Builder
+	b.WriteString(m.renderStatusBar())
+	b.WriteString(titleStyle.Render("Secret Detail"))
+	b.WriteString("\n\n")
+
+	labelStyle := lipgloss.NewStyle().Width(14)
+	b.WriteString(normalStyle.Render(fmt.Sprintf("  %s%s", labelStyle.Render("Name"), d.Name)))
+	b.WriteString("\n")
+
+	kmsKey := d.KMSKeyID
+	if kmsKey == "" {
+		kmsKey = dimStyle.Render("(aws/secretsmanager)")
+	}
+	b.WriteString(normalStyle.Render(fmt.Sprintf("  %s%s", labelStyle.Render("Encryption Key"), kmsKey)))
+	b.WriteString("\n\n")
+
+	if len(d.Values) > 0 {
+		b.WriteString(titleStyle.Render("Key / Value"))
+		b.WriteString("\n\n")
+
+		keys := make([]string, 0, len(d.Values))
+		for k := range d.Values {
+			keys = append(keys, k)
+		}
+		for i := 1; i < len(keys); i++ {
+			for j := i; j > 0 && keys[j] < keys[j-1]; j-- {
+				keys[j], keys[j-1] = keys[j-1], keys[j]
+			}
+		}
+
+		for _, k := range keys {
+			b.WriteString(fmt.Sprintf("  %s  %s\n", dimStyle.Render(k), normalStyle.Render(d.Values[k])))
+		}
+	} else if d.Raw != "" {
+		b.WriteString(titleStyle.Render("Value"))
+		b.WriteString("\n\n")
+		b.WriteString(normalStyle.Render(fmt.Sprintf("  %s", d.Raw)))
+		b.WriteString("\n")
+	}
+
+	b.WriteString("\n")
+	b.WriteString(dimStyle.Render("esc: back • H: home"))
+	return b.String()
+}

internal/domain/catalog.go

@@ -30,5 +30,14 @@ func Catalog() []Service {
 				},
 			},
 		},
+		{
+			Name: ServiceSecretsManager,
+			Features: []Feature{
+				{
+					Kind:        FeatureSecretsBrowser,
+					Description: "Browse secrets and view key/value pairs",
+				},
+			},
+		},
 	}
 }

internal/domain/model.go

@@ -4,18 +4,20 @@ package domain
 type AwsService string
 
 const (
-	ServiceEC2 AwsService = "EC2"
-	ServiceVPC AwsService = "VPC"
-	ServiceRDS AwsService = "RDS"
+	ServiceEC2            AwsService = "EC2"
+	ServiceVPC            AwsService = "VPC"
+	ServiceRDS            AwsService = "RDS"
+	ServiceSecretsManager AwsService = "Secrets Manager"
 )
 
 // FeatureKind represents a specific feature within a service.
 type FeatureKind string
 
 const (
-	FeatureSSMSession  FeatureKind = "SSM Sessions Manager"
-	FeatureVPCBrowser  FeatureKind = "VPC Browser"
-	FeatureRDSBrowser  FeatureKind = "RDS Browser"
+	FeatureSSMSession      FeatureKind = "SSM Sessions Manager"
+	FeatureVPCBrowser      FeatureKind = "VPC Browser"
+	FeatureRDSBrowser      FeatureKind = "RDS Browser"
+	FeatureSecretsBrowser  FeatureKind = "Secrets Manager Browser"
 )
 
 // Feature describes a selectable feature under an AWS service.