Remove org owned feature flag (#441)

timothyF95 · web-flow · commit 4635576d5214 · 2026-05-20T10:13:40.000Z
diff --git a/cmd/secrets/common/handler.go b/cmd/secrets/common/handler.go
@@ -277,16 +277,8 @@ func (h *Handler) fetchVaultMasterPublicKeyHex() (string, error) {
 	return rpcResp.Result.PublicKey, nil
 }
 
-// ResolveEffectiveOwner returns the owner string to use for vault secret identifiers.
-// When SecretsOrgOwned is enabled, the org ID (from auth validation) is used;
-// otherwise, the workflow owner address is used and must be a valid hex address.
+// ResolveEffectiveOwner returns the checksummed workflow owner address for owner-key vault operations.
 func (h *Handler) ResolveEffectiveOwner() (string, error) {
-	if h.EnvironmentSet != nil && h.EnvironmentSet.SecretsOrgOwned {
-		if h.Credentials == nil || h.Credentials.OrgID == "" {
-			return "", fmt.Errorf("org ID required when CRE_CLI_SECRETS_ORG_OWNED is enabled; ensure auth validation succeeds")
-		}
-		return h.Credentials.OrgID, nil
-	}
 	if !common.IsHexAddress(h.OwnerAddress) {
 		return "", fmt.Errorf("owner address %q is not a valid hex address", h.OwnerAddress)
 	}
@@ -296,7 +288,7 @@ func (h *Handler) ResolveEffectiveOwner() (string, error) {
 // ResolveVaultIdentifierOwnerForAuth returns the owner string used in vault JSON-RPC payloads
 // (SecretIdentifier.Owner and list request Owner). Browser auth always uses the signed-in
 // organization ID so digests and identifiers align with JWT AuthorizedOwner() on the gateway;
-// owner-key auth uses ResolveEffectiveOwner() (workflow address unless CRE_CLI_SECRETS_ORG_OWNED).
+// onchain auth uses ResolveEffectiveOwner() (linked workflow owner address).
 func (h *Handler) ResolveVaultIdentifierOwnerForAuth(secretsAuth string) (string, error) {
 	if IsBrowserFlow(secretsAuth) {
 		if h.Credentials == nil {
@@ -313,18 +305,9 @@ func (h *Handler) ResolveVaultIdentifierOwnerForAuth(secretsAuth string) (string
 	return h.ResolveEffectiveOwner()
 }
 
-// EncryptSecrets takes the raw secrets and encrypts them, returning pointers.
-// When SecretsOrgOwned is enabled, uses SHA256(orgID) as the TDH2 label and orgID as the owner.
-// Otherwise, uses the workflow owner address left-padded to 32 bytes as the TDH2 label.
+// EncryptSecrets takes the raw secrets and encrypts them for the owner-key (onchain) flow.
+// TDH2 label is the workflow owner address left-padded to 32 bytes; SecretIdentifier.Owner is the same hex address string.
 func (h *Handler) EncryptSecrets(rawSecrets UpsertSecretsInputs) ([]*vault.EncryptedSecret, error) {
-	if h.EnvironmentSet != nil && h.EnvironmentSet.SecretsOrgOwned {
-		owner, err := h.ResolveEffectiveOwner()
-		if err != nil {
-			return nil, err
-		}
-		return h.EncryptSecretsForBrowserOrg(rawSecrets, owner)
-	}
-
 	pubKeyHex, err := h.fetchVaultMasterPublicKeyHex()
 	if err != nil {
 		return nil, err
diff --git a/cmd/secrets/common/handler_test.go b/cmd/secrets/common/handler_test.go
@@ -134,64 +134,38 @@ func TestEncryptSecrets(t *testing.T) {
 }
 
 func TestResolveEffectiveOwner(t *testing.T) {
-	t.Run("returns canonicalized address when SecretsOrgOwned is false", func(t *testing.T) {
+	t.Run("returns canonicalized workflow owner address", func(t *testing.T) {
 		h, _, _ := newMockHandler(t)
 		h.OwnerAddress = "0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266"
-		h.EnvironmentSet.SecretsOrgOwned = false
 
 		owner, err := h.ResolveEffectiveOwner()
 		require.NoError(t, err)
 		require.Equal(t, "0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266", owner)
 	})
 
-	t.Run("errors when SecretsOrgOwned is false and owner address is empty", func(t *testing.T) {
+	t.Run("errors when owner address is empty", func(t *testing.T) {
 		h, _, _ := newMockHandler(t)
 		h.OwnerAddress = ""
-		h.EnvironmentSet.SecretsOrgOwned = false
 
 		_, err := h.ResolveEffectiveOwner()
 		require.Error(t, err)
 		require.Contains(t, err.Error(), "not a valid hex address")
 	})
 
-	t.Run("errors when SecretsOrgOwned is false and owner address is malformed", func(t *testing.T) {
+	t.Run("errors when owner address is malformed", func(t *testing.T) {
 		h, _, _ := newMockHandler(t)
 		h.OwnerAddress = "not-an-address"
-		h.EnvironmentSet.SecretsOrgOwned = false
 
 		_, err := h.ResolveEffectiveOwner()
 		require.Error(t, err)
 		require.Contains(t, err.Error(), "not a valid hex address")
 	})
-
-	t.Run("returns org ID when SecretsOrgOwned is true and org ID is set", func(t *testing.T) {
-		h, _, _ := newMockHandler(t)
-		h.OwnerAddress = "0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266"
-		h.EnvironmentSet.SecretsOrgOwned = true
-		h.Credentials.OrgID = "org-123"
-
-		owner, err := h.ResolveEffectiveOwner()
-		require.NoError(t, err)
-		require.Equal(t, "org-123", owner)
-	})
-
-	t.Run("errors when SecretsOrgOwned is true but org ID is empty", func(t *testing.T) {
-		h, _, _ := newMockHandler(t)
-		h.OwnerAddress = "0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266"
-		h.EnvironmentSet.SecretsOrgOwned = true
-		h.Credentials.OrgID = ""
-
-		_, err := h.ResolveEffectiveOwner()
-		require.Error(t, err)
-		require.Contains(t, err.Error(), "org ID required")
-	})
 }
 
 func TestResolveVaultIdentifierOwnerForAuth(t *testing.T) {
-	t.Run("browser returns org ID when SecretsOrgOwned is false", func(t *testing.T) {
+	t.Run("browser returns org ID", func(t *testing.T) {
 		h, _, _ := newMockHandler(t)
 		h.OwnerAddress = "0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266"
-		h.EnvironmentSet.SecretsOrgOwned = false
 		h.Credentials.AuthType = credentials.AuthTypeBearer
 		h.Credentials.OrgID = "org-browser"
 
@@ -220,18 +194,17 @@ func TestResolveVaultIdentifierOwnerForAuth(t *testing.T) {
 		require.Contains(t, err.Error(), "organization information is missing")
 	})
 
-	t.Run("owner-key delegates to ResolveEffectiveOwner", func(t *testing.T) {
+	t.Run("onchain delegates to ResolveEffectiveOwner", func(t *testing.T) {
 		h, _, _ := newMockHandler(t)
 		h.OwnerAddress = "0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266"
-		h.EnvironmentSet.SecretsOrgOwned = false
 
 		owner, err := h.ResolveVaultIdentifierOwnerForAuth(SecretsAuthOnchain)
 		require.NoError(t, err)
 		require.Equal(t, "0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266", owner)
 	})
 }
 
-func TestEncryptSecrets_OrgOwned(t *testing.T) {
+func TestEncryptSecrets_UsesWorkflowOwnerAddress(t *testing.T) {
 	mockGw := &mockGatewayClient{
 		post: func(body []byte) ([]byte, int, error) {
 			var req jsonrpc2.Request[vaultcommon.GetPublicKeyRequest]
@@ -247,34 +220,17 @@ func TestEncryptSecrets_OrgOwned(t *testing.T) {
 		},
 	}
 
-	raw := UpsertSecretsInputs{
-		{ID: "secret-1", Value: "val1", Namespace: "main"},
-	}
-
-	t.Run("uses orgID as owner when SecretsOrgOwned is true", func(t *testing.T) {
-		h, _, _ := newMockHandler(t)
-		h.Gw = mockGw
-		h.EnvironmentSet.SecretsOrgOwned = true
-		h.Credentials.OrgID = "org-456"
-
-		enc, err := h.EncryptSecrets(raw)
-		require.NoError(t, err)
-		require.Len(t, enc, 1)
-		require.Equal(t, "org-456", enc[0].Id.Owner)
-		require.Equal(t, "secret-1", enc[0].Id.Key)
-	})
-
-	t.Run("uses address as owner when SecretsOrgOwned is false", func(t *testing.T) {
-		h, _, _ := newMockHandler(t)
-		h.Gw = mockGw
-		h.OwnerAddress = "0xabc"
-		h.EnvironmentSet.SecretsOrgOwned = false
+	h, _, _ := newMockHandler(t)
+	h.Gw = mockGw
+	h.OwnerAddress = "0xabc"
 
-		enc, err := h.EncryptSecrets(raw)
-		require.NoError(t, err)
-		require.Len(t, enc, 1)
-		require.Equal(t, "0xabc", enc[0].Id.Owner)
+	enc, err := h.EncryptSecrets(UpsertSecretsInputs{
+		{ID: "secret-1", Value: "val1", Namespace: "main"},
 	})
+	require.NoError(t, err)
+	require.Len(t, enc, 1)
+	require.Equal(t, "0xabc", enc[0].Id.Owner)
+	require.Equal(t, "secret-1", enc[0].Id.Key)
 }
 
 func TestPackAllowlistRequestTxData_Success_With0x(t *testing.T) {
diff --git a/internal/environments/environments.go b/internal/environments/environments.go
@@ -25,7 +25,6 @@ const (
 	EnvVarWorkflowRegistryChainName        = "CRE_CLI_WORKFLOW_REGISTRY_CHAIN_NAME"
 	EnvVarWorkflowRegistryChainExplorerURL = "CRE_CLI_WORKFLOW_REGISTRY_CHAIN_EXPLORER_URL"
 	EnvVarDonFamily                        = "CRE_CLI_DON_FAMILY"
-	EnvVarSecretsOrgOwned                  = "CRE_CLI_SECRETS_ORG_OWNED"
 
 	DefaultEnv     = "PRODUCTION"
 	StagingEnv     = "STAGING"
@@ -48,7 +47,6 @@ type EnvironmentSet struct {
 	WorkflowRegistryChainName        string `yaml:"CRE_CLI_WORKFLOW_REGISTRY_CHAIN_NAME"`
 	WorkflowRegistryChainExplorerURL string `yaml:"CRE_CLI_WORKFLOW_REGISTRY_CHAIN_EXPLORER_URL"`
 	DonFamily                        string `yaml:"CRE_CLI_DON_FAMILY"`
-	SecretsOrgOwned                  bool   `yaml:"CRE_CLI_SECRETS_ORG_OWNED"`
 }
 
 // RequiresVPN returns true if the GraphQL endpoint is on a private network
@@ -101,7 +99,6 @@ func NewEnvironmentSet(ff *fileFormat, envName string) *EnvironmentSet {
 	wrAddress := os.Getenv(EnvVarWorkflowRegistryAddress)
 	wrChainName := os.Getenv(EnvVarWorkflowRegistryChainName)
 	donFamily := os.Getenv(EnvVarDonFamily)
-	secretsOrgOwned := os.Getenv(EnvVarSecretsOrgOwned)
 
 	set.EnvName = envName
 	if authBase != "" {
@@ -131,9 +128,6 @@ func NewEnvironmentSet(ff *fileFormat, envName string) *EnvironmentSet {
 	if donFamily != "" {
 		set.DonFamily = donFamily
 	}
-	if secretsOrgOwned != "" {
-		set.SecretsOrgOwned = strings.EqualFold(secretsOrgOwned, "true")
-	}
 
 	newEnvironmentSetWarningsOnce.Do(func() {
 		switch envName {
@@ -170,9 +164,6 @@ func NewEnvironmentSet(ff *fileFormat, envName string) *EnvironmentSet {
 		if donFamily != "" {
 			ui.Warning(fmt.Sprintf("%s set, using %s", EnvVarDonFamily, donFamily))
 		}
-		if secretsOrgOwned != "" {
-			ui.Warning(fmt.Sprintf("%s set, using %s", EnvVarSecretsOrgOwned, secretsOrgOwned))
-		}
 	})
 
 	return &set
diff --git a/internal/environments/environments.yaml b/internal/environments/environments.yaml
@@ -6,7 +6,6 @@ ENVIRONMENTS:
     CRE_CLI_GRAPHQL_URL: https://graphql-cre-dev.tailf8f749.ts.net/graphql
     CRE_VAULT_DON_GATEWAY_URL: https://cre-gateway-one-zone-a.main.stage.cldev.sh/
     CRE_CLI_DON_FAMILY: "zone-a"
-    CRE_CLI_SECRETS_ORG_OWNED: false
 
     CRE_CLI_WORKFLOW_REGISTRY_ADDRESS: "0x7e69E853D9Ce50C2562a69823c80E01360019Cef"
     CRE_CLI_WORKFLOW_REGISTRY_CHAIN_NAME: "ethereum-testnet-sepolia" # eth-sepolia
@@ -19,7 +18,6 @@ ENVIRONMENTS:
     CRE_CLI_GRAPHQL_URL: https://graphql-cre-stage.tailf8f749.ts.net/graphql
     CRE_VAULT_DON_GATEWAY_URL: https://cre-gateway-one-zone-a.main.stage.cldev.sh/
     CRE_CLI_DON_FAMILY: "zone-a"
-    CRE_CLI_SECRETS_ORG_OWNED: false
 
     CRE_CLI_WORKFLOW_REGISTRY_ADDRESS: "0xaE55eB3EDAc48a1163EE2cbb1205bE1e90Ea1135"
     CRE_CLI_WORKFLOW_REGISTRY_CHAIN_NAME: "ethereum-testnet-sepolia" # eth-sepolia
@@ -32,7 +30,6 @@ ENVIRONMENTS:
     CRE_CLI_GRAPHQL_URL: https://api.cre.chain.link/graphql
     CRE_VAULT_DON_GATEWAY_URL: https://01.gateway.zone-a.cre.chain.link
     CRE_CLI_DON_FAMILY: "zone-a"
-    CRE_CLI_SECRETS_ORG_OWNED: false
 
     CRE_CLI_WORKFLOW_REGISTRY_ADDRESS: "0x4Ac54353FA4Fa961AfcC5ec4B118596d3305E7e5"
     CRE_CLI_WORKFLOW_REGISTRY_CHAIN_NAME: "ethereum-mainnet"
