Skip to content

fix: Resolve Qdrant API key profile isolation issue (#5442) #5443

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

fix: Resolve Qdrant API key profile isolation issue (#5442) #5443

wants to merge 1 commit into from

Conversation

@roomote
Copy link
Collaborator

@roomote roomote commented Jul 7, 2025
edited by ellipsis-dev bot
Loading

Description

Fixes #5442

This PR implements profile-aware secret storage to ensure that Qdrant API keys (and all other secrets) are properly isolated between different VSCode profiles (local, WSL, remote, etc.).

Problem

Previously, VSCode's built-in secrets API stored secrets globally across all profiles, causing Qdrant API keys set in one profile to appear in other profiles. This violated user expectations of profile isolation.

Solution

Profile-Aware Secret Storage

  • Unique Profile IDs: Generate profile-specific identifiers using VSCode's machineId, appName, and uriScheme
  • Prefixed Secret Keys: Store secrets with profile-specific prefixes (e.g., abc123def456:codeIndexQdrantApiKey)
  • Environment Isolation: Different VSCode environments (local vs WSL) generate different profile IDs

Automatic Migration

  • Backward Compatibility: Existing global secrets are automatically migrated to profile-specific storage
  • Safe Migration: Legacy secrets are migrated on first access and then cleaned up
  • No Data Loss: Users retain their existing API keys during the upgrade

Changes Made

Core Implementation

  • src/core/config/ContextProxy.ts:
    • Added generateProfileId() method using crypto hash of environment identifiers
    • Modified storeSecret() and getSecret() to use profile-specific keys
    • Implemented migration logic in initialize() and refreshSecrets()
    • Updated resetAllState() to handle profile-specific secret deletion

Testing

  • src/core/config/tests/ContextProxy.spec.ts:
    • Updated existing tests to expect profile-specific secret keys
    • Added comprehensive tests for profile isolation
    • Added migration testing for both initialization and refresh scenarios
    • Added tests for different VSCode environment isolation

Testing

  • All existing tests pass (28 ContextProxy tests)
  • All core/config tests pass (156 tests total)
  • All webview message handler tests pass (10 tests)
  • Linting passes across all packages
  • Type checking passes across all packages
  • Profile isolation verified through unit tests
  • Migration logic tested for both initialization and refresh scenarios

Verification of Acceptance Criteria

  • Profile Isolation: Qdrant API keys are now isolated between VSCode profiles
  • WSL vs Local: Different environments generate different profile IDs
  • Backward Compatibility: Existing secrets are automatically migrated
  • No Breaking Changes: All existing functionality preserved
  • Comprehensive Testing: Full test coverage for new functionality

Checklist

  • Code follows project style guidelines
  • Self-review completed
  • Comments added for complex logic
  • No breaking changes
  • All tests passing
  • Type checking passes
  • Linting passes

Impact

This fix ensures that users working with multiple VSCode profiles (especially common with WSL development) will have properly isolated API keys and secrets, resolving the confusion and security concerns raised in issue #5442.

Important

Implements profile-aware secret storage in ContextProxy to isolate Qdrant API keys across VSCode profiles with automatic migration and comprehensive testing.

  • Behavior:
    • Implements profile-aware secret storage in ContextProxy to isolate Qdrant API keys across VSCode profiles.
    • Uses profile-specific identifiers generated from machineId, appName, and uriScheme.
    • Secrets are stored with profile-specific prefixes.
    • Automatic migration of existing global secrets to profile-specific storage.
  • Core Implementation:
    • Adds generateProfileId() and getProfileSpecificSecretKey() methods in ContextProxy.
    • Modifies storeSecret(), getSecret(), initialize(), and refreshSecrets() to handle profile-specific keys.
    • Updates resetAllState() to delete profile-specific secrets.
  • Testing:
    • Updates tests in ContextProxy.spec.ts to verify profile-specific secret handling and migration.
    • Adds tests for different VSCode environments to ensure profile isolation.
    • Comprehensive testing for migration logic during initialization and refresh.

This description was created by Ellipsis for 3845f34. You can customize this summary. It will automatically update as commits are pushed.

@roomote
fix: implement profile-aware secret storage for VSCode profile isolat…
3845f34 
…ion (#5442)

- Add profile-specific secret key generation using machineId, appName, and uriScheme
- Implement automatic migration from legacy global secrets to profile-specific storage
- Ensure Qdrant API keys and other secrets are isolated between VSCode profiles (local, WSL, etc.)
- Add comprehensive tests for profile isolation and migration functionality
- Maintain backward compatibility with existing secret storage

Fixes #5442
@roomote roomote requested review from cte, jr and mrubens as code owners July 7, 2025 07:42
@dosubot dosubot bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Jul 7, 2025
@roomote roomote mentioned this pull request Jul 7, 2025
Closed
@dosubot dosubot bot added the bug Something isn't working label Jul 7, 2025
@delve-auditor
Copy link

delve-auditor bot commented Jul 7, 2025

No security or compliance issues detected. Reviewed everything up to 3845f34.

Security Overview
  • 🔎 Scanned files: 2 changed file(s)
Detected Code Changes
Change Type Relevant files
Enhancement ► ContextProxy.ts
    Add profile-specific secret storage
    Implement automatic migration from legacy global secrets
    Add profile ID generation functionality

Reply to this PR with @delve-auditor followed by a description of what change you want and we'll auto-submit a change to this PR to implement it.

@hannesrudolph hannesrudolph added the Issue/PR - Triage New issue. Needs quick review to confirm validity and assign labels. label Jul 7, 2025
@github-project-automation github-project-automation bot moved this from Triage to Done in Roo Code Roadmap Jul 7, 2025
@github-project-automation github-project-automation bot moved this from New to Done in Roo Code Roadmap Jul 7, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrubens mrubens Awaiting requested review from mrubens mrubens is a code owner

@cte cte Awaiting requested review from cte cte is a code owner

@jr jr Awaiting requested review from jr jr is a code owner

Assignees

No one assigned

Labels

bug Something isn't working Issue/PR - Triage New issue. Needs quick review to confirm validity and assign labels. size:L This PR changes 100-499 lines, ignoring generated files.

Projects

Roo Code Roadmap
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Qdrant API Keys are saved across VSCode profiles

3 participants

@roomote @hannesrudolph