Add encrypted secret manager and ${secrets.NAME} placeholders

A Fernet-encrypted JSON vault under ~/.je_auto_control/secrets stores
named secrets behind a passphrase-derived key (PBKDF2-HMAC-SHA256,
600k iterations). Action scripts reference entries via ${secrets.NAME}
in interpolation, keeping plaintext out of the variable scope and out
of script JSON. AC_secret_init / unlock / lock / set / remove / list /
status drive it from headless code, plus a Secrets GUI tab.

Author: JE-Chen

je_auto_control/__init__.py

@@ -131,6 +131,11 @@
 from je_auto_control.utils.profiler import (
     ActionProfiler, ActionStats, default_profiler,
 )
+# Secrets (headless)
+from je_auto_control.utils.secrets import (
+    SecretManager, SecretStoreError, SecretStoreLocked,
+    default_secret_manager, default_secret_store_path,
+)
 # Run history (headless)
 from je_auto_control.utils.run_history.history_store import (
     HistoryStore, RunRecord, default_history_store,
@@ -308,6 +313,9 @@ def start_autocontrol_gui(*args, **kwargs):
     "PixelColorTrigger", "FilePathTrigger",
     # Profiler
     "ActionProfiler", "ActionStats", "default_profiler",
+    # Secret manager
+    "SecretManager", "SecretStoreError", "SecretStoreLocked",
+    "default_secret_manager", "default_secret_store_path",
     # Run history
     "HistoryStore", "RunRecord", "default_history_store",
     # Accessibility

je_auto_control/gui/language_wrapper/english.py

@@ -35,6 +35,7 @@
     "tab_vlm": "AI Locator",
     "tab_ocr_reader": "OCR Reader",
     "tab_variables": "Variables",
+    "tab_secrets": "Secrets",
     "tab_llm_planner": "LLM Planner",
     "tab_remote_desktop": "Remote Desktop",
     "tab_rest_api": "REST API",
@@ -664,6 +665,30 @@
     "rh_preview_empty": "Select a run to preview.",
     "rh_preview_no_artifact": "No screenshot for this run.",
 
+    # Secrets tab
+    "secret_unlock_group": "Vault",
+    "secret_manage_group": "Secrets",
+    "secret_passphrase_label": "Passphrase:",
+    "secret_passphrase_placeholder": "vault passphrase",
+    "secret_init": "Create vault",
+    "secret_init_done": "Vault created and unlocked.",
+    "secret_unlock": "Unlock",
+    "secret_lock": "Lock",
+    "secret_add": "Add secret",
+    "secret_remove": "Remove",
+    "secret_change_passphrase": "Change passphrase",
+    "secret_change_done": "Vault re-encrypted with the new passphrase.",
+    "secret_status_uninitialized": "Vault not created yet.",
+    "secret_status_unlocked": "Vault is unlocked.",
+    "secret_status_locked": "Vault is locked.",
+    "secret_passphrase_required": "Enter a passphrase first.",
+    "secret_wrong_passphrase": "Wrong passphrase.",
+    "secret_unlock_first": "Unlock the vault before managing secrets.",
+    "secret_name_prompt": "Secret name (use as ${secrets.NAME}):",
+    "secret_value_prompt": "Secret value:",
+    "secret_old_passphrase_prompt": "Current passphrase:",
+    "secret_new_passphrase_prompt": "New passphrase:",
+
     # Profiler tab
     "prof_enable": "Enable profiler",
     "prof_disable": "Disable profiler",

je_auto_control/gui/language_wrapper/japanese.py

@@ -29,6 +29,7 @@
     "tab_report": "レポート",
     "tab_run_history": "実行履歴",
     "tab_profiler": "プロファイラ",
+    "tab_secrets": "シークレット",
     "tab_accessibility": "アクセシビリティ",
     "tab_vlm": "AI ロケーター",
     "tab_ocr_reader": "OCR リーダー",
@@ -662,6 +663,30 @@
     "rh_preview_empty": "実行を選択するとプレビューが表示されます。",
     "rh_preview_no_artifact": "この実行のスクリーンショットはありません。",
 
+    # Secrets tab
+    "secret_unlock_group": "ボールト",
+    "secret_manage_group": "シークレット",
+    "secret_passphrase_label": "パスフレーズ：",
+    "secret_passphrase_placeholder": "ボールトパスフレーズ",
+    "secret_init": "ボールトを作成",
+    "secret_init_done": "ボールトを作成し、解錠しました。",
+    "secret_unlock": "解錠",
+    "secret_lock": "ロック",
+    "secret_add": "シークレットを追加",
+    "secret_remove": "削除",
+    "secret_change_passphrase": "パスフレーズ変更",
+    "secret_change_done": "新しいパスフレーズで再暗号化しました。",
+    "secret_status_uninitialized": "ボールト未作成。",
+    "secret_status_unlocked": "ボールト解錠中。",
+    "secret_status_locked": "ボールトはロック中。",
+    "secret_passphrase_required": "パスフレーズを入力してください。",
+    "secret_wrong_passphrase": "パスフレーズが違います。",
+    "secret_unlock_first": "先にボールトを解錠してください。",
+    "secret_name_prompt": "シークレット名 (${secrets.NAME} で参照):",
+    "secret_value_prompt": "シークレット値:",
+    "secret_old_passphrase_prompt": "現在のパスフレーズ:",
+    "secret_new_passphrase_prompt": "新しいパスフレーズ:",
+
     # Profiler tab
     "prof_enable": "プロファイラを有効化",
     "prof_disable": "プロファイラを無効化",

je_auto_control/gui/language_wrapper/simplified_chinese.py

@@ -21,6 +21,7 @@
     "tab_report": "报告生成",
     "tab_run_history": "执行记录",
     "tab_profiler": "性能分析",
+    "tab_secrets": "密钥管理",
     "tab_accessibility": "无障碍树",
     "tab_vlm": "AI 定位",
     "tab_ocr_reader": "OCR 读取",
@@ -652,6 +653,30 @@
     "rh_preview_empty": "请选择一条记录预览。",
     "rh_preview_no_artifact": "此次执行没有截图。",
 
+    # Secrets tab
+    "secret_unlock_group": "密钥库",
+    "secret_manage_group": "密钥",
+    "secret_passphrase_label": "通行码：",
+    "secret_passphrase_placeholder": "密钥库通行码",
+    "secret_init": "创建密钥库",
+    "secret_init_done": "密钥库已创建并解锁。",
+    "secret_unlock": "解锁",
+    "secret_lock": "锁定",
+    "secret_add": "添加密钥",
+    "secret_remove": "删除",
+    "secret_change_passphrase": "修改通行码",
+    "secret_change_done": "密钥库已使用新通行码重新加密。",
+    "secret_status_uninitialized": "尚未创建密钥库。",
+    "secret_status_unlocked": "密钥库已解锁。",
+    "secret_status_locked": "密钥库已锁定。",
+    "secret_passphrase_required": "请先输入通行码。",
+    "secret_wrong_passphrase": "通行码错误。",
+    "secret_unlock_first": "请先解锁密钥库再管理密钥。",
+    "secret_name_prompt": "密钥名称（脚本以 ${secrets.NAME} 引用）：",
+    "secret_value_prompt": "密钥内容：",
+    "secret_old_passphrase_prompt": "当前通行码：",
+    "secret_new_passphrase_prompt": "新通行码：",
+
     # Profiler tab
     "prof_enable": "启用性能分析",
     "prof_disable": "停用性能分析",

je_auto_control/gui/language_wrapper/traditional_chinese.py

@@ -26,6 +26,7 @@
     "tab_vlm": "AI 定位",
     "tab_ocr_reader": "OCR 讀取",
     "tab_variables": "執行期變數",
+    "tab_secrets": "密鑰管理",
     "tab_llm_planner": "LLM 腳本規劃",
     "tab_remote_desktop": "遠端桌面",
     "tab_rest_api": "REST API",
@@ -653,6 +654,30 @@
     "rh_preview_empty": "請選擇一筆紀錄以預覽。",
     "rh_preview_no_artifact": "此次執行沒有截圖。",
 
+    # Secrets tab
+    "secret_unlock_group": "密鑰庫",
+    "secret_manage_group": "密鑰",
+    "secret_passphrase_label": "通行碼：",
+    "secret_passphrase_placeholder": "密鑰庫通行碼",
+    "secret_init": "建立密鑰庫",
+    "secret_init_done": "密鑰庫已建立並解鎖。",
+    "secret_unlock": "解鎖",
+    "secret_lock": "鎖定",
+    "secret_add": "新增密鑰",
+    "secret_remove": "移除",
+    "secret_change_passphrase": "變更通行碼",
+    "secret_change_done": "密鑰庫已用新通行碼重新加密。",
+    "secret_status_uninitialized": "尚未建立密鑰庫。",
+    "secret_status_unlocked": "密鑰庫已解鎖。",
+    "secret_status_locked": "密鑰庫已鎖定。",
+    "secret_passphrase_required": "請先輸入通行碼。",
+    "secret_wrong_passphrase": "通行碼錯誤。",
+    "secret_unlock_first": "請先解鎖密鑰庫再管理密鑰。",
+    "secret_name_prompt": "密鑰名稱（在腳本以 ${secrets.NAME} 引用）：",
+    "secret_value_prompt": "密鑰內容：",
+    "secret_old_passphrase_prompt": "目前通行碼：",
+    "secret_new_passphrase_prompt": "新通行碼：",
+
     # Profiler tab
     "prof_enable": "啟用效能分析",
     "prof_disable": "停用效能分析",

je_auto_control/gui/main_widget.py

@@ -20,6 +20,7 @@
 from je_auto_control.gui.ocr_tab import OCRReaderTab
 from je_auto_control.gui.plugins_tab import PluginsTab
 from je_auto_control.gui.profiler_tab import ProfilerTab
+from je_auto_control.gui.secrets_tab import SecretsTab
 from je_auto_control.gui.admin_console_tab import AdminConsoleTab
 from je_auto_control.gui.audit_log_tab import AuditLogTab
 from je_auto_control.gui.diagnostics_tab import DiagnosticsTab
@@ -109,6 +110,8 @@ def __init__(self, parent=None):
                       category="editing")
         self._add_tab("variables", "tab_variables", VariablesTab(),
                       category="editing")
+        self._add_tab("secrets", "tab_secrets", SecretsTab(),
+                      category="editing")
         self._add_tab("vlm", "tab_vlm", VLMTab(),
                       category="detection")
         self._add_tab("ocr_reader", "tab_ocr_reader", OCRReaderTab(),

je_auto_control/gui/secrets_tab.py

@@ -0,0 +1,194 @@
+"""Secrets tab: unlock the vault and manage ${secrets.NAME} entries."""
+from typing import Optional
+
+from PySide6.QtWidgets import (
+    QAbstractItemView, QGroupBox, QHBoxLayout, QInputDialog, QLabel,
+    QLineEdit, QListWidget, QListWidgetItem, QMessageBox, QPushButton,
+    QVBoxLayout, QWidget,
+)
+
+from je_auto_control.gui._i18n_helpers import TranslatableMixin
+from je_auto_control.gui.language_wrapper.multi_language_wrapper import (
+    language_wrapper,
+)
+from je_auto_control.utils.secrets import (
+    SecretStoreError, SecretStoreLocked, default_secret_manager,
+)
+
+
+def _t(key: str) -> str:
+    return language_wrapper.translate(key, key)
+
+
+class SecretsTab(TranslatableMixin, QWidget):
+    """Manage the encrypted secret vault used by ``${secrets.NAME}``."""
+
+    def __init__(self, parent: Optional[QWidget] = None) -> None:
+        super().__init__(parent)
+        self._tr_init()
+        self._status_label = QLabel()
+        self._passphrase = QLineEdit()
+        self._passphrase.setEchoMode(QLineEdit.Password)
+        self._list = QListWidget()
+        self._list.setEditTriggers(QAbstractItemView.NoEditTriggers)
+        self._build_layout()
+        self._refresh_status()
+
+    def retranslate(self) -> None:
+        TranslatableMixin.retranslate(self)
+        self._refresh_status()
+
+    def _build_layout(self) -> None:
+        root = QVBoxLayout(self)
+        unlock_box = self._tr(QGroupBox(), "secret_unlock_group")
+        unlock_layout = QHBoxLayout(unlock_box)
+        unlock_layout.addWidget(self._tr(QLabel(), "secret_passphrase_label"))
+        self._passphrase.setPlaceholderText(_t("secret_passphrase_placeholder"))
+        unlock_layout.addWidget(self._passphrase)
+        init_btn = self._tr(QPushButton(), "secret_init")
+        init_btn.clicked.connect(self._on_init)
+        unlock_layout.addWidget(init_btn)
+        unlock_btn = self._tr(QPushButton(), "secret_unlock")
+        unlock_btn.clicked.connect(self._on_unlock)
+        unlock_layout.addWidget(unlock_btn)
+        lock_btn = self._tr(QPushButton(), "secret_lock")
+        lock_btn.clicked.connect(self._on_lock)
+        unlock_layout.addWidget(lock_btn)
+        root.addWidget(unlock_box)
+
+        manage_box = self._tr(QGroupBox(), "secret_manage_group")
+        manage_layout = QVBoxLayout(manage_box)
+        manage_layout.addWidget(self._list)
+        button_row = QHBoxLayout()
+        add_btn = self._tr(QPushButton(), "secret_add")
+        add_btn.clicked.connect(self._on_add)
+        button_row.addWidget(add_btn)
+        remove_btn = self._tr(QPushButton(), "secret_remove")
+        remove_btn.clicked.connect(self._on_remove)
+        button_row.addWidget(remove_btn)
+        change_btn = self._tr(QPushButton(), "secret_change_passphrase")
+        change_btn.clicked.connect(self._on_change_passphrase)
+        button_row.addWidget(change_btn)
+        button_row.addStretch()
+        manage_layout.addLayout(button_row)
+        root.addWidget(manage_box, stretch=1)
+
+        root.addWidget(self._status_label)
+
+    def _refresh_status(self) -> None:
+        manager = default_secret_manager
+        if not manager.is_initialized:
+            self._status_label.setText(_t("secret_status_uninitialized"))
+        elif manager.is_unlocked:
+            self._status_label.setText(_t("secret_status_unlocked"))
+        else:
+            self._status_label.setText(_t("secret_status_locked"))
+        self._refresh_list()
+
+    def _refresh_list(self) -> None:
+        self._list.clear()
+        if not default_secret_manager.is_unlocked:
+            return
+        try:
+            names = default_secret_manager.list_names()
+        except SecretStoreError:
+            names = []
+        for name in names:
+            self._list.addItem(QListWidgetItem(name))
+
+    def _consume_passphrase(self) -> str:
+        text = self._passphrase.text()
+        self._passphrase.clear()
+        return text
+
+    def _on_init(self) -> None:
+        passphrase = self._consume_passphrase()
+        if not passphrase:
+            QMessageBox.warning(self, _t("secret_init"),
+                                _t("secret_passphrase_required"))
+            return
+        try:
+            default_secret_manager.initialize(passphrase)
+        except SecretStoreError as error:
+            QMessageBox.warning(self, _t("secret_init"), str(error))
+            return
+        QMessageBox.information(self, _t("secret_init"),
+                                _t("secret_init_done"))
+        self._refresh_status()
+
+    def _on_unlock(self) -> None:
+        passphrase = self._consume_passphrase()
+        if not passphrase:
+            return
+        try:
+            ok = default_secret_manager.unlock(passphrase)
+        except SecretStoreError as error:
+            QMessageBox.warning(self, _t("secret_unlock"), str(error))
+            return
+        if not ok:
+            QMessageBox.warning(self, _t("secret_unlock"),
+                                _t("secret_wrong_passphrase"))
+        self._refresh_status()
+
+    def _on_lock(self) -> None:
+        default_secret_manager.lock()
+        self._refresh_status()
+
+    def _on_add(self) -> None:
+        if not default_secret_manager.is_unlocked:
+            QMessageBox.information(self, _t("secret_add"),
+                                    _t("secret_unlock_first"))
+            return
+        name, ok = QInputDialog.getText(
+            self, _t("secret_add"), _t("secret_name_prompt"),
+        )
+        if not ok or not name.strip():
+            return
+        value, ok = QInputDialog.getText(
+            self, _t("secret_add"), _t("secret_value_prompt"),
+            QLineEdit.Password,
+        )
+        if not ok:
+            return
+        try:
+            default_secret_manager.set(name.strip(), value)
+        except (SecretStoreError, SecretStoreLocked, ValueError) as error:
+            QMessageBox.warning(self, _t("secret_add"), str(error))
+            return
+        self._refresh_list()
+
+    def _on_remove(self) -> None:
+        item = self._list.currentItem()
+        if item is None:
+            return
+        try:
+            default_secret_manager.remove(item.text())
+        except (SecretStoreError, SecretStoreLocked) as error:
+            QMessageBox.warning(self, _t("secret_remove"), str(error))
+            return
+        self._refresh_list()
+
+    def _on_change_passphrase(self) -> None:
+        old, ok = QInputDialog.getText(
+            self, _t("secret_change_passphrase"),
+            _t("secret_old_passphrase_prompt"), QLineEdit.Password,
+        )
+        if not ok:
+            return
+        new, ok = QInputDialog.getText(
+            self, _t("secret_change_passphrase"),
+            _t("secret_new_passphrase_prompt"), QLineEdit.Password,
+        )
+        if not ok or not new:
+            return
+        try:
+            default_secret_manager.change_passphrase(old, new)
+        except (SecretStoreError, ValueError) as error:
+            QMessageBox.warning(self, _t("secret_change_passphrase"),
+                                str(error))
+            return
+        QMessageBox.information(
+            self, _t("secret_change_passphrase"),
+            _t("secret_change_done"),
+        )
+        self._refresh_status()