fix(secrets): prevent duplicate DO Spaces key creation (#732)

* fix(secrets): prevent duplicate DO Spaces key creation

DO does not enforce name uniqueness on Spaces keys. The
provider_credential bootstrap path POSTed blindly every run; if the
bootstrap layer failed to persist the access_key+secret_key pair to
the configured store (or skipped existsInProvider for any reason),
the next run created another key with the same name. Repeated runs
accreted orphaned keys until the account hit DO's 200-key quota.

Each orphan is unrecoverable — DO returns secret_key once at
creation time, and List returns access_key only.

Changes:

- generateDOSpacesKey() now does a list-then-create. Pre-create call
  to https://api.digitalocean.com/v2/spaces/keys checks for a
  matching name; if found, returns an error naming the existing
  access_key with explicit recovery guidance (delete via console OR
  --force-rotate). The POST is never attempted in the conflict case.
- New lookupExistingSpacesKey() helper paginates through Spaces keys
  (10 × 100 cap) matching by exact name. Used by the pre-check AND
  by the 403 error branch (account-quota vs name-conflict
  disambiguation hint).
- Improved error wrapping: every "DO spaces key create" error now
  includes name=%q so the operator can correlate logs with DO
  console entries.
- stderr trace line on every create attempt: name + bucket + grant
  permission, so the failure mode is visible without re-running
  with extra flags.

Tests:
- TestGenerateDOSpacesKey_RejectsDuplicateNameBeforeCreate verifies
  the pre-check short-circuits and POST is never attempted when a
  duplicate exists. (postCalls == 0 asserted.)
- TestGenerateDOSpacesKey_403QuotaWithoutNameConflict covers the
  fallback hint when no name match but DO still returns 403.
- TestLookupExistingSpacesKey_PaginatedHit + _Miss cover the pager
  helper.
- Existing TestGenerateSecret_ProviderCredential_DOSpaces and
  _NoBucket / _WithBucket tests pass without changes — their GET
  handlers return 404 (no existing key) so the create path proceeds.
- TestGenerateDOSpacesKey_IncludesCreatedAt updated to stub both
  the new GET and the existing POST.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(secrets): require explicit name for DO Spaces key + fullaccess warning

Two follow-ups to the duplicate-creation fix:

1. Refuse the default name fallback. The prior default
   \`workflow-spaces-key\` was project-shared; multiple workflow-
   managed projects in one DO account would all try to create or
   adopt the same key. Force the caller to set a project-unique
   slug (e.g. \`multisite-deploy-key\`, \`wfcompute-deploy-key\`).

2. Emit a stderr WARN when permission=fullaccess is granted
   (i.e. no \`bucket:\` configured). Bootstrap necessarily uses
   fullaccess because the IaC state bucket does not exist yet,
   but once it does the operator should rotate to a bucket-
   scoped key via \`wfctl secrets rotate --target SPACES --bucket
   <state-bucket>\` to limit blast radius. The warning includes
   the exact rotate command.

Test updates:
- WithBucket / IncludesCreatedAt / NoBucket tests now pass an
  explicit name (was relying on the default).
- New TestGenerateDOSpacesKey_RequiresName covers the refuse-
  default-name path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(wfctl): transactional rollback + list-orphans for provider_credential

Round 2 of the DO Spaces orphan fix (workflow#732 follow-up).

Round 1 (already in this PR) added a list-before-create pre-check so
the generator refuses to POST a duplicate name. That prevents NEW
orphans whose root cause is a save-failure-after-mint loop.

This round closes the other half: the orphan-creation event itself.

cmd/wfctl/infra_bootstrap.go — bootstrapSecrets provider_credential
path now:

1. Extracts access_key + created_at BEFORE the Set loop (was inside
   the loop, so a first-iteration Set failure left the rollback path
   blind to the just-minted credential).
2. On ANY Set failure inside the loop, invokes credRevoker.
   RevokeProviderCredential with the just-minted access_key. If no
   revoker is registered, emits a loud ORPHANED-CREDENTIAL warning
   to stderr with the wfctl list-orphans recovery command pre-filled.
3. Rollback is best-effort: failure does not mask the original Set
   error.

cmd/wfctl/secrets_orphans.go — new \`wfctl secrets list-orphans\`
subcommand:

  wfctl secrets list-orphans --source digitalocean.spaces \
    --name workflow-spaces-key                # dry-run
  wfctl secrets list-orphans --source digitalocean.spaces \
    --name workflow-spaces-key --delete       # delete all matches

Lists every upstream credential whose name field equals --name
(DO Spaces does not enforce name uniqueness, so a single name can
map to many access_keys after the orphan loop). Bounded pager
(100 × 100 = 10 000 keys). Per-orphan delete continues on failure
to surface every recoverable orphan.

Currently supports digitalocean.spaces; extending to other sources
adds one switch arm.

Tests:

- TestBootstrapSecrets_ProviderCredential_RollbackOnSetFailure —
  Set(SPACES_secret_key) returns error; assert revoker invoked with
  AK_ORPHAN; assert original error surfaces.
- TestBootstrapSecrets_ProviderCredential_RollbackOnFirstSetFailure —
  Set(SPACES_access_key) (the very first call) returns error;
  asserts the access_key extraction reorder is correct (revoker
  must receive AK_FIRST even though we never even reached the
  access_key iteration).

These two tests reproduce the pre-fix orphan-creation bug
(generator succeeds + Set fails → DO key remains, no rollback
attempted). Without the rollback wiring they fail with
"expected 1 rollback-revoke call; got 0".

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(lint): annotate ghAPICmd #nosec G204

Pre-existing G204 false positive on a fixed-binary + url-escaped
endpoint subprocess. Documented inline; no behaviour change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(secrets): follow DO pagination + raise per_page to 200

list-orphans was using local page-counter increments. Earlier runs
truncated at 100 because per_page was 100 + the locally-bounded loop
returned after page 1. DO's Spaces Keys API allows per_page up to
200 and returns an absolute next-page URL in links.pages.next; we
now follow that URL rather than incrementing locally.

Also emits a stderr scan summary so debugging is observable from
the CI log without re-running with extra flags.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: intel352

cmd/wfctl/infra_bootstrap.go

@@ -713,19 +713,43 @@ var bootstrapSecrets = func(ctx context.Context, provider secrets.Provider, cfg
 					allowed[k] = true
 				}
 
-				// Capture access_key + created_at independently of storage so
-				// RotationResult always reports them on a force-rotate, even
-				// though access_key IS in the allowed set and created_at is
-				// NOT (per review #2 C5: stderr emission alone would skip
-				// access_key).
-				var newAccessKey, newCreatedAt string
-				for subKey, subVal := range subKeyMap {
-					if subKey == "access_key" {
-						newAccessKey = subVal
+				// Capture access_key + created_at BEFORE any Set call so the
+				// transactional rollback path has the upstream credential ID
+				// available even when the very first Set fails. Bug fix:
+				// previously these were extracted DURING iteration, so a
+				// Set("foo_access_key") failure left newAccessKey unset and
+				// the orphaned DO key invisible to the rollback path.
+				newAccessKey := subKeyMap["access_key"]
+				newCreatedAt := subKeyMap["created_at"]
+
+				// Transactional rollback: if ANY Set() inside the loop fails,
+				// revoke the just-created upstream credential before
+				// returning. The DO Spaces Keys API does NOT enforce name
+				// uniqueness, so a partially-applied generation without
+				// rollback leaves an orphaned key whose secret_key is
+				// permanently irrecoverable (see workflow#732 / SPEC V?).
+				//
+				// Rollback is best-effort — failure is logged but does not
+				// mask the original Set error. Operator can still find the
+				// orphan via the wfctl secrets list-orphans helper.
+				revokeOrphan := func(reason error) {
+					if newAccessKey == "" {
+						return
+					}
+					if credRevoker == nil {
+						fmt.Fprintf(os.Stderr, "warn: provider_credential %q minted access_key=%s but no revoker available; the upstream credential is now ORPHANED and unrecoverable. Run `wfctl secrets list-orphans --source %s --name %s` to clean up. Original error: %v\n",
+							gen.Key, newAccessKey, gen.Source, gen.Key, reason)
+						return
 					}
-					if subKey == "created_at" {
-						newCreatedAt = subVal
+					if revokeErr := credRevoker.RevokeProviderCredential(ctx, gen.Source, newAccessKey); revokeErr != nil {
+						fmt.Fprintf(os.Stderr, "warn: rollback-revoke just-minted credential %q (access_key=%s) failed: %v — manual cleanup required via `wfctl secrets list-orphans --source %s`\n",
+							gen.Key, newAccessKey, revokeErr, gen.Source)
+						return
 					}
+					fmt.Fprintf(os.Stderr, "wfctl: rolled back orphaned credential %q (access_key=%s) after Set failure\n", gen.Key, newAccessKey)
+				}
+
+				for subKey, subVal := range subKeyMap {
 					if !allowed[subKey] {
 						// Sidecar field — emit to stderr in machine-parseable form
 						// for operator observability + audit logs.
@@ -734,6 +758,7 @@ var bootstrapSecrets = func(ctx context.Context, provider secrets.Provider, cfg
 					}
 					fullKey := gen.Key + "_" + subKey
 					if setErr := provider.Set(ctx, fullKey, subVal); setErr != nil {
+						revokeOrphan(setErr)
 						return generated, rotations, fmt.Errorf("store secret %q: %w", fullKey, setErr)
 					}
 					generated[fullKey] = subVal
@@ -743,6 +768,7 @@ var bootstrapSecrets = func(ctx context.Context, provider secrets.Provider, cfg
 						fmt.Printf("  secret %q: created\n", fullKey)
 					}
 				}
+				_ = newCreatedAt // captured into RotationResult below
 				if forceRotate[gen.Key] {
 					fmt.Fprintf(os.Stderr, "wfctl: rotated provider_credential %s (replaced existing value at %s)\n", gen.Key, time.Now().UTC().Format(time.RFC3339))
 					// Record the rotation in-process so callers (rotate-and-prune)

cmd/wfctl/infra_bootstrap_secrets_test.go

@@ -265,3 +265,125 @@ func TestBootstrapSecrets_ProviderCredentialProbeIgnoresBareKey(t *testing.T) {
 		t.Fatalf("generator called %d times, want 1", generateCalls)
 	}
 }
+
+// failOnSetProvider triggers a Set() failure on the first matching key
+// — used to exercise the transactional rollback path when a
+// provider_credential creation succeeds upstream but the store-write
+// half fails (e.g. GH PAT lost permissions mid-bootstrap).
+type failOnSetProvider struct {
+	failKey  string
+	setCalls []string
+}
+
+func (p *failOnSetProvider) Name() string { return "fail-on-set" }
+func (p *failOnSetProvider) Get(_ context.Context, _ string) (string, error) {
+	return "", secrets.ErrUnsupported
+}
+func (p *failOnSetProvider) Set(_ context.Context, key, _ string) error {
+	p.setCalls = append(p.setCalls, key)
+	if key == p.failKey {
+		return errFakeStoreUnavailable
+	}
+	return nil
+}
+func (p *failOnSetProvider) Delete(_ context.Context, _ string) error { return nil }
+func (p *failOnSetProvider) List(_ context.Context) ([]string, error) {
+	return nil, secrets.ErrUnsupported
+}
+
+// recordingRevoker captures RevokeProviderCredential calls so the test
+// can assert rollback occurred. Implements interfaces.ProviderCredentialRevoker.
+type recordingRevoker struct {
+	calls []revokeCall
+}
+type revokeCall struct {
+	source       string
+	credentialID string
+}
+
+func (r *recordingRevoker) RevokeProviderCredential(_ context.Context, source, credentialID string) error {
+	r.calls = append(r.calls, revokeCall{source: source, credentialID: credentialID})
+	return nil
+}
+
+var errFakeStoreUnavailable = errFakeStore("store unavailable (simulated)")
+
+type errFakeStore string
+
+func (e errFakeStore) Error() string { return string(e) }
+
+// TestBootstrapSecrets_ProviderCredential_RollbackOnSetFailure is the
+// regression test for the orphan-key bug: when generateSecret returns a
+// fresh DO Spaces key but provider.Set fails to persist it, bootstrap
+// MUST revoke the just-minted upstream credential.
+//
+// Pre-fix behaviour: Set fails → return error → DO key remains in the
+// account with an unrecoverable secret_key. Every subsequent run mints
+// another orphan with the same name.
+//
+// Post-fix: Set failure triggers credRevoker.RevokeProviderCredential
+// with the access_key from the just-generated subKeyMap.
+func TestBootstrapSecrets_ProviderCredential_RollbackOnSetFailure(t *testing.T) {
+	withStubGenerator(t, func(_ context.Context, _ string, _ map[string]any) (string, error) {
+		out, _ := json.Marshal(map[string]string{
+			"access_key": "AK_ORPHAN",
+			"secret_key": "SK_DOOMED",
+		})
+		return string(out), nil
+	})
+
+	p := &failOnSetProvider{failKey: "SPACES_secret_key"}
+	rev := &recordingRevoker{}
+	cfg := &SecretsConfig{
+		Generate: []SecretGen{
+			{Key: "SPACES", Type: "provider_credential", Source: "digitalocean.spaces"},
+		},
+	}
+
+	_, _, err := bootstrapSecrets(context.Background(), p, cfg, nil, rev)
+	if err == nil {
+		t.Fatal("expected Set failure to surface as error")
+	}
+
+	if len(rev.calls) != 1 {
+		t.Fatalf("expected 1 rollback-revoke call; got %d", len(rev.calls))
+	}
+	if rev.calls[0].credentialID != "AK_ORPHAN" {
+		t.Errorf("rollback called with credentialID=%q want AK_ORPHAN", rev.calls[0].credentialID)
+	}
+	if rev.calls[0].source != "digitalocean.spaces" {
+		t.Errorf("rollback source=%q want digitalocean.spaces", rev.calls[0].source)
+	}
+}
+
+// TestBootstrapSecrets_ProviderCredential_RollbackOnFirstSetFailure
+// guards the most insidious shape of the bug: the very first Set call
+// fails (e.g. access_key write). The pre-fix code extracted
+// newAccessKey *during* the for-range loop, so a first-iteration
+// failure left newAccessKey empty even though the upstream key exists.
+// The fix extracts access_key BEFORE the loop.
+func TestBootstrapSecrets_ProviderCredential_RollbackOnFirstSetFailure(t *testing.T) {
+	withStubGenerator(t, func(_ context.Context, _ string, _ map[string]any) (string, error) {
+		out, _ := json.Marshal(map[string]string{
+			"access_key": "AK_FIRST",
+			"secret_key": "SK_FIRST",
+		})
+		return string(out), nil
+	})
+
+	p := &failOnSetProvider{failKey: "SPACES_access_key"}
+	rev := &recordingRevoker{}
+	cfg := &SecretsConfig{
+		Generate: []SecretGen{
+			{Key: "SPACES", Type: "provider_credential", Source: "digitalocean.spaces"},
+		},
+	}
+
+	_, _, err := bootstrapSecrets(context.Background(), p, cfg, nil, rev)
+	if err == nil {
+		t.Fatal("expected Set failure")
+	}
+	if len(rev.calls) != 1 || rev.calls[0].credentialID != "AK_FIRST" {
+		t.Errorf("rollback calls = %v; want one revoke of AK_FIRST", rev.calls)
+	}
+}

cmd/wfctl/plugin_marketplace_verify.go

@@ -85,6 +85,11 @@ Options:
 
 // ghAPICmd is the indirection point so tests can inject a fake gh binary.
 // Default is the real `gh api` CLI.
+//
+// #nosec G204 -- the binary is the fixed string "gh" and `endpoint` is
+// constructed from a literal-prefix + URL-escaped query inside this
+// package (urlQueryEscape sanitises). No user-controlled shell metachars
+// flow into the subprocess.
 var ghAPICmd = func(ctx context.Context, endpoint string) ([]byte, error) {
 	cmd := exec.CommandContext(ctx, "gh", "api", endpoint)
 	return cmd.Output()

cmd/wfctl/secrets.go

@@ -32,6 +32,8 @@ func runSecrets(args []string) error {
 		return runSecretsSync(args[1:])
 	case "setup":
 		return runSecretsSetup(args[1:])
+	case "list-orphans":
+		return runSecretsListOrphans(args[1:])
 	default:
 		return secretsUsage()
 	}
@@ -54,6 +56,7 @@ Actions:
   rotate    Trigger rotation of a secret
   sync      Copy secret structure between environments
   setup     Interactively set all secrets for an environment
+  list-orphans  List/delete duplicate-named upstream credentials (e.g. DO Spaces keys)
 
 Ad-hoc provider flags (set, get, list, delete, export):
   --provider  Override provider: keychain, env, aws
@@ -75,6 +78,8 @@ Examples:
   wfctl secrets sync --from staging --to production
   wfctl secrets setup --env local
   wfctl secrets setup --env production --auto-gen-keys
+  wfctl secrets list-orphans --source digitalocean.spaces --name workflow-spaces-key
+  wfctl secrets list-orphans --source digitalocean.spaces --name workflow-spaces-key --delete
 `)
 	return fmt.Errorf("missing or unknown action")
 }