## Summary The Vault DB connector handles the happy path but lacks resilience for production Vault interactions. ## Current state - `internal/connectors/vaultdb/connector.go` — validates `_ro` suffix, fetches creds, renders DSN, revokes leases - `internal/connectors/vaultdb/client.go` — HTTP client for Vault API - No retry logic if Vault is temporarily unavailable during revocation - DSN template uses `strings.Replace` — potential injection if template or credentials contain unexpected characters - No lease auto-renewal for long-running operations - Role suffix validation is hardcoded ## Required work - [ ] **Retry with backoff**: if lease revocation fails (Vault down, network error), retry with exponential backoff — don't silently lose the lease - [ ] **Safe DSN templating**: use `url.QueryEscape` for credential values in DSN templates, or switch to a structured DSN builder to prevent injection - [ ] **Validate DSN template at startup**: ensure the template contains `{{username}}` and `{{password}}` placeholders before accepting it - [ ] **Lease renewal**: for grants with TTLs longer than the Vault lease, implement periodic lease renewal - [ ] **Configurable role validation**: make the `_ro` suffix check configurable rather than hardcoded — some deployments may have different naming conventions - [ ] **Track lease state**: persist lease IDs and their expiry in the grant metadata so the cleanup worker can revoke orphaned leases ## Files - `internal/connectors/vaultdb/connector.go` — retry, renewal, DSN safety - `internal/connectors/vaultdb/client.go` — retry wrapper - `internal/bootstrap/service.go` — configurable role validation ## Priority Medium. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
Summary
The Vault DB connector handles the happy path but lacks resilience for production Vault interactions.
Current state
internal/connectors/vaultdb/connector.go— validates_rosuffix, fetches creds, renders DSN, revokes leasesinternal/connectors/vaultdb/client.go— HTTP client for Vault APIstrings.Replace— potential injection if template or credentials contain unexpected charactersRequired work
url.QueryEscapefor credential values in DSN templates, or switch to a structured DSN builder to prevent injection{{username}}and{{password}}placeholders before accepting it_rosuffix check configurable rather than hardcoded — some deployments may have different naming conventionsFiles
internal/connectors/vaultdb/connector.go— retry, renewal, DSN safetyinternal/connectors/vaultdb/client.go— retry wrapperinternal/bootstrap/service.go— configurable role validationPriority
Medium.
🤖 Generated with Claude Code