Skip to main content
← Back to list
01Issue
BugShippedSwamp CLI
Assigneesstack72

Relationships

#914 swamp serve: model resource vault-backed sensitive fields resolve empty during served/workflow execution (readResource)

Opened by magistr · 7/2/2026· Shipped 7/2/2026

Description

When a model method is executed by swamp serve (its internal workflow scheduler, or a --server client), readResource(<id>) on a model resource whose schema has a vault-backed sensitive field (stored as a ${{ vault.get(<vault>, <key>) }} reference) resolves that field to empty. The exact same method/workflow run by a plain out-of-serve CLI process (docker exec <container> swamp ...) resolves it correctly and succeeds.

Steps to reproduce

  1. A model with a resource whose schema field is sensitive and thus stored as a vault ref — e.g. @magistr/google-health, resource oauth-current, field refreshToken.
  2. Populate it (the model's authorize+exchange) so HC Vault holds the secret and readResource works from the CLI.
  3. Run a workflow whose step calls that method (here google-health sync, which does readResource("oauth-current") and throws if refreshToken is empty), THREE ways:
    • docker exec <serve-container> swamp workflow run <wf> (fresh CLI, same container/env) → succeeds, secret resolves.
    • serve internal scheduler (workflow trigger.schedule) → fails: field is empty.
    • swamp workflow run <wf> --server wss://...fails: field is empty.

Key observation

Non-sensitive vault reads work fine under serve — e.g. a globalArgument ${{ vault.get(...) }} (CLIENT_ID from the same vault/mount) resolves server-side (the model builds a correct OAuth URL). So it is specifically resource sensitive-field resolution in the served execution context, not vault connectivity. Same container, same VAULT_TOKEN, same HC Vault KV-v2 mount, same datastore.

Environment

  • swamp serve stable channel 20260629.*, Linux (debian-slim container), --auth-mode token, Traefik-fronted.
  • datastore: @keeb/mongodb-datastore
  • vault backend: @webframp/hashicorp-vault (KV v2, per-mount)

Impact / workaround

Any scheduled or served workflow that reads a model resource's vault-backed secret fails. Workaround: trigger the workflow outside serve (e.g. Unraid cron → docker exec <container> swamp workflow run <wf>), which uses the working CLI resolution path. Related serve issues: #889 / #890.

02Bog Flow
OPENTRIAGEDIN PROGRESSSHIPPED+ 1 MOREASSIGNED+ 2 MOREREVIEW+ 4 MOREPR_MERGED+ 1 MORECONTRIBUTOR_NOTIFIED

Shipped

7/2/2026, 5:44:42 PM

Click a lifecycle step above to view its details.

03Sludge Pulse
stack72 assigned stack727/2/2026, 3:24:27 PM
Editable. Press Enter to edit.

stack72 commented 7/2/2026, 5:44:52 PM

Thanks @magistr for reporting this! The fix has been merged and a release is on its way. We appreciate your contribution to swamp.

Sign in to post a ripple.