Handle sensitive fields gracefully when no vault is configured #1047
Description
Context
Working on systeminit/swamp-extensions#29 — marking sensitive fields (passwords, private keys, API keys, access tokens) with .meta({ sensitive: true }) in generated extension models so they get auto-vaulted instead of stored in plaintext.
The codegen fix in swamp-extensions will mark ~150+ models across AWS, GCP, DigitalOcean, and Hetzner with sensitive field metadata. However, the current swamp runtime behavior blocks this rollout: if a model has sensitive fields but no vault is configured, swamp throws a hard error:
Cannot persist data: fields 'access_key' are marked as sensitive
but no vault is configured. Create a vault using: swamp vault create <type> <name>
This means marking fields as sensitive becomes a breaking change — users who haven't configured a vault can't use any model with sensitive outputs (RDS, SecretsManager, database clusters, space keys, etc.).
What needs to change
When sensitive fields are written and no vault is configured, swamp should offer a graceful fallback instead of erroring. Based on user feedback, the desired behavior is:
Option A: Auto-create a local encryption vault (recommended default)
- When the first sensitive field is encountered and no vault exists, automatically create a local_encryption vault
- Store sensitive values encrypted locally without requiring manual vault setup
- Log a message:
Auto-created local encryption vault for sensitive data. Configure a cloud vault with 'swamp vault create <type> <name>' for production use.
Option B: Redacted plaintext fallback
- Store the field value as ***REDACTED*** or similar obfuscated form
- Warn the user that sensitive data was not persisted:
Warning: field 'access_key' is sensitive but no vault is configured. Value was redacted. Create a vault to persist sensitive values.
Option C: User-configurable preference
- Let the user choose their preferred behavior (auto-vault, redact, or error) via swamp config
- Remember the choice so the agent doesn't have to re-ask
User feedback
A user was asked about this and responded:
"I'd want a clear choice on whether to auto-store such things or emit them as redacted plaintext (maybe obfuscated is OK, too) — and a way to easily get my agent to remember the choice."
Relevant code
The error is thrown in src/domain/models/data_writer.ts in the processSensitiveResourceData() function (around line 355-365) when vaultService.getVaultNames() returns an empty list.
Dependency
The codegen PR in swamp-extensions (marking ~150+ models with sensitive fields) is blocked on this runtime change. Once swamp handles the no-vault case gracefully, the codegen changes can be merged and models regenerated.
🤖 Generated with Claude Code
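
A sketch of how the three no-vault behaviors in Options A to C could sit behind one policy switch. This is an added example, not swamp's code: persist, seal, open, Policy and Vault are hypothetical names, and it assumes AES-256-GCM with a key held in memory, where a real local vault would also have to store and protect that key.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

type Policy = "auto-vault" | "redact" | "error"; // hypothetical config values
interface Vault { name: string; key: Buffer }
interface Result { stored: Record<string, string>; warnings: string[]; vault?: Vault }

// AES-256-GCM with a fresh 96-bit nonce per value; layout is nonce | tag | ciphertext.
function seal(key: Buffer, plaintext: string): string {
  const iv = randomBytes(12);
  const c = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return "enc:" + Buffer.concat([iv, c.getAuthTag(), ct]).toString("base64");
}

// Inverse of seal(); final() throws if the tag does not verify.
function open(key: Buffer, sealed: string): string {
  const raw = Buffer.from(sealed.slice(4), "base64");
  const d = createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString("utf8");
}

// Persist `data`; `sensitive` lists the field names marked sensitive.
function persist(data: Record<string, string>, sensitive: string[],
                 policy: Policy, vault?: Vault): Result {
  const stored: Record<string, string> = {};
  const warnings: string[] = [];
  for (const [field, value] of Object.entries(data)) {
    if (!sensitive.includes(field)) { stored[field] = value; continue; }
    if (!vault) {
      if (policy === "error") { // current behavior: refuse to write
        throw new Error(`Cannot persist data: fields '${field}' are marked as sensitive but no vault is configured.`);
      }
      if (policy === "redact") { // Option B: the secret never reaches storage
        stored[field] = "***REDACTED***";
        warnings.push(`Warning: field '${field}' is sensitive but no vault is configured. Value was redacted.`);
        continue;
      }
      // Option A: create the local vault once, on the first sensitive field
      vault = { name: "local_encryption", key: randomBytes(32) };
      warnings.push("Auto-created local encryption vault for sensitive data.");
    }
    stored[field] = seal(vault.key, value);
  }
  return { stored, warnings, vault };
}
```

Under the redact policy the original value is gone after the write, so anything downstream that needs the secret has to re-read it from the provider.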