From 7cfee608ca34bf374625fe99d13a784b05a93386 Mon Sep 17 00:00:00 2001 From: Andreas Fitzek Date: Thu, 21 May 2026 15:08:57 +0200 Subject: [PATCH] refactor(core): Rename inbound-secrets module to runtime-credentials (no-changelog) (#30889) --- .../modules/__tests__/module-registry.test.ts | 4 +-- .../src/modules/module-registry.ts | 2 +- .../src/modules/modules.config.ts | 2 +- .../inbound-secrets/inbound-secrets.module.ts | 26 ----------------- .../__tests__/path-traversal.test.ts | 0 ...untime-credentials-access.service.test.ts} | 6 ++-- .../runtime-credentials-context-hook.test.ts} | 14 +++++----- .../runtime-credentials.module.test.ts} | 12 ++++---- .../runtime-credentials.service.test.ts} | 16 +++++------ .../path-traversal.ts | 0 .../runtime-credentials-access.service.ts} | 2 +- .../runtime-credentials-context-hook.ts} | 10 +++---- .../runtime-credentials.config.ts} | 2 +- .../runtime-credentials.module.ts | 28 +++++++++++++++++++ .../runtime-credentials.schemas.ts} | 0 .../runtime-credentials.service.ts} | 8 +++--- 16 files changed, 67 insertions(+), 65 deletions(-) delete mode 100644 packages/cli/src/modules/inbound-secrets/inbound-secrets.module.ts rename packages/cli/src/modules/{inbound-secrets => runtime-credentials}/__tests__/path-traversal.test.ts (100%) rename packages/cli/src/modules/{inbound-secrets/__tests__/inbound-secrets-access.service.test.ts => runtime-credentials/__tests__/runtime-credentials-access.service.test.ts} (91%) rename packages/cli/src/modules/{inbound-secrets/__tests__/inbound-secrets-context-hook.test.ts => runtime-credentials/__tests__/runtime-credentials-context-hook.test.ts} (83%) rename packages/cli/src/modules/{inbound-secrets/__tests__/inbound-secrets.module.test.ts => runtime-credentials/__tests__/runtime-credentials.module.test.ts} (56%) rename packages/cli/src/modules/{inbound-secrets/__tests__/inbound-secrets.service.test.ts => runtime-credentials/__tests__/runtime-credentials.service.test.ts} (92%) rename packages/cli/src/modules/{inbound-secrets => runtime-credentials}/path-traversal.ts (100%) rename packages/cli/src/modules/{inbound-secrets/inbound-secrets-access.service.ts => runtime-credentials/runtime-credentials-access.service.ts} (90%) rename packages/cli/src/modules/{inbound-secrets/inbound-secrets-context-hook.ts => runtime-credentials/runtime-credentials-context-hook.ts} (67%) rename packages/cli/src/modules/{inbound-secrets/inbound-secrets.config.ts => runtime-credentials/runtime-credentials.config.ts} (77%) create mode 100644 packages/cli/src/modules/runtime-credentials/runtime-credentials.module.ts rename packages/cli/src/modules/{inbound-secrets/inbound-secrets.schemas.ts => runtime-credentials/runtime-credentials.schemas.ts} (100%) rename packages/cli/src/modules/{inbound-secrets/inbound-secrets.service.ts => runtime-credentials/runtime-credentials.service.ts} (92%) diff --git a/packages/@n8n/backend-common/src/modules/__tests__/module-registry.test.ts b/packages/@n8n/backend-common/src/modules/__tests__/module-registry.test.ts index a9a8963f34d..d21be95facf 100644 --- a/packages/@n8n/backend-common/src/modules/__tests__/module-registry.test.ts +++ b/packages/@n8n/backend-common/src/modules/__tests__/module-registry.test.ts @@ -44,7 +44,7 @@ describe('eligibleModules', () => { 'instance-version-history', 'encryption-key-manager', 'oauth-jwe', - 'inbound-secrets', + 'runtime-credentials', 'mcp-registry', ]); }); @@ -76,7 +76,7 @@ describe('eligibleModules', () => { 'instance-version-history', 'encryption-key-manager', 'oauth-jwe', - 'inbound-secrets', + 'runtime-credentials', 'mcp-registry', 'instance-ai', ]); diff --git a/packages/@n8n/backend-common/src/modules/module-registry.ts b/packages/@n8n/backend-common/src/modules/module-registry.ts index 35e07c50dff..c08cc56056b 100644 --- a/packages/@n8n/backend-common/src/modules/module-registry.ts +++ b/packages/@n8n/backend-common/src/modules/module-registry.ts @@ -55,7 +55,7 @@ export class ModuleRegistry { 'instance-version-history', 'encryption-key-manager', 'oauth-jwe', - 'inbound-secrets', + 'runtime-credentials', 'mcp-registry', ]; diff --git a/packages/@n8n/backend-common/src/modules/modules.config.ts b/packages/@n8n/backend-common/src/modules/modules.config.ts index f12b5010387..ec54fa5624e 100644 --- a/packages/@n8n/backend-common/src/modules/modules.config.ts +++ b/packages/@n8n/backend-common/src/modules/modules.config.ts @@ -30,7 +30,7 @@ export const MODULE_NAMES = [ 'instance-version-history', 'encryption-key-manager', 'oauth-jwe', - 'inbound-secrets', + 'runtime-credentials', ] as const; export type ModuleName = (typeof MODULE_NAMES)[number]; diff --git a/packages/cli/src/modules/inbound-secrets/inbound-secrets.module.ts b/packages/cli/src/modules/inbound-secrets/inbound-secrets.module.ts deleted file mode 100644 index 0bc334867fa..00000000000 --- a/packages/cli/src/modules/inbound-secrets/inbound-secrets.module.ts +++ /dev/null @@ -1,26 +0,0 @@ -import type { ModuleInterface } from '@n8n/decorators'; -import { BackendModule } from '@n8n/decorators'; -import { Container } from '@n8n/di'; - -import { RuntimeCredentialProxyService } from '@/services/runtime-credential-proxy.service'; - -function isFeatureFlagEnabled(): boolean { - return process.env.N8N_ENV_FEAT_INBOUND_SECRETS === 'true'; -} - -@BackendModule({ name: 'inbound-secrets' }) -export class InboundSecretsModule implements ModuleInterface { - async init() { - if (!isFeatureFlagEnabled()) return; - - const { InboundSecretsService } = await import('./inbound-secrets.service'); - Container.get(InboundSecretsService).init(); - - await import('./inbound-secrets-context-hook'); - await import('./inbound-secrets.config'); - const { InboundSecretsAccessService } = await import('./inbound-secrets-access.service'); - Container.get(RuntimeCredentialProxyService).registerProvider( - Container.get(InboundSecretsAccessService), - ); - } -} diff --git a/packages/cli/src/modules/inbound-secrets/__tests__/path-traversal.test.ts b/packages/cli/src/modules/runtime-credentials/__tests__/path-traversal.test.ts similarity index 100% rename from packages/cli/src/modules/inbound-secrets/__tests__/path-traversal.test.ts rename to packages/cli/src/modules/runtime-credentials/__tests__/path-traversal.test.ts diff --git a/packages/cli/src/modules/inbound-secrets/__tests__/inbound-secrets-access.service.test.ts b/packages/cli/src/modules/runtime-credentials/__tests__/runtime-credentials-access.service.test.ts similarity index 91% rename from packages/cli/src/modules/inbound-secrets/__tests__/inbound-secrets-access.service.test.ts rename to packages/cli/src/modules/runtime-credentials/__tests__/runtime-credentials-access.service.test.ts index af93db1943f..c22bf4905c2 100644 --- a/packages/cli/src/modules/inbound-secrets/__tests__/inbound-secrets-access.service.test.ts +++ b/packages/cli/src/modules/runtime-credentials/__tests__/runtime-credentials-access.service.test.ts @@ -2,7 +2,7 @@ import { mock } from 'jest-mock-extended'; import type { Cipher } from 'n8n-core'; import type { IRunExecutionData } from 'n8n-workflow'; -import { InboundSecretsAccessService } from '../inbound-secrets-access.service'; +import { RuntimeCredentialsAccessService } from '../runtime-credentials-access.service'; const ENCRYPTED_BLOB = 'encrypted-blob-placeholder'; @@ -13,9 +13,9 @@ const buildRunExecutionData = (secureArtifacts: unknown): IRunExecutionData => }, }) as unknown as IRunExecutionData; -describe('InboundSecretsAccessService', () => { +describe('RuntimeCredentialsAccessService', () => { const cipher = mock(); - const service = new InboundSecretsAccessService(cipher); + const service = new RuntimeCredentialsAccessService(cipher); const plaintextArtifacts = JSON.stringify({ version: 1, diff --git a/packages/cli/src/modules/inbound-secrets/__tests__/inbound-secrets-context-hook.test.ts b/packages/cli/src/modules/runtime-credentials/__tests__/runtime-credentials-context-hook.test.ts similarity index 83% rename from packages/cli/src/modules/inbound-secrets/__tests__/inbound-secrets-context-hook.test.ts rename to packages/cli/src/modules/runtime-credentials/__tests__/runtime-credentials-context-hook.test.ts index afa1ca087a8..18c1f5243a1 100644 --- a/packages/cli/src/modules/inbound-secrets/__tests__/inbound-secrets-context-hook.test.ts +++ b/packages/cli/src/modules/runtime-credentials/__tests__/runtime-credentials-context-hook.test.ts @@ -3,12 +3,12 @@ import type { MockProxy } from 'jest-mock-extended'; import { mock } from 'jest-mock-extended'; import type { INode, INodeExecutionData } from 'n8n-workflow'; -import { InboundSecretContextHook } from '../inbound-secrets-context-hook'; -import type { InboundSecretsService, StripResult } from '../inbound-secrets.service'; +import { RuntimeCredentialsContextHook } from '../runtime-credentials-context-hook'; +import type { RuntimeCredentialsService, StripResult } from '../runtime-credentials.service'; -describe('InboundSecretContextHook', () => { - let service: MockProxy; - let hook: InboundSecretContextHook; +describe('RuntimeCredentialsContextHook', () => { + let service: MockProxy; + let hook: RuntimeCredentialsContextHook; const buildOptions = (triggerItems: INodeExecutionData[] | null): ContextEstablishmentOptions => ({ @@ -28,8 +28,8 @@ describe('InboundSecretContextHook', () => { ): StripResult => ({ triggerItems, artifactsByAlias }) as StripResult; beforeEach(() => { - service = mock(); - hook = new InboundSecretContextHook(service); + service = mock(); + hook = new RuntimeCredentialsContextHook(service); }); it('forwards items and trigger type to service.strip and emits the alias-keyed contextUpdate', async () => { diff --git a/packages/cli/src/modules/inbound-secrets/__tests__/inbound-secrets.module.test.ts b/packages/cli/src/modules/runtime-credentials/__tests__/runtime-credentials.module.test.ts similarity index 56% rename from packages/cli/src/modules/inbound-secrets/__tests__/inbound-secrets.module.test.ts rename to packages/cli/src/modules/runtime-credentials/__tests__/runtime-credentials.module.test.ts index b045be5d248..ee3cb60f89b 100644 --- a/packages/cli/src/modules/inbound-secrets/__tests__/inbound-secrets.module.test.ts +++ b/packages/cli/src/modules/runtime-credentials/__tests__/runtime-credentials.module.test.ts @@ -1,17 +1,17 @@ import { Container } from '@n8n/di'; -import { InboundSecretsModule } from '../inbound-secrets.module'; +import { RuntimeCredentialsModule } from '../runtime-credentials.module'; -describe('InboundSecretsModule', () => { - let module: InboundSecretsModule; +describe('RuntimeCredentialsModule', () => { + let module: RuntimeCredentialsModule; beforeEach(() => { Container.reset(); - module = new InboundSecretsModule(); + module = new RuntimeCredentialsModule(); }); afterEach(() => { - delete process.env.N8N_ENV_FEAT_INBOUND_SECRETS; + delete process.env.N8N_ENV_FEAT_RUNTIME_CREDENTIALS; }); describe('init', () => { @@ -20,7 +20,7 @@ describe('InboundSecretsModule', () => { }); it('loads without error when the feature flag is on', async () => { - process.env.N8N_ENV_FEAT_INBOUND_SECRETS = 'true'; + process.env.N8N_ENV_FEAT_RUNTIME_CREDENTIALS = 'true'; await expect(module.init()).resolves.toBeUndefined(); }); }); diff --git a/packages/cli/src/modules/inbound-secrets/__tests__/inbound-secrets.service.test.ts b/packages/cli/src/modules/runtime-credentials/__tests__/runtime-credentials.service.test.ts similarity index 92% rename from packages/cli/src/modules/inbound-secrets/__tests__/inbound-secrets.service.test.ts rename to packages/cli/src/modules/runtime-credentials/__tests__/runtime-credentials.service.test.ts index da64c760758..51a397c937f 100644 --- a/packages/cli/src/modules/inbound-secrets/__tests__/inbound-secrets.service.test.ts +++ b/packages/cli/src/modules/runtime-credentials/__tests__/runtime-credentials.service.test.ts @@ -3,19 +3,19 @@ import type { MockProxy } from 'jest-mock-extended'; import { mock } from 'jest-mock-extended'; import type { IDataObject, INodeExecutionData } from 'n8n-workflow'; -import type { InboundSecretsConfig } from '../inbound-secrets.config'; -import type { SensitiveFieldRules } from '../inbound-secrets.schemas'; -import { InboundSecretsService } from '../inbound-secrets.service'; +import type { RuntimeCredentialsConfig } from '../runtime-credentials.config'; +import type { SensitiveFieldRules } from '../runtime-credentials.schemas'; +import { RuntimeCredentialsService } from '../runtime-credentials.service'; const item = (json: IDataObject): INodeExecutionData => ({ json }); -describe('InboundSecretsService', () => { - let service: InboundSecretsService; - let config: MockProxy; +describe('RuntimeCredentialsService', () => { + let service: RuntimeCredentialsService; + let config: MockProxy; beforeEach(() => { - config = mock(); - service = new InboundSecretsService(mockLogger(), config); + config = mock(); + service = new RuntimeCredentialsService(mockLogger(), config); }); describe('init', () => { diff --git a/packages/cli/src/modules/inbound-secrets/path-traversal.ts b/packages/cli/src/modules/runtime-credentials/path-traversal.ts similarity index 100% rename from packages/cli/src/modules/inbound-secrets/path-traversal.ts rename to packages/cli/src/modules/runtime-credentials/path-traversal.ts diff --git a/packages/cli/src/modules/inbound-secrets/inbound-secrets-access.service.ts b/packages/cli/src/modules/runtime-credentials/runtime-credentials-access.service.ts similarity index 90% rename from packages/cli/src/modules/inbound-secrets/inbound-secrets-access.service.ts rename to packages/cli/src/modules/runtime-credentials/runtime-credentials-access.service.ts index e1d1dc6f9e9..0dfe9b704af 100644 --- a/packages/cli/src/modules/inbound-secrets/inbound-secrets-access.service.ts +++ b/packages/cli/src/modules/runtime-credentials/runtime-credentials-access.service.ts @@ -6,7 +6,7 @@ import { toSecureArtifacts } from 'n8n-workflow'; import { RuntimeCredentialProvider } from '@/services/runtime-credential-proxy.service'; @Service() -export class InboundSecretsAccessService implements RuntimeCredentialProvider { +export class RuntimeCredentialsAccessService implements RuntimeCredentialProvider { constructor(private readonly cipher: Cipher) {} async getRuntimeCredential( diff --git a/packages/cli/src/modules/inbound-secrets/inbound-secrets-context-hook.ts b/packages/cli/src/modules/runtime-credentials/runtime-credentials-context-hook.ts similarity index 67% rename from packages/cli/src/modules/inbound-secrets/inbound-secrets-context-hook.ts rename to packages/cli/src/modules/runtime-credentials/runtime-credentials-context-hook.ts index 8b373acace5..728b18ceca5 100644 --- a/packages/cli/src/modules/inbound-secrets/inbound-secrets-context-hook.ts +++ b/packages/cli/src/modules/runtime-credentials/runtime-credentials-context-hook.ts @@ -6,16 +6,16 @@ import { IContextEstablishmentHook, } from '@n8n/decorators'; -import { InboundSecretsService } from './inbound-secrets.service'; +import { RuntimeCredentialsService } from './runtime-credentials.service'; @ContextEstablishmentHook({ alwaysExecute: true, }) -export class InboundSecretContextHook implements IContextEstablishmentHook { - constructor(private readonly inboundSecretsService: InboundSecretsService) {} +export class RuntimeCredentialsContextHook implements IContextEstablishmentHook { + constructor(private readonly runtimeCredentialsService: RuntimeCredentialsService) {} hookDescription: HookDescription = { - name: 'InboundSecretContextHook', + name: 'RuntimeCredentialsContextHook', }; isApplicableToTriggerNode(_nodeType: string): boolean { @@ -24,7 +24,7 @@ export class InboundSecretContextHook implements IContextEstablishmentHook { } async execute(options: ContextEstablishmentOptions): Promise { - const { triggerItems, artifactsByAlias } = this.inboundSecretsService.strip( + const { triggerItems, artifactsByAlias } = this.runtimeCredentialsService.strip( options.triggerItems ?? [], options.triggerNode.type, ); diff --git a/packages/cli/src/modules/inbound-secrets/inbound-secrets.config.ts b/packages/cli/src/modules/runtime-credentials/runtime-credentials.config.ts similarity index 77% rename from packages/cli/src/modules/inbound-secrets/inbound-secrets.config.ts rename to packages/cli/src/modules/runtime-credentials/runtime-credentials.config.ts index 274560264e3..e8331885ebb 100644 --- a/packages/cli/src/modules/inbound-secrets/inbound-secrets.config.ts +++ b/packages/cli/src/modules/runtime-credentials/runtime-credentials.config.ts @@ -1,7 +1,7 @@ import { Config, Env } from '@n8n/config'; @Config -export class InboundSecretsConfig { +export class RuntimeCredentialsConfig { @Env('N8N_SECURITY_SENSITIVE_FIELD_RULES') sensitiveFieldRules: string = '{}'; } diff --git a/packages/cli/src/modules/runtime-credentials/runtime-credentials.module.ts b/packages/cli/src/modules/runtime-credentials/runtime-credentials.module.ts new file mode 100644 index 00000000000..c744e068d5f --- /dev/null +++ b/packages/cli/src/modules/runtime-credentials/runtime-credentials.module.ts @@ -0,0 +1,28 @@ +import type { ModuleInterface } from '@n8n/decorators'; +import { BackendModule } from '@n8n/decorators'; +import { Container } from '@n8n/di'; + +import { RuntimeCredentialProxyService } from '@/services/runtime-credential-proxy.service'; + +function isFeatureFlagEnabled(): boolean { + return process.env.N8N_ENV_FEAT_RUNTIME_CREDENTIALS === 'true'; +} + +@BackendModule({ name: 'runtime-credentials' }) +export class RuntimeCredentialsModule implements ModuleInterface { + async init() { + if (!isFeatureFlagEnabled()) return; + + const { RuntimeCredentialsService } = await import('./runtime-credentials.service'); + Container.get(RuntimeCredentialsService).init(); + + await import('./runtime-credentials-context-hook'); + await import('./runtime-credentials.config'); + const { RuntimeCredentialsAccessService } = await import( + './runtime-credentials-access.service' + ); + Container.get(RuntimeCredentialProxyService).registerProvider( + Container.get(RuntimeCredentialsAccessService), + ); + } +} diff --git a/packages/cli/src/modules/inbound-secrets/inbound-secrets.schemas.ts b/packages/cli/src/modules/runtime-credentials/runtime-credentials.schemas.ts similarity index 100% rename from packages/cli/src/modules/inbound-secrets/inbound-secrets.schemas.ts rename to packages/cli/src/modules/runtime-credentials/runtime-credentials.schemas.ts diff --git a/packages/cli/src/modules/inbound-secrets/inbound-secrets.service.ts b/packages/cli/src/modules/runtime-credentials/runtime-credentials.service.ts similarity index 92% rename from packages/cli/src/modules/inbound-secrets/inbound-secrets.service.ts rename to packages/cli/src/modules/runtime-credentials/runtime-credentials.service.ts index f9187cb3ec3..626c36996fd 100644 --- a/packages/cli/src/modules/inbound-secrets/inbound-secrets.service.ts +++ b/packages/cli/src/modules/runtime-credentials/runtime-credentials.service.ts @@ -2,12 +2,12 @@ import { Logger } from '@n8n/backend-common'; import { Service } from '@n8n/di'; import { INodeExecutionData, ISecureArtifactsV1, jsonParse } from 'n8n-workflow'; -import { InboundSecretsConfig } from './inbound-secrets.config'; +import { RuntimeCredentialsConfig } from './runtime-credentials.config'; import { SensitiveFieldRules, sensitiveFieldRulesSchema, ValueLookupPath, -} from './inbound-secrets.schemas'; +} from './runtime-credentials.schemas'; import { extractAndClear } from './path-traversal'; type ArtifactItem = ISecureArtifactsV1['artifacts'][string]; @@ -18,12 +18,12 @@ export type StripResult = { }; @Service() -export class InboundSecretsService { +export class RuntimeCredentialsService { private sensitiveFieldRules: SensitiveFieldRules = {}; constructor( private readonly logger: Logger, - private readonly config: InboundSecretsConfig, + private readonly config: RuntimeCredentialsConfig, ) {} init() {