
refactor: compile vault into server instead of dynamic plugin

- Change package from main to vault for import compatibility
- Add init() auto-registration when package is imported
- Remove plugin build jobs from CI (no longer needed)
- Update README for compiled-in architecture
- Add BSL 1.1 license

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-17 22:12:41 -05:00
parent 8c0023a3ab
commit b369d9ffbe
5 changed files with 230 additions and 177 deletions


@@ -12,8 +12,6 @@ on:
env: env:
GOPROXY: https://proxy.golang.org,direct GOPROXY: https://proxy.golang.org,direct
GOPRIVATE: git.marketally.com
GONOSUMDB: git.marketally.com
GO_VERSION: "1.25" GO_VERSION: "1.25"
jobs: jobs:
@@ -74,10 +72,12 @@ jobs:
- name: Run tests - name: Run tests
run: go test -race -v ./... run: go test -race -v ./...
# Create release for Go module versioning
create-release: create-release:
name: Create Release name: Create Release
runs-on: linux-latest runs-on: linux-latest
if: startsWith(github.ref, 'refs/tags/v') if: startsWith(github.ref, 'refs/tags/v')
needs: [lint, test]
outputs: outputs:
release_id: ${{ steps.create.outputs.release_id }} release_id: ${{ steps.create.outputs.release_id }}
steps: steps:
@@ -104,7 +104,7 @@ jobs:
RESPONSE=$(curl -sf -X POST \ RESPONSE=$(curl -sf -X POST \
-H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" \ -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
-d '{"tag_name":"'"$TAG"'","name":"GitCaddy Vault '"$TAG"'","body":"Official release of GitCaddy Vault plugin '"$TAG"'.","draft":false,"prerelease":false}' \ -d '{"tag_name":"'"$TAG"'","name":"GitCaddy Vault '"$TAG"'","body":"GitCaddy Vault '"$TAG"'\n\nThis release is automatically compiled into GitCaddy Server. No separate installation required.\n\nSee the [GitCaddy Server releases](https://git.marketally.com/gitcaddy/gitcaddy-server/releases) for download.","draft":false,"prerelease":false}' \
"https://direct.git.marketally.com/api/v1/repos/${{ github.repository }}/releases" 2>&1) "https://direct.git.marketally.com/api/v1/repos/${{ github.repository }}/releases" 2>&1)
if echo "$RESPONSE" | grep -q '"id":[0-9]'; then if echo "$RESPONSE" | grep -q '"id":[0-9]'; then
@@ -116,152 +116,7 @@ jobs:
exit 1 exit 1
fi fi
# Build Go plugin for Linux amd64 (native) # Build keygen utility for license management
build-linux-amd64:
name: Build Plugin (linux/amd64)
runs-on: linux-latest
needs: [lint, test, create-release]
if: startsWith(github.ref, 'refs/tags/v') && needs.lint.result == 'success' && needs.create-release.result == 'success'
steps:
- name: Get latest server version
id: server
run: |
VERSION=$(curl -sf "https://direct.git.marketally.com/api/v1/repos/gitcaddy/gitcaddy-server/releases/latest" | grep -o '"tag_name":"[^"]*"' | cut -d'"' -f4)
echo "version=$VERSION"
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: false
- name: Clear server module cache and update
run: |
SERVER_VERSION="${{ steps.server.outputs.version }}"
echo "Building against server $SERVER_VERSION"
# Clear any cached version of the server module
rm -rf ~/go/pkg/mod/git.marketally.com/gitcaddy/gitcaddy-server* || true
rm -rf ~/go/pkg/mod/cache/download/git.marketally.com/gitcaddy/gitcaddy-server* || true
# Update go.mod with the server version
sed -i "s|replace code.gitcaddy.com/server/v3 => ../gitcaddy-server|replace code.gitcaddy.com/server/v3 => git.marketally.com/gitcaddy/gitcaddy-server/v3 $SERVER_VERSION|" go.mod
cat go.mod | grep -A2 "^replace"
go mod tidy
- name: Build plugin
env:
CGO_ENABLED: 1
run: |
VERSION=$(git describe --tags --always 2>/dev/null || echo "dev")
LDFLAGS="-X git.marketally.com/gitcaddy/vault.PluginVersion=${VERSION}"
OUTPUT="gitcaddy-vault-${VERSION}-linux-amd64.so"
echo "Building plugin: $OUTPUT"
go build -buildmode=plugin -trimpath -ldflags "${LDFLAGS}" -o "dist/${OUTPUT}" .
cd dist && sha256sum "${OUTPUT}" > "${OUTPUT}.sha256"
echo "Build complete: dist/${OUTPUT}"
ls -la
- name: Upload to release
env:
RELEASE_ID: ${{ needs.create-release.outputs.release_id }}
run: |
for file in dist/*; do
if [ -f "$file" ]; then
filename=$(basename "$file")
echo "Uploading $filename..."
curl -sf -X POST \
-H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" \
-F "attachment=@$file" \
"https://direct.git.marketally.com/api/v1/repos/${{ github.repository }}/releases/$RELEASE_ID/assets?name=$filename" || true
fi
done
# Build Go plugin for Linux arm64 (Docker container on macOS ARM64)
build-linux-arm64:
name: Build Plugin (linux/arm64)
runs-on: macos
container:
image: node:20-bookworm
needs: [lint, test, create-release]
if: startsWith(github.ref, 'refs/tags/v') && needs.lint.result == 'success' && needs.create-release.result == 'success'
env:
CGO_ENABLED: 1
GOPROXY: https://proxy.golang.org,direct
GOPRIVATE: git.marketally.com
GONOSUMDB: git.marketally.com
steps:
- name: Install build dependencies
run: |
apt-get update
apt-get install -y build-essential curl ca-certificates
- name: Get latest server version
id: server
run: |
VERSION=$(curl -sf "https://direct.git.marketally.com/api/v1/repos/gitcaddy/gitcaddy-server/releases/latest" | grep -o '"tag_name":"[^"]*"' | cut -d'"' -f4)
echo "version=$VERSION"
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
- name: Install Go
run: |
curl -fsSL "https://go.dev/dl/go1.25.6.linux-arm64.tar.gz" -o go.tar.gz
tar -C /usr/local -xzf go.tar.gz
rm go.tar.gz
echo "/usr/local/go/bin" >> $GITHUB_PATH
/usr/local/go/bin/go version
- name: Checkout code
uses: actions/checkout@v4
- name: Clear server module cache and update
run: |
SERVER_VERSION="${{ steps.server.outputs.version }}"
echo "Building against server $SERVER_VERSION"
# Clear any cached version of the server module
rm -rf ~/go/pkg/mod/git.marketally.com/gitcaddy/gitcaddy-server* || true
rm -rf ~/go/pkg/mod/cache/download/git.marketally.com/gitcaddy/gitcaddy-server* || true
# Update go.mod with the server version
sed -i "s|replace code.gitcaddy.com/server/v3 => ../gitcaddy-server|replace code.gitcaddy.com/server/v3 => git.marketally.com/gitcaddy/gitcaddy-server/v3 $SERVER_VERSION|" go.mod
cat go.mod | grep -A2 "^replace"
/usr/local/go/bin/go mod tidy
- name: Build plugin
run: |
VERSION=$(git describe --tags --always 2>/dev/null || echo "dev")
LDFLAGS="-X git.marketally.com/gitcaddy/vault.PluginVersion=${VERSION}"
OUTPUT="gitcaddy-vault-${VERSION}-linux-arm64.so"
echo "Building plugin: $OUTPUT"
mkdir -p dist
/usr/local/go/bin/go build -buildmode=plugin -trimpath -ldflags "${LDFLAGS}" -o "dist/${OUTPUT}" .
cd dist && sha256sum "${OUTPUT}" > "${OUTPUT}.sha256"
echo "Build complete: dist/${OUTPUT}"
ls -la
- name: Upload to release
env:
RELEASE_ID: ${{ needs.create-release.outputs.release_id }}
run: |
for file in dist/*; do
if [ -f "$file" ]; then
filename=$(basename "$file")
echo "Uploading $filename..."
curl -sf -X POST \
-H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" \
-F "attachment=@$file" \
"https://direct.git.marketally.com/api/v1/repos/${{ github.repository }}/releases/$RELEASE_ID/assets?name=$filename" || true
fi
done
# Build keygen utility
build-keygen: build-keygen:
name: Build Keygen Utility name: Build Keygen Utility
runs-on: linux-latest runs-on: linux-latest
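Review bot: The workflow-level `env` no longer sets `GOPRIVATE` or `GONOSUMDB` for git.marketally.com (first hunk) while `GOPROXY` still points at proxy.golang.org, so any module path under that host that the lint and test jobs still resolve would be requested from the public proxy and checksum database. That would disclose internal module paths to a third party, and it fails for repositories the proxy cannot read. go.mod is not part of this page, so whether such a dependency remains cannot be confirmed here; if one does, keep `GOPRIVATE: git.marketally.com`, which also covers the checksum-database exclusion. If none remains, a comment such as `# all dependencies are public; no GOPRIVATE needed` above `GO_VERSION` would record the reason for the removal.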

129
COMMERICAL_LICENSE.md Normal file

@@ -0,0 +1,129 @@
# GitCaddy Vault Commercial License Agreement
**Effective Date:** January 2026
This Commercial License Agreement (the “Agreement”) is entered into between **MarketAlly** (“Licensor”) and the individual or entity obtaining a commercial license (“Licensee”). This Agreement governs production use of **GitCaddy Vault** beyond the limits permitted by the Business Source License 1.1.
---
## 1. Grant of License
Subject to payment of applicable fees and compliance with this Agreement, Licensor grants Licensee a non-exclusive, non-transferable, non-sublicensable license to use GitCaddy Vault in production according to the purchased subscription tier.
---
## 2. License Tiers and Entitlements
### 2.1 Solo (Free)
No commercial license required.
- Up to 1 user
- Up to 5 secrets per repository
- Limited audit history
- Non-production and small personal production use
### 2.2 Pro
- Up to 5 users
- Unlimited secrets
- Extended audit history
- CI/CD tokens and automation features
### 2.3 Team
- Up to 25 users
- Unlimited secrets
- Extended audit history (up to 1 year)
- SSO/SAML integration
- Priority support
### 2.4 Enterprise
- Custom user limits
- Custom audit retention
- Advanced security features
- SLA-backed support
- Dedicated support channel
Specific limits and features are defined by the Licensees purchase confirmation or order form.
---
## 3. Fees and Payment
Licensee agrees to pay the fees associated with the selected tier on a monthly or annual subscription basis, as published at the time of purchase or agreed in writing.
Subscriptions renew automatically unless canceled prior to the renewal date.
---
## 4. License Enforcement
GitCaddy Vault uses a signed license file to enable commercial features. Licensee agrees not to bypass, disable, or tamper with license verification mechanisms.
Expired licenses are subject to a grace period. After the grace period, commercial features may be disabled while preserving access to existing data.
---
## 5. Ownership and Intellectual Property
GitCaddy Vault is licensed, not sold. All right, title, and interest in the software remain with Licensor.
This Agreement does not grant Licensee any rights to Licensor trademarks, logos, or branding.
---
## 6. Restrictions
Licensee may not:
- Redistribute GitCaddy Vault as a standalone product
- Offer GitCaddy Vault as a managed or hosted service without an Enterprise agreement
- Remove or alter license notices
---
## 7. Support
Support is provided according to the purchased tier. Community support is available for Solo users. Paid tiers include email or priority support as specified.
---
## 8. Termination
Licensor may terminate this Agreement if Licensee materially breaches its terms and fails to cure such breach within thirty (30) days of notice.
Upon termination, Licensee must cease production use beyond the limits of the Business Source License.
---
## 9. Warranty Disclaimer
THE SOFTWARE IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. LICENSOR DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
---
## 10. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY LAW, LICENSOR SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES ARISING FROM USE OF THE SOFTWARE.
---
## 11. Governing Law
This Agreement is governed by the laws of the State of Florida, USA, without regard to conflict-of-law principles.
---
## 12. Contact
For licensing questions or enterprise agreements, contact:
**MarketAlly** \
Email: licensing@gitcaddy.com
---
By using GitCaddy Vault in production beyond the free tier, you agree to the terms of this Agreement.

54
LICENSE.md Normal file

@@ -0,0 +1,54 @@
# Business Source License 1.1
License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
“Business Source License” is a trademark of MariaDB Corporation Ab.
---
## Parameters
**Licensor:** \
MarketAlly
**Licensed Work:** \
GitCaddy Vault
The Licensed Work is (c) 2026 MarketAlly
**Additional Use Grant:** \
You may use the Licensed Work for non-production purposes, including development, testing, personal projects, educational use, and internal evaluation.
You may also use the Licensed Work for production use with **up to five (5) users** at no cost (the “Solo Tier”). Production use beyond five (5) users, or use that exceeds Solo Tier limits, requires a valid commercial license obtained from the Licensor.
**Change Date:** \
January 17, 2030
**Change License:** \
Apache License, Version 2.0
---
## Terms
The Licensor hereby grants you the right to copy, modify, create derivative works, redistribute, and make non-production use of the Licensed Work. The Licensor makes an Additional Use Grant, above, permitting limited production use.
Effective on the Change Date, or the fourth anniversary of the first publicly available distribution of a specific version of the Licensed Work under this License, whichever comes first, the Licensor hereby grants you the rights described in the Change License.
The rights granted under this License will terminate automatically if you violate any of the restrictions of this License. Upon termination, you must cease all use of the Licensed Work and destroy all copies.
This License does not grant you any right in any trademark or logo of the Licensor or its affiliates.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON AN “AS IS” BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS, EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND TITLE.
MariaDB hereby grants you permission to use this Licenses text to license your works, and to refer to it using the trademark “Business Source License”, as long as you comply with the Covenants of Licensor below.
---
## Covenants of Licensor
In consideration of the right to use this Licenses text and the “Business Source License” name and trademark, Licensor covenants to MariaDB, and to all other recipients of the Licensed Work, that Licensor will:
1. Specify as the Change License a license that is compatible with version 2.0 of the Apache License, GPL version 2.0 or later, or a license that is OSI-approved.
2. Specify as the Change Date a date no later than four years after the first publicly available distribution of a specific version of the Licensed Work.
3. Not modify this License in any other way.


@@ -2,7 +2,7 @@
**Encrypted Secrets Management for GitCaddy** **Encrypted Secrets Management for GitCaddy**
GitCaddy Vault is a commercial plugin that provides enterprise-grade secrets management directly within your GitCaddy repositories. Store, version, and securely access credentials, API keys, certificates, and other sensitive data without leaving your Git workflow. GitCaddy Vault is a commercial module compiled directly into GitCaddy Server that provides enterprise-grade secrets management within your GitCaddy repositories. Store, version, and securely access credentials, API keys, certificates, and other sensitive data without leaving your Git workflow.
## Features ## Features
@@ -38,16 +38,14 @@ GitCaddy Vault is a commercial plugin that provides enterprise-grade secrets man
│ ┌────────▼────────┐ │ │ ┌────────▼────────┐ │
│ │ Vault Service │ │ │ │ Vault Service │ │
│ └────────┬────────┘ │ │ └────────┬────────┘ │
├────────────────────────────┼────────────────────────────┤ │ │ │
│ ┌────────▼────────┐ │
│ │ GitCaddy Vault │ (Plugin) │
│ │ Plugin │ │
│ └────────┬────────┘ │
│ ┌──────────────────┼──────────────────┐ │ │ ┌──────────────────┼──────────────────┐ │
│ ┌─────▼─────┐ ┌──────▼──────┐ ┌──────▼──────┐ │ │ ┌─────▼─────┐ ┌──────▼──────┐ ┌──────▼──────┐ │
│ │ Crypto │ │ Models │ │ License │ │ │ │ Crypto │ │ Models │ │ License │ │
│ │ Engine │ │ (XORM) │ │ Manager │ │ │ │ Engine │ │ (XORM) │ │ Manager │ │
│ └───────────┘ └─────────────┘ └─────────────┘ │ │ └───────────┘ └─────────────┘ └─────────────┘ │
│ │
│ (Compiled into GitCaddy Server) │
└─────────────────────────────────────────────────────────┘ └─────────────────────────────────────────────────────────┘
``` ```
@@ -60,17 +58,14 @@ GitCaddy Vault is a commercial plugin that provides enterprise-grade secrets man
### Requirements ### Requirements
- GitCaddy Server v1.0.0 or later - GitCaddy Server v1.0.0 or later (Vault is included automatically)
- Valid GitCaddy Vault license - Valid GitCaddy Vault license
### Setup ### Setup
1. Place the vault plugin binary in your GitCaddy plugins directory: GitCaddy Vault is compiled directly into GitCaddy Server - no separate installation required.
```bash
cp gitcaddy-vault.so /path/to/gitcaddy/plugins/
```
2. Add your license key via environment variable or file: 1. Add your license key via environment variable or file:
```bash ```bash
# Option 1: Environment variable # Option 1: Environment variable
export GITCADDY_LICENSE_KEY="<your-base64-license>" export GITCADDY_LICENSE_KEY="<your-base64-license>"
@@ -79,7 +74,7 @@ GitCaddy Vault is a commercial plugin that provides enterprise-grade secrets man
cp license.key /etc/gitcaddy/license.key cp license.key /etc/gitcaddy/license.key
``` ```
3. Restart GitCaddy Server 2. Restart GitCaddy Server to activate the license
## Configuration ## Configuration
@@ -94,7 +89,7 @@ GitCaddy Vault is a commercial plugin that provides enterprise-grade secrets man
### License File Locations ### License File Locations
The plugin searches for license files in this order: GitCaddy Server searches for license files in this order:
1. Path specified by `GITCADDY_LICENSE_FILE` 1. Path specified by `GITCADDY_LICENSE_FILE`
2. `/etc/gitcaddy/license.key` 2. `/etc/gitcaddy/license.key`
3. `./custom/license.key` 3. `./custom/license.key`
@@ -236,7 +231,7 @@ Token scopes control access to secrets using a simple grammar:
## Database Schema ## Database Schema
The plugin creates the following tables: GitCaddy Vault uses the following tables:
- `vault_secret` - Secret metadata - `vault_secret` - Secret metadata
- `vault_secret_version` - Versioned secret values (encrypted) - `vault_secret_version` - Versioned secret values (encrypted)
@@ -248,18 +243,33 @@ The plugin creates the following tables:
### Building ### Building
```bash The Vault module is compiled directly into GitCaddy Server. To build the server with Vault:
# Clone the repository
git clone https://git.marketally.com/gitcaddy/vault.git
cd vault
# Build the plugin ```bash
go build -buildmode=plugin -o gitcaddy-vault.so ./plugin # Clone GitCaddy Server (includes Vault)
git clone https://git.marketally.com/gitcaddy/server.git
cd server
# Build the server (Vault is included automatically)
make build
# Run tests # Run tests
go test ./... go test ./...
``` ```
### Keygen Utility
The license key generation tool is built separately:
```bash
# Clone the vault repository
git clone https://git.marketally.com/gitcaddy/vault.git
cd vault
# Build the keygen utility
go build -o keygen ./cmd/keygen
```
### Generating License Keys ### Generating License Keys
```bash ```bash
@@ -298,6 +308,6 @@ export GITCADDY_DEV_MODE=1
## License ## License
Copyright 2026 MarketAlly. All rights reserved. Business Source License 1.1 - See LICENSE file for details.
This software is proprietary and confidential. See LICENSE file for details. Copyright 2026 MarketAlly. All rights reserved.


@@ -1,7 +1,7 @@
// Copyright 2026 MarketAlly. All rights reserved. // Copyright 2026 MarketAlly. All rights reserved.
// Proprietary and confidential. // Business Source License 1.1 - See LICENSE file for details.
package main package vault
import ( import (
"context" "context"
@@ -22,6 +22,14 @@ const (
PluginVersion = "1.0.0" PluginVersion = "1.0.0"
) )
// PluginVersion can be set at build time
var Version = PluginVersion
// init automatically registers the vault when this package is imported
func init() {
Register()
}
// VaultPlugin is the main entry point for the GitCaddy Vault plugin // VaultPlugin is the main entry point for the GitCaddy Vault plugin
type VaultPlugin struct { type VaultPlugin struct {
license *license.Manager license *license.Manager
@@ -129,6 +137,3 @@ var (
func Register() { func Register() {
plugins.Register(New()) plugins.Register(New())
} }
// Plugin is the exported symbol that GitCaddy loads
var Plugin = New()
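Review bot: The added `init()` registers the vault as a side effect of importing the package while `Register()` stays exported, so a server that imports the package and also calls `Register()` would run `plugins.Register(New())` twice; whether `plugins.Register` rejects duplicates is not visible here. Guarding the call makes it idempotent: `var registerOnce sync.Once` and `func Register() { registerOnce.Do(func() { plugins.Register(New()) }) }`, which needs `sync` in the import block that continues outside the hunk. `New()` now also runs at import time, presumably before the server has loaded its configuration, so if it touches the license manager it has no way to report an error to the caller from there. The comment on `Version` names the wrong identifier; `PluginVersion` is a constant and cannot be set by the linker, so it should read `// Version is the vault version; it defaults to PluginVersion and can be overridden at build time with -ldflags -X.`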