Add Railway secrets provider #721

Merged
ralyodio merged 3 commits into profullstack:master from quappefeeder:add-railway-secrets-provider
Jun 14, 2026
@quappefeeder

Contributor

Summary

  • add a Railway secrets provider for railway variable list/set
  • register railway under the secrets adapter category
  • include README, package metadata, tsconfig, and smoke test

Refs #710.

Via ugig gig, ugig user liudong-design.

Testing

  • git diff --check
  • node --check packages/secrets/railway/src/index.ts using local bundled Node
  • Not run: pnpm --filter @profullstack/sh1pt-secrets-railway typecheck and pnpm vitest run packages/secrets/railway/src/index.test.ts because this execution environment does not have pnpm/npm/corepack available on PATH.

@greptile-apps

greptile-apps Bot commented Jun 12, 2026

Contributor

Greptile Summary

This PR adds a fully-functional Railway secrets provider (@profullstack/sh1pt-secrets-railway) that wraps the railway variable list and railway variable set CLI commands, and registers it in the adapter registry alongside Doppler, dotenvx, GitHub, and 1Password.

  • The core implementation (index.ts) includes key validation via assertSecretKey, defensive JSON parsing that handles both array and object response shapes from railway variable list --json, optional --service/--environment/--skip-deploys scoping, and a redactSecretArgError helper that scrubs KEY=VALUE from CLI error messages before re-throwing — directly addressing the secret-exposure concern raised in the previous review thread.
  • A smoke test plus a targeted redaction test (index.test.ts) verify the security-critical error-scrubbing path with a realistic mock error matching the exec error format.
  • Package scaffolding (package.json, tsconfig.json, README, pnpm-lock.yaml) follows the existing monorepo conventions.

Confidence Score: 5/5

Safe to merge — the change is additive, self-contained within its new package, and the security-sensitive push path has been deliberately hardened with error redaction.

The implementation is complete and consistent with existing provider patterns. The one security-sensitive path (secret value appearing in CLI arguments and error messages) is explicitly handled by redactSecretArgError and covered by a test. No existing functionality is modified beyond adding 'railway' to the adapter list.

No files require special attention. The two comments left are minor polish items (semantic use of accountId in connect, and missing pull/connect unit tests) that do not affect correctness.

Important Files Changed

| Filename | Overview |
| --- | --- |
| packages/secrets/railway/src/index.ts | Core provider implementation — pull/push/connect wired correctly, secret redaction in place, key validation, defensive JSON parsing for both array and object Railway API shapes |
| packages/secrets/railway/src/index.test.ts | Smoke test + targeted redaction test; verifies the security-critical error-message scrubbing path end-to-end with a realistic mock error |
| packages/cli/src/adapter-registry.ts | Registers 'railway' in the secrets adapter list and updates the description string; minimal, correct change |
| packages/secrets/railway/package.json | Standard monorepo package manifest with workspace dep on sh1pt-core; dev-time main points to src/index.ts, publishConfig overrides to dist correctly |
| packages/secrets/railway/tsconfig.json | Extends the root tsconfig.base.json with standard outDir/rootDir; consistent with other packages in the monorepo |
| packages/secrets/railway/README.md | New package README covering usage, dev commands, and adapter metadata; accurate description of skip-deploys and scope options |
| pnpm-lock.yaml | Lock file updated to add the new railway package workspace entry pointing to core; no unexpected dependency additions |

Sequence Diagram

sequenceDiagram
    participant CLI as sh1pt CLI
    participant Adapter as secrets-railway adapter
    participant Exec as core/exec (spawn)
    participant RailwayCLI as railway CLI

    CLI->>Adapter: connect(ctx, config)
    Adapter->>Exec: exec('railway', ['whoami'])
    Exec->>RailwayCLI: spawn railway whoami
    RailwayCLI-->>Exec: stdout/stderr
    Exec-->>Adapter: ExecResult
    Adapter-->>CLI: "{ accountId: scope }"

    CLI->>Adapter: pull(ctx, config)
    Adapter->>Exec: exec('railway', ['variable','list','--json',...scopedArgs])
    Exec->>RailwayCLI: spawn railway variable list --json
    RailwayCLI-->>Exec: JSON stdout
    Exec-->>Adapter: "ExecResult { stdout }"
    Adapter->>Adapter: "parseVariables(stdout) — handles array & object shapes"
    Adapter-->>CLI: SecretRef[]

    CLI->>Adapter: push(ctx, secrets, config)
    loop for each secret
        Adapter->>Adapter: assertSecretKey(key)
        Adapter->>Exec: "exec('railway', [...commonArgs, 'KEY=VALUE'])"
        Exec->>RailwayCLI: "spawn railway variable set KEY=VALUE"
        RailwayCLI-->>Exec: exit code
        alt non-zero exit
            Exec-->>Adapter: "throws Error (message contains KEY=VALUE)"
            Adapter->>Adapter: "redactSecretArgError → replaces KEY=VALUE with KEY=<redacted>"
            Adapter-->>CLI: throws redacted Error
        else success
            Exec-->>Adapter: ExecResult
        end
    end
    Adapter-->>CLI: "{ count: N }"

Reviews (4): Last reviewed commit: "Redact Railway secret values on CLI fail..." | Re-trigger Greptile
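
The key check and error-redaction path described in the review above, sketched as an added example that is not the PR's code. The function names, key pattern, exec stub and error format are assumptions made for illustration; only the `railway variable set KEY=VALUE` argument shape comes from the page.

```typescript
// Added illustration: names, key policy and error format are assumptions, not the PR's code.
type Exec = (cmd: string, args: string[]) => void;

const KEY_PATTERN = /^[A-Za-z_][A-Za-z0-9_]*$/; // assumed key policy

// Reject keys that could smuggle '=' or whitespace into the KEY=VALUE argument.
function assertKey(key: string): void {
  if (!KEY_PATTERN.test(key)) {
    throw new Error('invalid secret key: ' + JSON.stringify(key));
  }
}

// Scrub every occurrence of the value, both raw and as it appears JSON-escaped
// (quotes, backslashes) when an exec helper serialises argv into its message.
function redactValue(message: string, value: string): string {
  if (value === '') return message; // split('') would mangle the whole message
  const escaped = JSON.stringify(value).slice(1, -1);
  // split/join matches literally, so regex metacharacters in the value are harmless.
  const out = message.split(escaped).join('<redacted>');
  return out.split(value).join('<redacted>');
}

function pushSecret(exec: Exec, key: string, value: string): void {
  assertKey(key);
  try {
    exec('railway', ['variable', 'set', key + '=' + value]);
  } catch (err) {
    const raw = err instanceof Error ? err.message : String(err);
    // Throw a fresh Error: attaching the original as `cause` would carry the secret along.
    throw new Error(redactValue(raw, value));
  }
}

// Constructed stand-in for an exec helper whose failure message echoes argv.
const failingExec: Exec = (cmd, args) => {
  throw new Error('Command failed (exit 1): ' + cmd + ' ' + JSON.stringify(args));
};

// Returns the message a caller (and its logs) would see for a failed push.
function failedPushMessage(key: string, value: string): string {
  try {
    pushSecret(failingExec, key, value);
  } catch (e) {
    return (e as Error).message;
  }
  return 'no error';
}
```

Redaction of this kind covers the error path only; the value is still passed on the child process's command line while the command runs.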

Comment thread packages/secrets/railway/src/index.ts
@github-actions


🤖 Auto-rebase: The branch was rebased successfully locally but could not be pushed to the fork. Please enable 'Allow edits from maintainers' in the PR settings, or rebase manually: git fetch upstream master && git rebase upstream/master.

@quappefeeder quappefeeder force-pushed the add-railway-secrets-provider branch from c06ec81 to fd321ca Compare June 14, 2026 05:07
@ralyodio ralyodio merged commit 1d90b85 into profullstack:master Jun 14, 2026
5 checks passed