Add aws feature + SecretsManagerTokenSource backend

Introduces an opt-in AWS Secrets Manager backend for bearer tokens,
behind the `aws` Cargo feature. Default builds (on-prem, local dev)
don't pull in the AWS SDK and don't pay its compile cost.

- New Cargo feature `aws` gates the `aws-config` + `aws-sdk-secretsmanager`
  optional deps. Default features remain empty.
- New `auth::aws::SecretsManagerTokenSource` implements `TokenSource` by
  fetching a JSON `{"actor_id": "token", ...}` payload from a named
  Secrets Manager secret. Credentials resolve via the AWS default chain
  (env, shared config, IMDSv2 instance role, ECS task role) so no
  explicit plumbing is needed under an IAM role.
- New `resolve_token_source()` dispatches based on the
  `OMNIGRAPH_SERVER_BEARER_TOKENS_AWS_SECRET` env var. If the var is set
  but the binary was built without `--features aws`, returns a clear
  rebuild instruction rather than silently falling back.
- `serve()` now uses `resolve_token_source()` and logs which source was
  selected at startup.
- `parse_json_secret_payload()` is factored out as a free function so
  the payload validation (trim whitespace, reject blank actor/token,
  reject non-object) is unit-testable without the AWS SDK.
- New CI job `test_aws_feature` builds + tests with `--features aws`.

Not in this PR (follow-ups):
- Background refresh loop for rotation. `SecretsManagerTokenSource`
  advertises `supports_refresh: true` but the AppState-level refresh
  task isn't wired yet.
- Config-YAML dispatch (today the AWS source is selected via env var
  only; eventually `server.bearer_tokens.source` in `omnigraph.yaml`).

Tests:
- Default-feature build: 33 lib + 41 integration + 64 openapi.
- `--features aws` build: 32 lib (one test is cfg-gated) + 41 + 64.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

crates/omnigraph-server/Cargo.toml

@@ -12,6 +12,12 @@ documentation = "https://docs.rs/omnigraph-server"
 name = "omnigraph-server"
 path = "src/main.rs"
 
+[features]
+default = []
+# Enables the AWS Secrets Manager bearer-token source. Off by default — on-prem
+# and local-dev builds don't pay the AWS SDK compile cost.
+aws = ["dep:aws-config", "dep:aws-sdk-secretsmanager"]
+
 [dependencies]
 omnigraph = { package = "omnigraph-engine", path = "../omnigraph", version = "0.2.2" }
 omnigraph-compiler = { path = "../omnigraph-compiler", version = "0.2.2" }
@@ -31,6 +37,8 @@ futures = { workspace = true }
 sha2 = { workspace = true }
 subtle = { workspace = true }
 async-trait = { workspace = true }
+aws-config = { version = "1", optional = true, default-features = false, features = ["rustls", "rt-tokio", "credentials-process", "sso"] }
+aws-sdk-secretsmanager = { version = "1", optional = true, default-features = false, features = ["rustls", "rt-tokio"] }
 
 [dev-dependencies]
 tempfile = { workspace = true }

crates/omnigraph-server/src/auth.rs

@@ -10,10 +10,15 @@
 //! touching the server wiring.
 
 use async_trait::async_trait;
-use color_eyre::eyre::Result;
+use color_eyre::eyre::{Result, bail};
 
 use crate::server_bearer_tokens_from_env;
 
+/// Environment variable that, when set, selects AWS Secrets Manager as the
+/// token source. Its value is the secret ID or ARN. Only honored when the
+/// binary is compiled with `--features aws`.
+pub const AWS_SECRET_ENV: &str = "OMNIGRAPH_SERVER_BEARER_TOKENS_AWS_SECRET";
+
 /// A source of bearer tokens, returned as `(actor_id, token)` pairs in
 /// plaintext. The caller is expected to hash tokens before storing them.
 #[async_trait]
@@ -59,6 +64,139 @@ impl TokenSource for EnvOrFileTokenSource {
     }
 }
 
+/// Pick the token source based on configuration.
+///
+/// Preference order:
+/// 1. If `OMNIGRAPH_SERVER_BEARER_TOKENS_AWS_SECRET` is set AND the binary was
+///    built with `--features aws`, returns an AWS Secrets Manager source.
+/// 2. If that env var is set but the binary was built without the feature,
+///    errors with a clear rebuild instruction rather than silently falling
+///    back to the env/file source (which would hide the misconfiguration).
+/// 3. Otherwise, returns `EnvOrFileTokenSource`.
+pub async fn resolve_token_source() -> Result<Box<dyn TokenSource>> {
+    if let Ok(secret_id) = std::env::var(AWS_SECRET_ENV) {
+        let secret_id = secret_id.trim().to_string();
+        if !secret_id.is_empty() {
+            #[cfg(feature = "aws")]
+            {
+                let source = aws::SecretsManagerTokenSource::new(secret_id).await?;
+                return Ok(Box::new(source));
+            }
+            #[cfg(not(feature = "aws"))]
+            {
+                bail!(
+                    "{} is set but this binary was not built with --features aws. \
+                     Rebuild: cargo build --release --features aws",
+                    AWS_SECRET_ENV
+                );
+            }
+        }
+    }
+    Ok(Box::new(EnvOrFileTokenSource))
+}
+
+/// Parse a JSON secret payload (from AWS Secrets Manager or any equivalent
+/// source) into actor → token pairs.
+///
+/// Payload shape: `{"actor_id_1": "token_1", "actor_id_2": "token_2", ...}`.
+/// Extracted as a free function so it can be unit-tested without the AWS SDK.
+#[cfg(any(test, feature = "aws"))]
+pub(crate) fn parse_json_secret_payload(payload: &str) -> Result<Vec<(String, String)>> {
+    use std::collections::HashMap;
+
+    let map: HashMap<String, String> = serde_json::from_str(payload).map_err(|err| {
+        color_eyre::eyre::eyre!(
+            "bearer-token secret payload is not a JSON object of actor→token: {}",
+            err
+        )
+    })?;
+
+    let mut pairs: Vec<(String, String)> = Vec::with_capacity(map.len());
+    for (actor, token) in map {
+        let actor = actor.trim().to_string();
+        let token = token.trim().to_string();
+        if actor.is_empty() {
+            bail!("bearer-token secret contains a blank actor id");
+        }
+        if token.is_empty() {
+            bail!("bearer-token secret has a blank token for actor '{}'", actor);
+        }
+        pairs.push((actor, token));
+    }
+    pairs.sort_by(|(a, _), (b, _)| a.cmp(b));
+    Ok(pairs)
+}
+
+#[cfg(feature = "aws")]
+pub mod aws {
+    //! AWS Secrets Manager bearer-token backend.
+    //!
+    //! Fetches a JSON payload from a named secret on startup. Credentials are
+    //! resolved via the AWS default chain — env vars, shared config, IMDSv2
+    //! instance role, or ECS task role — so no explicit credential plumbing
+    //! is needed when running under an IAM role.
+    //!
+    //! Background refresh for rotation is a follow-up.
+    use super::TokenSource;
+    use async_trait::async_trait;
+    use color_eyre::eyre::{Result, WrapErr, eyre};
+
+    /// Loads bearer tokens from a named AWS Secrets Manager secret.
+    pub struct SecretsManagerTokenSource {
+        client: aws_sdk_secretsmanager::Client,
+        secret_id: String,
+    }
+
+    impl SecretsManagerTokenSource {
+        /// Construct a new source. Resolves AWS credentials + region via the
+        /// default chain — no explicit configuration needed on EC2/ECS/EKS.
+        pub async fn new(secret_id: impl Into<String>) -> Result<Self> {
+            let config =
+                aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
+            let client = aws_sdk_secretsmanager::Client::new(&config);
+            Ok(Self {
+                client,
+                secret_id: secret_id.into(),
+            })
+        }
+    }
+
+    #[async_trait]
+    impl TokenSource for SecretsManagerTokenSource {
+        async fn load(&self) -> Result<Vec<(String, String)>> {
+            let output = self
+                .client
+                .get_secret_value()
+                .secret_id(&self.secret_id)
+                .send()
+                .await
+                .wrap_err_with(|| {
+                    format!("fetch AWS Secrets Manager secret '{}'", self.secret_id)
+                })?;
+
+            let payload = output.secret_string().ok_or_else(|| {
+                eyre!(
+                    "secret '{}' has no SecretString — binary secrets are not supported",
+                    self.secret_id
+                )
+            })?;
+
+            super::parse_json_secret_payload(payload)
+        }
+
+        fn supports_refresh(&self) -> bool {
+            true
+        }
+
+        fn name(&self) -> &'static str {
+            "aws-secrets-manager"
+        }
+    }
+}
+
+#[cfg(feature = "aws")]
+pub use aws::SecretsManagerTokenSource;
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -103,4 +241,70 @@ mod tests {
         assert!(!source.supports_refresh());
         assert_eq!(source.name(), "env-or-file");
     }
+
+    #[test]
+    fn parse_json_secret_payload_reads_actor_token_map() {
+        let pairs = parse_json_secret_payload(r#"{"alice": "tok-a", "bob": "tok-b"}"#).unwrap();
+        assert_eq!(
+            pairs,
+            vec![
+                ("alice".to_string(), "tok-a".to_string()),
+                ("bob".to_string(), "tok-b".to_string()),
+            ]
+        );
+    }
+
+    #[test]
+    fn parse_json_secret_payload_trims_whitespace() {
+        let pairs = parse_json_secret_payload(r#"{"  alice  ": "  tok-a  "}"#).unwrap();
+        assert_eq!(pairs, vec![("alice".to_string(), "tok-a".to_string())]);
+    }
+
+    #[test]
+    fn parse_json_secret_payload_rejects_blank_actor() {
+        let err = parse_json_secret_payload(r#"{"   ": "tok"}"#).unwrap_err();
+        assert!(err.to_string().contains("blank actor"));
+    }
+
+    #[test]
+    fn parse_json_secret_payload_rejects_blank_token() {
+        let err = parse_json_secret_payload(r#"{"alice": "  "}"#).unwrap_err();
+        assert!(err.to_string().contains("blank token"));
+    }
+
+    #[test]
+    fn parse_json_secret_payload_rejects_non_object() {
+        let err = parse_json_secret_payload("[1, 2, 3]").unwrap_err();
+        assert!(err.to_string().contains("not a JSON object"));
+    }
+
+    #[tokio::test]
+    #[serial]
+    async fn resolve_token_source_falls_back_to_env_or_file_when_aws_var_unset() {
+        clear_env();
+        unsafe {
+            env::remove_var(AWS_SECRET_ENV);
+        }
+        let source = resolve_token_source().await.unwrap();
+        assert_eq!(source.name(), "env-or-file");
+    }
+
+    #[cfg(not(feature = "aws"))]
+    #[tokio::test]
+    #[serial]
+    async fn resolve_token_source_errors_when_aws_var_set_without_feature() {
+        clear_env();
+        unsafe {
+            env::set_var(AWS_SECRET_ENV, "some-secret-id");
+        }
+        let result = resolve_token_source().await;
+        unsafe {
+            env::remove_var(AWS_SECRET_ENV);
+        }
+        let err = match result {
+            Ok(_) => panic!("expected resolve_token_source to error without aws feature"),
+            Err(err) => err,
+        };
+        assert!(err.to_string().contains("--features aws"));
+    }
 }

crates/omnigraph-server/src/lib.rs

@@ -38,7 +38,7 @@ use omnigraph::error::{ManifestErrorKind, OmniError};
 use omnigraph_compiler::json_params_to_param_map;
 use omnigraph_compiler::query::parser::parse_query;
 use omnigraph_compiler::{JsonParamMode, ParamMap};
-pub use auth::{EnvOrFileTokenSource, TokenSource};
+pub use auth::{AWS_SECRET_ENV, EnvOrFileTokenSource, TokenSource, resolve_token_source};
 pub use policy::{
     PolicyAction, PolicyCompiler, PolicyConfig, PolicyDecision, PolicyEngine, PolicyExpectation,
     PolicyRequest, PolicyTestConfig,
@@ -464,7 +464,8 @@ pub fn build_app(state: AppState) -> Router {
 }
 
 pub async fn serve(config: ServerConfig) -> Result<()> {
-    let token_source = EnvOrFileTokenSource;
+    let token_source = resolve_token_source().await?;
+    info!(source = token_source.name(), "loaded bearer token source");
     let state = AppState::open_with_bearer_tokens_and_policy(
         config.uri.clone(),
         token_source.load().await?,