feat: Add OPA (Okta Privileged Access) secret management integration

[iamspathan]

Summary

Integrates Okta Privileged Access (OPA) for secure LLM credential management, replacing plain-text .env file storage with enterprise-grade secret management.

Problem

Before this integration, LLM credentials were stored in .env files:

• Easy to accidentally commit to git
• Visible in plain text on the filesystem
• No audit trail of who accessed them
• No centralized management across environments

Solution

OPA provides enterprise-grade secret management:

• Secrets are encrypted at rest (JWE: RSA-OAEP-256 + A256GCM)
• Access is controlled by policies
• Full audit logging of secret access
• Centralized management with revocation capability

Architecture

SETUP TIME (One-time):
┌──────────────┐    Encrypt & Store    ┌──────────────────┐
│ LLM API Key  │ ──────────────────►   │   OPA Vault      │
│ (plaintext)  │                       │ (encrypted JWE)  │
└──────────────┘                       └──────────────────┘
                                               │
                                       Returns Secret ID
                                               ▼
                                       ┌──────────────────┐
                                       │   .env.opa       │
                                       │ (stores IDs only)│
                                       └──────────────────┘

RUNTIME (Every startup):
┌──────────────┐    Request Secret     ┌──────────────────┐
│   Agent0     │ ──────────────────►   │   OPA Vault      │
│              │    (with token)       │                  │
│              │ ◄──────────────────   │                  │
└──────────────┘   Decrypted Value     └──────────────────┘
        │
        ▼
Initialize LLM client with retrieved credentials

Changes

New Files

File	Purpose
scripts/lib/opa-api.ts	OPA REST API client with JWE encryption
scripts/setup-opa-secrets.ts	Interactive script to store secrets in OPA
scripts/validate-opa-secrets.ts	Validates OPA configuration
packages/agent0/src/secrets/opa-api.ts	Runtime OPA client
packages/agent0/src/secrets/opa-secrets.ts	Secret fetching logic
docs/opa-secret-management.md	Full documentation

Modified Files

File	Changes
packages/agent0/src/agent.ts	Async LLM config initialization with OPA fallback to env vars
packages/agent0/package.json	Added jose dependency for JWE
.gitignore	Added .env.opa

Additional Scripts

Script	Purpose
bootstrap-okta-tenant.js	Automated Okta tenant setup
rollback-okta-config.js	Rollback Okta configuration
validate-okta-config.js	Validate Okta setup

Usage

Setup (one-time)

pnpm run setup:opa-secrets

Runtime

Agent0 automatically:

1. Checks if OPA is configured (.env.opa exists)
2. Fetches credentials from OPA vault
3. Falls back to environment variables if OPA fails

Configuration

.env.opa example:

OPA_TEAM_NAME=your-team
OPA_API_TOKEN=your-token
OPA_SECRET_ID=secret-id-from-setup

Documentation

See docs/opa-secret-management.md for full implementation details.