feat: deploy-time multi-store secret fetching

Update injectSecrets to accept *WorkflowConfig and envName, routing each
secret entry through ResolveSecretStore + getProviderForStore for correct
per-store fetching. Update runDeployPhaseWithConfig and runMultiServiceDeploy
to pass the full WorkflowConfig instead of SecretsConfig. Retain
injectSecretsLegacy for callers that only have SecretsConfig. Add
deploy_secrets_test.go for multi-store routing, env-override, legacy
provider, and unknown-store error cases.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: intel352

cmd/wfctl/ci_multiservice.go

@@ -102,9 +102,9 @@ func buildServiceBinary(name string, svc *config.ServiceConfig, verbose bool) er
 func runMultiServiceDeploy(
 	deploy *config.CIDeployConfig,
 	envName string,
-	secretsCfg *config.SecretsConfig,
+	wfCfg *config.WorkflowConfig,
 	services map[string]*config.ServiceConfig,
 	verbose bool,
 ) error {
-	return runDeployPhaseWithConfig(deploy, envName, secretsCfg, services, verbose)
+	return runDeployPhaseWithConfig(deploy, envName, wfCfg, services, verbose)
 }

cmd/wfctl/ci_run.go

@@ -61,11 +61,11 @@ func runCIRun(args []string) error {
 				return fmt.Errorf("--env is required for deploy phase")
 			}
 			if len(cfg.Services) > 0 {
-				if err := runMultiServiceDeploy(cfg.CI.Deploy, *env, cfg.Secrets, cfg.Services, *verbose); err != nil {
+				if err := runMultiServiceDeploy(cfg.CI.Deploy, *env, &cfg, cfg.Services, *verbose); err != nil {
 					return fmt.Errorf("deploy phase failed: %w", err)
 				}
 			} else {
-				if err := runDeployPhaseWithConfig(cfg.CI.Deploy, *env, cfg.Secrets, nil, *verbose); err != nil {
+				if err := runDeployPhaseWithConfig(cfg.CI.Deploy, *env, &cfg, nil, *verbose); err != nil {
 					return fmt.Errorf("deploy phase failed: %w", err)
 				}
 			}
@@ -287,7 +287,7 @@ func runDeployPhase(deploy *config.CIDeployConfig, envName string, verbose bool)
 func runDeployPhaseWithConfig(
 	deploy *config.CIDeployConfig,
 	envName string,
-	secretsCfg *config.SecretsConfig,
+	wfCfg *config.WorkflowConfig,
 	services map[string]*config.ServiceConfig,
 	verbose bool,
 ) error {
@@ -319,8 +319,8 @@ func runDeployPhaseWithConfig(
 		}
 	}
 
-	// Step 2: secret injection.
-	secrets, err := injectSecrets(ctx, secretsCfg)
+	// Step 2: secret injection — route each secret to its correct store.
+	secrets, err := injectSecrets(ctx, wfCfg, envName)
 	if err != nil {
 		return fmt.Errorf("secret injection: %w", err)
 	}

cmd/wfctl/deploy_providers.go

@@ -445,9 +445,34 @@ func pollHealthCheck(ctx context.Context, cfg DeployConfig) error {
 
 // ── secret injection ──────────────────────────────────────────────────────────
 
-// injectSecrets fetches secrets from the configured provider and returns them
-// as a name→value map for use during deployment.
-func injectSecrets(ctx context.Context, secretsCfg *config.SecretsConfig) (map[string]string, error) {
+// injectSecrets fetches secrets from the configured provider(s) and returns them
+// as a name→value map for use during deployment. When cfg contains a SecretStores
+// map or per-secret Store fields, each secret is routed to its correct store.
+// The envName parameter is used to apply environment-level SecretsStoreOverride.
+func injectSecrets(ctx context.Context, cfg *config.WorkflowConfig, envName string) (map[string]string, error) {
+	if cfg == nil || cfg.Secrets == nil || len(cfg.Secrets.Entries) == 0 {
+		return nil, nil
+	}
+
+	result := make(map[string]string, len(cfg.Secrets.Entries))
+	for _, entry := range cfg.Secrets.Entries {
+		storeName := ResolveSecretStore(entry.Name, envName, cfg)
+		provider, err := getProviderForStore(storeName, cfg)
+		if err != nil {
+			return nil, fmt.Errorf("secret %q: store %q: %w", entry.Name, storeName, err)
+		}
+		val, err := provider.Get(ctx, entry.Name)
+		if err != nil {
+			return nil, fmt.Errorf("secret %q: fetch from %q: %w", entry.Name, storeName, err)
+		}
+		result[entry.Name] = val
+	}
+	return result, nil
+}
+
+// injectSecretsLegacy is the pre-multi-store implementation kept for callers
+// that only have a SecretsConfig (not a full WorkflowConfig).
+func injectSecretsLegacy(ctx context.Context, secretsCfg *config.SecretsConfig) (map[string]string, error) {
 	if secretsCfg == nil || len(secretsCfg.Entries) == 0 {
 		return nil, nil
 	}

cmd/wfctl/deploy_providers_test.go

@@ -221,7 +221,7 @@ func TestK8sStrategy(t *testing.T) {
 // ── injectSecrets ─────────────────────────────────────────────────────────────
 
 func TestInjectSecrets_Nil(t *testing.T) {
-	secrets, err := injectSecrets(context.Background(), nil)
+	secrets, err := injectSecrets(context.Background(), nil, "")
 	if err != nil {
 		t.Fatalf("injectSecrets(nil): unexpected error: %v", err)
 	}
@@ -233,13 +233,15 @@ func TestInjectSecrets_Nil(t *testing.T) {
 func TestInjectSecrets_EnvProvider(t *testing.T) {
 	t.Setenv("TEST_SECRET_KEY", "supersecret")
 
-	secretsCfg := &config.SecretsConfig{
-		Provider: "env",
-		Entries: []config.SecretEntry{
-			{Name: "TEST_SECRET_KEY"},
+	wfCfg := &config.WorkflowConfig{
+		Secrets: &config.SecretsConfig{
+			Provider: "env",
+			Entries: []config.SecretEntry{
+				{Name: "TEST_SECRET_KEY"},
+			},
 		},
 	}
-	secrets, err := injectSecrets(context.Background(), secretsCfg)
+	secrets, err := injectSecrets(context.Background(), wfCfg, "")
 	if err != nil {
 		t.Fatalf("injectSecrets: %v", err)
 	}

cmd/wfctl/deploy_secrets_test.go

@@ -0,0 +1,118 @@
+package main
+
+import (
+	"context"
+	"testing"
+
+	"github.com/GoCodeAlone/workflow/config"
+)
+
+func TestInjectSecrets_MultiStoreRouting(t *testing.T) {
+	// Set secrets in the environment
+	t.Setenv("DB_PASS", "pg-password")
+	t.Setenv("JWT_KEY", "jwt-signing-key")
+
+	wfCfg := &config.WorkflowConfig{
+		SecretStores: map[string]*config.SecretStoreConfig{
+			"local-env": {Provider: "env"},
+		},
+		Secrets: &config.SecretsConfig{
+			DefaultStore: "local-env",
+			Entries: []config.SecretEntry{
+				{Name: "DB_PASS", Store: "local-env"},
+				{Name: "JWT_KEY"}, // uses defaultStore
+			},
+		},
+	}
+
+	secrets, err := injectSecrets(context.Background(), wfCfg, "local")
+	if err != nil {
+		t.Fatalf("injectSecrets: %v", err)
+	}
+
+	if secrets["DB_PASS"] != "pg-password" {
+		t.Errorf("DB_PASS: got %q, want pg-password", secrets["DB_PASS"])
+	}
+	if secrets["JWT_KEY"] != "jwt-signing-key" {
+		t.Errorf("JWT_KEY: got %q, want jwt-signing-key", secrets["JWT_KEY"])
+	}
+}
+
+func TestInjectSecrets_EnvOverrideRouting(t *testing.T) {
+	t.Setenv("MY_API_KEY", "api-key-value")
+
+	wfCfg := &config.WorkflowConfig{
+		SecretStores: map[string]*config.SecretStoreConfig{
+			"local": {Provider: "env"},
+		},
+		Secrets: &config.SecretsConfig{
+			DefaultStore: "local",
+			Entries: []config.SecretEntry{
+				{Name: "MY_API_KEY"},
+			},
+		},
+		Environments: map[string]*config.EnvironmentConfig{
+			"staging": {SecretsStoreOverride: "local"}, // routes to env provider
+		},
+	}
+
+	secrets, err := injectSecrets(context.Background(), wfCfg, "staging")
+	if err != nil {
+		t.Fatalf("injectSecrets: %v", err)
+	}
+	if secrets["MY_API_KEY"] != "api-key-value" {
+		t.Errorf("MY_API_KEY: got %q, want api-key-value", secrets["MY_API_KEY"])
+	}
+}
+
+func TestInjectSecrets_UnknownStore_Error(t *testing.T) {
+	wfCfg := &config.WorkflowConfig{
+		Secrets: &config.SecretsConfig{
+			Entries: []config.SecretEntry{
+				{Name: "MY_SECRET", Store: "nonexistent-provider"},
+			},
+		},
+	}
+
+	_, err := injectSecrets(context.Background(), wfCfg, "")
+	if err == nil {
+		t.Error("expected error for unknown store provider")
+	}
+}
+
+func TestInjectSecrets_LegacyProvider(t *testing.T) {
+	t.Setenv("LEGACY_SECRET", "legacy-value")
+
+	wfCfg := &config.WorkflowConfig{
+		Secrets: &config.SecretsConfig{
+			Provider: "env", // legacy field
+			Entries: []config.SecretEntry{
+				{Name: "LEGACY_SECRET"},
+			},
+		},
+	}
+
+	secrets, err := injectSecrets(context.Background(), wfCfg, "")
+	if err != nil {
+		t.Fatalf("injectSecrets (legacy): %v", err)
+	}
+	if secrets["LEGACY_SECRET"] != "legacy-value" {
+		t.Errorf("LEGACY_SECRET: got %q, want legacy-value", secrets["LEGACY_SECRET"])
+	}
+}
+
+func TestInjectSecrets_EmptyEntries(t *testing.T) {
+	wfCfg := &config.WorkflowConfig{
+		Secrets: &config.SecretsConfig{
+			Provider: "env",
+			Entries:  nil,
+		},
+	}
+	secrets, err := injectSecrets(context.Background(), wfCfg, "")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if secrets != nil {
+		t.Errorf("expected nil for empty entries, got %v", secrets)
+	}
+}