Add reusable integrations settings foundation #3487

Open
JoshuaRileyDev wants to merge 7 commits into pingdotgg:main from JoshuaRileyDev:t3code/8c79c383

@JoshuaRileyDev JoshuaRileyDev commented Jun 21, 2026

Summary

Adds a reusable integrations settings foundation for GitHub, GitLab, Jira, and Linear with secure token storage/validation and a refreshed Settings navigation entry.

Changes

  • Adds a table-driven integrations registry so new providers can be added without duplicating UI/server plumbing.
  • Adds secure secret storage for integration API keys and server-side token validation per provider.
  • Supports GitHub, GitLab, Jira (site URL + cloud/self-hosted), and Linear in the integrations flow.
  • Renames the Settings sidebar entry to Integrations and restores the flat sidebar layout.
  • Adds visual evidence for both the integrations overview and the add-account wizard.

Visual Evidence

| Area | Screenshot | Notes |
| --- | --- | --- |
| Settings → Integrations | [image: Integrations settings] | Shows the integrations page with GitHub, GitLab, Jira, and Linear sections. |
| Add GitHub Account Wizard | [image: Integrations wizard] | Shows the first step of the multi-step add-account flow. |

Test Plan

  1. Run vp check.
  2. Run vp run typecheck.
  3. Open Settings → Integrations and verify the provider sections render with the updated sidebar item.
  4. Open Add account and verify the wizard stepper appears.

Risks

  • The repo still has unrelated pre-existing typecheck failures outside this change set.
  • Jira’s token validation depends on the configured base URL, so self-hosted instances need the correct site URL.

Rollback

  • Revert commit c7ab73118301f417af1467776fbe46569fdbabb5.

Follow-up

This is the building block for a future PR that can layer automations and triggers on top of the integrations registry.


Note

High Risk
Touches secret storage encryption and third-party API token handling; losing .secret-store-key makes stored secrets unreadable.

Overview
Adds a Settings → Integrations flow for GitHub, GitLab, Jira, and Linear: contracts/schemas, a multi-step add/edit wizard, and sidebar routing.

Server behavior: integration API keys are persisted in ServerSecretStore (not settings.json), redacted for clients, hydrated on read, and legacy plaintext keys migrate on save. ServerSecretStore now writes secrets as AES-256-GCM blobs (magic T3S1); payloads without that header still decrypt as plaintext for backward compatibility. A new serverTestIntegrationToken RPC validates tokens via provider APIs (including stored keys when useStoredToken is set).

UI: IntegrationsSettingsPanel tests tokens before save; Linear/Jira/GitLab icons updated.

Reviewed by Cursor Bugbot for commit a3d9baa.

Note

Add integrations settings foundation with token validation and encrypted secret storage

  • Adds a new /settings/integrations route rendering IntegrationsSettingsPanel, which lets users create, edit, and delete integration accounts (GitHub, GitLab, Jira, Linear) stored in ServerSettings.
  • Adds a multi-step AccountDialog that validates account name uniqueness, optional base URL, and verifies API tokens via a new testIntegrationToken RPC before saving.
  • Adds server-side token validators in integrations.ts for all four providers; each fetches the authenticated user and returns an accountLabel or a typed IntegrationAccountTokenValidationError.
  • Integration API keys are never stored in plaintext: serverSettings.ts writes keys to ServerSecretStore, redacts them in persisted JSON and client-facing views, and hydrates them on read.
  • ServerSecretStore now encrypts all secrets at rest using AES-256-GCM with a per-store 32-byte key file; existing unencrypted payloads are read as-is for backward compatibility.
  • Risk: the encryption key file (.secret-store-key) is created automatically on first use; losing it makes stored integration secrets unrecoverable.

Macroscope summarized a3d9baa.
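
The at-rest format summarized above (AES-256-GCM blobs with a T3S1 magic header, plaintext fallback for payloads without it), as an added sketch that is not code from this PR. The field order after the magic, the 12-byte nonce and 16-byte tag, the use of the magic as AAD, and the names sealSecret/openSecret are assumptions.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Assumed layout (not taken from the PR): "T3S1" | 12-byte nonce | 16-byte tag | ciphertext
const MAGIC = Buffer.from("T3S1", "ascii");
const NONCE_LEN = 12, TAG_LEN = 16;

function sealSecret(key: Buffer, plaintext: Buffer): Buffer {
  if (key.length !== 32) throw new Error("AES-256-GCM needs a 32-byte key");
  const nonce = randomBytes(NONCE_LEN); // fresh nonce per write; never reuse one under the same key
  const cipher = createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(MAGIC); // bind the format marker to the auth tag
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([MAGIC, nonce, cipher.getAuthTag(), body]);
}

function openSecret(key: Buffer, blob: Buffer): { value: Buffer; legacy: boolean } {
  if (!blob.subarray(0, MAGIC.length).equals(MAGIC)) {
    // Backward-compatible path: no header means the bytes are returned as-is, with no
    // integrity check. The flag lets the caller re-seal the value on the next write.
    return { value: blob, legacy: true };
  }
  // A legacy plaintext that happens to start with "T3S1" lands here and fails closed.
  const bodyStart = MAGIC.length + NONCE_LEN + TAG_LEN;
  if (blob.length < bodyStart) throw new Error("truncated T3S1 blob");
  const nonce = blob.subarray(MAGIC.length, MAGIC.length + NONCE_LEN);
  const decipher = createDecipheriv("aes-256-gcm", key, nonce, { authTagLength: TAG_LEN });
  decipher.setAAD(MAGIC);
  decipher.setAuthTag(blob.subarray(MAGIC.length + NONCE_LEN, bodyStart));
  // final() throws if the tag does not verify (wrong key or modified bytes).
  const value = Buffer.concat([decipher.update(blob.subarray(bodyStart)), decipher.final()]);
  return { value, legacy: false };
}

// Constructed sample data: a random key and a made-up token.
const SAMPLE_KEY = randomBytes(32);
const SAMPLE_SEALED = sealSecret(SAMPLE_KEY, Buffer.from("example-token-not-real"));

function tamperIsRejected(): boolean {
  const bad = Buffer.from(SAMPLE_SEALED); // copy, then flip one ciphertext bit
  bad[bad.length - 1] ^= 0x01;
  try {
    openSecret(SAMPLE_KEY, bad);
    return false;
  } catch {
    return true;
  }
}
```
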

coderabbitai Bot commented Jun 21, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


github-actions Bot added labels on Jun 21, 2026: vouch:unvouched (PR author is not yet trusted in the VOUCHED list.), size:XXL (1,000+ changed lines (additions + deletions).)
Comment thread apps/server/src/serverSettings.ts
Comment thread apps/server/src/integrations.ts
Comment thread apps/web/src/components/settings/IntegrationsSettings.tsx
Comment thread apps/server/src/auth/ServerSecretStore.ts Outdated
Comment thread apps/server/src/auth/ServerSecretStore.ts Outdated
Comment thread apps/server/src/serverSettings.ts Outdated
Comment thread packages/contracts/src/settings.ts Outdated
macroscopeapp Bot commented Jun 21, 2026

Contributor

Approvability

Verdict: Needs human review

This PR introduces a significant new feature: a complete integrations settings system with encryption at rest, external API token validation (GitHub, GitLab, Jira, Linear), new UI components, and RPC endpoints. The scope and security-sensitive nature of the encryption code warrant human review.

Comment thread apps/web/src/components/settings/IntegrationsSettings.tsx Outdated
Comment thread apps/server/src/auth/ServerSecretStore.ts Outdated
Comment thread apps/server/src/auth/ServerSecretStore.ts Outdated

@cursor cursor Bot left a comment

Contributor

Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

Reviewed by Cursor Bugbot for commit 44e710a.

Comment thread apps/server/src/ws.ts
Comment thread apps/web/src/components/settings/IntegrationsSettings.tsx Outdated
Comment thread apps/web/src/components/settings/IntegrationsSettings.tsx Outdated