feat: implement PAT token encryption at rest

Dockerfile

@@ -1,7 +1,7 @@
 # API server only — no UI, no web build stage.
 # The UI lives in its own container (web/Dockerfile) and proxies /api here.
 
-FROM golang:1.24-alpine AS build
+FROM golang:1.25-alpine AS build
 WORKDIR /src
 COPY go.mod go.sum ./
 RUN go mod download

pkg/api/agents.go

@@ -174,11 +174,14 @@ func (s *Server) handleCreateAgent(w http.ResponseWriter, r *http.Request) {
 		Name:       name,
 		RepoURL:    repo,
 		Ref:        ref,
-		PAT:        strings.TrimSpace(body.PAT),
 		AuthStatus: storage.AuthUntested,
 		CreatedAt:  now,
 		UpdatedAt:  now,
 	}
+	if err := a.SetPAT(strings.TrimSpace(body.PAT)); err != nil {
+		writeError(w, http.StatusInternalServerError, err)
+		return
+	}
 	if err := s.agents.Create(r.Context(), a); err != nil {
 		writeError(w, http.StatusInternalServerError, err)
 		return
@@ -202,9 +205,11 @@ func (s *Server) handleDeleteAgent(w http.ResponseWriter, r *http.Request) {
 	// dangling hooks pointing at a dead agent ID.
 	if a, err := s.agents.Get(r.Context(), id); err == nil && a.WebhookID != 0 {
 		if repo, perr := github.ParseRepo(a.RepoURL); perr == nil {
-			ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
-			_ = github.NewClient(a.PAT).UninstallWebhook(ctx, repo, a.WebhookID)
-			cancel()
+			if pat, perr := a.GetPAT(); perr == nil && pat != "" {
+				ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+				_ = github.NewClient(pat).UninstallWebhook(ctx, repo, a.WebhookID)
+				cancel()
+			}
 		}
 	}
 	if err := s.agents.Delete(r.Context(), id); err != nil {
@@ -223,14 +228,19 @@ func (s *Server) handleTestAgentAuth(w http.ResponseWriter, r *http.Request) {
 		writeStorageErr(w, err, "agent not found")
 		return
 	}
+	pat, err := a.GetPAT()
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, fmt.Errorf("decrypt PAT: %w", err))
+		return
+	}
 	repo, err := github.ParseRepo(a.RepoURL)
 	if err != nil {
 		writeError(w, http.StatusBadRequest, err)
 		return
 	}
 	ctx, cancel := context.WithTimeout(r.Context(), 15*time.Second)
 	defer cancel()
-	authErr := github.NewClient(a.PAT).TestAuth(ctx, repo)
+	authErr := github.NewClient(pat).TestAuth(ctx, repo)
 
 	now := time.Now().UTC()
 	a.AuthCheckedAt = &now
@@ -268,7 +278,12 @@ func (s *Server) handleInstallWebhook(w http.ResponseWriter, r *http.Request) {
 		writeStorageErr(w, err, "agent not found")
 		return
 	}
-	if a.PAT == "" {
+	pat, err := a.GetPAT()
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, fmt.Errorf("decrypt PAT: %w", err))
+		return
+	}
+	if pat == "" {
 		writeError(w, http.StatusBadRequest, errors.New("agent has no PAT — re-create with one"))
 		return
 	}
@@ -288,7 +303,7 @@ func (s *Server) handleInstallWebhook(w http.ResponseWriter, r *http.Request) {
 
 	ctx, cancel := context.WithTimeout(r.Context(), 20*time.Second)
 	defer cancel()
-	hookID, err := github.NewClient(a.PAT).InstallWebhook(ctx, repo, callback, secret)
+	hookID, err := github.NewClient(pat).InstallWebhook(ctx, repo, callback, secret)
 	if err != nil {
 		writeError(w, http.StatusBadGateway, err)
 		return
@@ -301,7 +316,7 @@ func (s *Server) handleInstallWebhook(w http.ResponseWriter, r *http.Request) {
 	a.UpdatedAt = now
 	if err := s.agents.Update(r.Context(), a); err != nil {
 		// Try to roll back the hook so we don't leak it.
-		_ = github.NewClient(a.PAT).UninstallWebhook(ctx, repo, hookID)
+		_ = github.NewClient(pat).UninstallWebhook(ctx, repo, hookID)
 		writeError(w, http.StatusInternalServerError, err)
 		return
 	}
@@ -319,14 +334,19 @@ func (s *Server) handleUninstallWebhook(w http.ResponseWriter, r *http.Request)
 		writeError(w, http.StatusBadRequest, errors.New("no webhook installed"))
 		return
 	}
+	pat, err := a.GetPAT()
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, fmt.Errorf("decrypt PAT: %w", err))
+		return
+	}
 	repo, err := github.ParseRepo(a.RepoURL)
 	if err != nil {
 		writeError(w, http.StatusBadRequest, err)
 		return
 	}
 	ctx, cancel := context.WithTimeout(r.Context(), 15*time.Second)
 	defer cancel()
-	if err := github.NewClient(a.PAT).UninstallWebhook(ctx, repo, a.WebhookID); err != nil {
+	if err := github.NewClient(pat).UninstallWebhook(ctx, repo, a.WebhookID); err != nil {
 		writeError(w, http.StatusBadGateway, err)
 		return
 	}

pkg/executors/build.go

@@ -66,6 +66,11 @@ func (e *BuildExecutor) Execute(ctx context.Context, node models.NodeDef, inputs
 		return nil, fmt.Errorf("build: load agent %q: %w", agentID, err)
 	}
 
+	pat, err := a.GetPAT()
+	if err != nil {
+		return nil, fmt.Errorf("build: decrypt PAT: %w", err)
+	}
+
 	mode := strParam(node.Parameters, "mode", "docker")
 	timeoutSec := intParam(node.Parameters, "timeoutSeconds", 600)
 	if timeoutSec < 10 {
@@ -89,7 +94,7 @@ func (e *BuildExecutor) Execute(ctx context.Context, node models.NodeDef, inputs
 		"main",
 	))
 
-	cloneDir, cleanup, err := cloneRepo(ctx, a, ref, commitSHA, time.Duration(timeoutSec)*time.Second)
+	cloneDir, cleanup, err := cloneRepo(ctx, a.RepoURL, a.Name, pat, ref, commitSHA, time.Duration(timeoutSec)*time.Second)
 	if err != nil {
 		return nil, err
 	}
@@ -115,7 +120,7 @@ func (e *BuildExecutor) Execute(ctx context.Context, node models.NodeDef, inputs
 			"log_tail":  logTail,
 		}
 	case "docker", "":
-		summary, logTail, runErr = runDockerMode(hardCtx, node, a, cloneDir, ref, commitSHA)
+		summary, logTail, runErr = runDockerMode(hardCtx, node, a.Name, pat, cloneDir, ref, commitSHA)
 	default:
 		return nil, fmt.Errorf("build: unknown mode %q (want docker|shell)", mode)
 	}
@@ -175,7 +180,7 @@ func runShellMode(ctx context.Context, node models.NodeDef, a *storage.Agent, cl
 
 // --- docker (BuildKit) mode ---------------------------------------------
 
-func runDockerMode(ctx context.Context, node models.NodeDef, a *storage.Agent, cloneDir, ref, commitSHA string) (map[string]any, string, error) {
+func runDockerMode(ctx context.Context, node models.NodeDef, agentName, pat, cloneDir, ref, commitSHA string) (map[string]any, string, error) {
 	bkAddr := os.Getenv("BUILDKIT_HOST")
 	if bkAddr == "" {
 		// docker-compose publishes buildkitd on 127.0.0.1:1234, so a host
@@ -192,7 +197,7 @@ func runDockerMode(ctx context.Context, node models.NodeDef, a *storage.Agent, c
 	buildArgs := parseKVCSV(strParam(node.Parameters, "buildArgs", ""))
 
 	if imageName == "" {
-		imageName = a.Name // "owner/repo"
+		imageName = agentName // "owner/repo"
 	}
 	tag := commitSHA
 	if tag == "" {
@@ -202,7 +207,7 @@ func runDockerMode(ctx context.Context, node models.NodeDef, a *storage.Agent, c
 
 	contextDir := filepath.Join(cloneDir, filepath.Clean("/"+contextRel))
 
-	auth, insecure := authForRegistry(registry, a)
+	auth, insecure := authForRegistry(registry, pat)
 
 	slog.InfoContext(ctx, "build_run_docker",
 		slog.String("node", node.Name),
@@ -238,20 +243,16 @@ func runDockerMode(ctx context.Context, node models.NodeDef, a *storage.Agent, c
 }
 
 // authForRegistry decides what creds to send to BuildKit for `registry`.
-// ghcr.io: use the agent's PAT (must include write:packages).
+// ghcr.io: use the PAT (must include write:packages).
 // localhost:* and registry:* (compose-internal): anonymous + insecure.
 // Anything else: anonymous; user can wire a real auth path later.
-func authForRegistry(registry string, a *storage.Agent) (map[string]registryCreds, bool) {
+func authForRegistry(registry string, pat string) (map[string]registryCreds, bool) {
 	host := registryHostname(registry)
 	insecure := isInsecureRegistry(host)
 
-	if host == "ghcr.io" && a.PAT != "" {
-		owner := agentOwner(a)
-		if owner == "" {
-			owner = "x-access-token"
-		}
+	if host == "ghcr.io" && pat != "" {
 		return map[string]registryCreds{
-			"ghcr.io": {Username: owner, Password: a.PAT},
+			"ghcr.io": {Username: "x-access-token", Password: pat},
 		}, false
 	}
 	return map[string]registryCreds{}, insecure
@@ -315,16 +316,16 @@ func parseKVCSV(s string) map[string]string {
 
 // --- clone helper --------------------------------------------------------
 
-// cloneRepo shallow-clones a's repo into a fresh tmp dir, optionally
+// cloneRepo shallow-clones the repo into a fresh tmp dir, optionally
 // checking out a specific commit. Returns (cloneDir, cleanupFn, err).
-func cloneRepo(ctx context.Context, a *storage.Agent, ref, commit string, timeout time.Duration) (string, func(), error) {
+func cloneRepo(ctx context.Context, repoURL, agentName, pat, ref, commit string, timeout time.Duration) (string, func(), error) {
 	cloneDir, err := os.MkdirTemp("", "flow-build-*")
 	if err != nil {
 		return "", nil, fmt.Errorf("build: tmp dir: %w", err)
 	}
 	cleanup := func() { os.RemoveAll(cloneDir) }
 
-	cloneURL, err := authedCloneURL(a.RepoURL, a.PAT)
+	cloneURL, err := authedCloneURL(repoURL, pat)
 	if err != nil {
 		cleanup()
 		return "", nil, fmt.Errorf("build: clone url: %w", err)
@@ -334,7 +335,7 @@ func cloneRepo(ctx context.Context, a *storage.Agent, ref, commit string, timeou
 	defer cancel()
 
 	slog.InfoContext(ctx, "build_clone",
-		slog.String("agent", a.Name),
+		slog.String("agent", agentName),
 		slog.String("ref", ref),
 		slog.String("dir", cloneDir),
 	)

pkg/executors/promote.go

@@ -59,11 +59,15 @@ func (e *PromoteExecutor) Execute(ctx context.Context, node models.NodeDef, inpu
 	if err != nil {
 		return nil, fmt.Errorf("promote: load agent %q: %w", agentID, err)
 	}
+	pat, err := a.GetPAT()
+	if err != nil {
+		return nil, fmt.Errorf("promote: decrypt PAT: %w", err)
+	}
 	repo, err := github.ParseRepo(a.RepoURL)
 	if err != nil {
 		return nil, fmt.Errorf("promote: parse repo %q: %w", a.RepoURL, err)
 	}
-	if a.PAT == "" {
+	if pat == "" {
 		return nil, errors.New("promote: agent has no PAT (need 'repo' scope to open PRs / merge)")
 	}
 
@@ -93,7 +97,7 @@ func (e *PromoteExecutor) Execute(ctx context.Context, node models.NodeDef, inpu
 	logger.Log(fmt.Sprintf("[promote:%s] %s/%s: %s → %s",
 		mode, repo.Owner, repo.Name, from, to))
 
-	cli := github.NewClient(a.PAT)
+	cli := github.NewClient(pat)
 	title := strParam(node.Parameters, "title", "")
 	body := strParam(node.Parameters, "body", "")
 	commitMsg := firstNonEmptyStr(title, fmt.Sprintf("Promote %s → %s", from, to))

pkg/executors/sast.go

@@ -67,6 +67,11 @@ func (e *SastExecutor) Execute(ctx context.Context, node models.NodeDef, inputs
 		return nil, fmt.Errorf("sast: load agent %q: %w", agentID, err)
 	}
 
+	pat, err := a.GetPAT()
+	if err != nil {
+		return nil, fmt.Errorf("sast: decrypt PAT: %w", err)
+	}
+
 	tool := strings.ToLower(strParam(node.Parameters, "tool", "trivy"))
 	threshold := strings.ToUpper(strParam(node.Parameters, "severityThreshold", "HIGH"))
 	failOnFinding := boolParam(node.Parameters, "failOnFinding", true)
@@ -81,7 +86,7 @@ func (e *SastExecutor) Execute(ctx context.Context, node models.NodeDef, inputs
 	commitSHA, _ := trigger["commit"].(string)
 	ref := stripRefsHeads(strFirst(strFromAny(trigger["ref"]), a.Ref, "main"))
 
-	cloneDir, cleanup, err := cloneRepo(ctx, a, ref, commitSHA, time.Duration(timeoutSec)*time.Second)
+	cloneDir, cleanup, err := cloneRepo(ctx, a.RepoURL, a.Name, pat, ref, commitSHA, time.Duration(timeoutSec)*time.Second)
 	if err != nil {
 		return nil, err
 	}

pkg/storage/storage.go

@@ -9,6 +9,8 @@ import (
 	"errors"
 	"strings"
 	"time"
+
+	"github.com/lyzrai/flow/pkg/secrets"
 )
 
 // ErrNotFound is returned when a queried document does not exist. API
@@ -119,13 +121,14 @@ type Credential struct {
 }
 
 // Agent is an agent repo registered with Langship. The PAT and webhook
-// secret are stored server-side; the API layer scrubs them before the
+// secret are stored server-side encrypted; the API layer scrubs them before the
 // record leaves the boundary (see pkg/api/agents.go).
 type Agent struct {
 	ID                 string     `json:"id"                bson:"_id"`
 	Name               string     `json:"name"              bson:"name"`
 	RepoURL            string     `json:"repoUrl"           bson:"repo_url"`
 	Ref                string     `json:"ref,omitempty"     bson:"ref,omitempty"`
+	PATSealed          string     `json:"-"                 bson:"pat_sealed,omitempty"`
 	PAT                string     `json:"-"                 bson:"pat,omitempty"`
 	WebhookID          int64      `json:"webhookId,omitempty"        bson:"webhook_id,omitempty"`
 	WebhookSecret      string     `json:"-"                          bson:"webhook_secret,omitempty"`
@@ -146,6 +149,31 @@ type Agent struct {
 	UpdatedAt time.Time `json:"updatedAt"         bson:"updated_at"`
 }
 
+// GetPAT returns the decrypted PAT. Falls back to plaintext PAT field for
+// backwards compatibility with agents created before encryption.
+func (a *Agent) GetPAT() (string, error) {
+	if a.PATSealed != "" {
+		return secrets.OpenString(a.PATSealed)
+	}
+	return a.PAT, nil
+}
+
+// SetPAT encrypts and stores the PAT.
+func (a *Agent) SetPAT(pat string) error {
+	if pat == "" {
+		a.PATSealed = ""
+		a.PAT = ""
+		return nil
+	}
+	sealed, err := secrets.SealString(pat)
+	if err != nil {
+		return err
+	}
+	a.PATSealed = sealed
+	a.PAT = ""
+	return nil
+}
+
 // LookupCredential returns the agent's credential matching name (case-
 // insensitive) and an ok flag. Convenience for executors.
 func (a *Agent) LookupCredential(name string) (Credential, bool) {