Add OpenAPI schema for Secrets service (secrets/v1)

[rowan-stein]

User Request

Add an OpenAPI schema for the Secrets service to expose it through the gateway. The schema should follow existing conventions from files/v1 and team/v1.

Specification

File Structure

openapi/secrets/v1/
├── openapi.yaml
├── paths/
│   ├── secret-providers.yaml
│   ├── secret-provider-by-id.yaml
│   ├── secrets.yaml
│   ├── secret-by-id.yaml
│   └── secret-resolve.yaml
└── components/
    ├── parameters/
    │   └── IdPath.yaml
    ├── responses/
    │   └── ProblemResponse.yaml
    └── schemas/
        ├── EntityMeta.yaml
        ├── Problem.yaml
        ├── Pagination.yaml
        ├── SecretProviderType.yaml
        ├── VaultConfig.yaml
        ├── SecretProviderConfig.yaml
        ├── SecretProvider.yaml
        ├── SecretProviderCreateRequest.yaml
        ├── SecretProviderUpdateRequest.yaml
        ├── PaginatedSecretProviders.yaml
        ├── Secret.yaml
        ├── SecretCreateRequest.yaml
        ├── SecretUpdateRequest.yaml
        ├── PaginatedSecrets.yaml
        └── ResolvedSecretValue.yaml

Conventions (must match existing team/v1 patterns)

• OpenAPI 3.0.3
• Paths via $ref to individual path files
• Entity schemas use allOf with EntityMeta.yaml
• Pagination: offset-based (page, perPage, total) with PaginatedX envelope
• Error responses: RFC 7807 ProblemResponse
• Create → POST 201, Get → GET 200, Update → PATCH 200, Delete → DELETE 204, List → GET 200
• UpdateRequest schemas: additionalProperties: false, no required (partial update)
• Shared components (IdPath, ProblemResponse, Problem, EntityMeta, Pagination) copied per service directory

Routes

Method	Path	Description
POST	/secret-providers	Create secret provider
GET	/secret-providers	List secret providers (page, perPage query params)
GET	/secret-providers/{id}	Get secret provider
PATCH	/secret-providers/{id}	Update secret provider
DELETE	/secret-providers/{id}	Delete secret provider
POST	/secrets	Create secret
GET	/secrets	List secrets (page, perPage, secretProviderId query params)
GET	/secrets/{id}	Get secret
PATCH	/secrets/{id}	Update secret
DELETE	/secrets/{id}	Delete secret
POST	/secrets/{id}/resolve	Resolve secret value

Proto Reference

The proto schema is at proto/agynio/api/secrets/v1/secrets.proto in this repo.

Key Schema Details

• SecretProviderType: enum vault
• VaultConfig: address (string), token (string) — both required
• SecretProviderConfig: object with optional vault key (matching provider type)
• SecretProvider: EntityMeta + title, description, type, config (type + config required)
• SecretProviderCreateRequest: title, description, type, config (type + config required)
• SecretProviderUpdateRequest: title, description, config only (type not updatable), additionalProperties: false
• Secret: EntityMeta + title, description, secretProviderId, remoteName (secretProviderId + remoteName required)
• SecretCreateRequest: title, description, secretProviderId, remoteName (secretProviderId + remoteName required)
• SecretUpdateRequest: title, description, secretProviderId, remoteName, additionalProperties: false
• ResolvedSecretValue: value (string, required)

CI Changes

Update .github/workflows/openapi-publish.yml to add bundle/lint/publish steps for secrets (following the same pattern as files and team).