feat: add LEA_DUCKDB_SECRETS, replace LEA_DUCKLAKE_SECRET #190

Merged: MaxHalford merged 2 commits into main from feat/duckdb-secrets on May 4, 2026

@MaxHalford MaxHalford commented May 4, 2026

Summary

  • Adds LEA_DUCKDB_SECRETS (semicolon-separated CREATE SECRET bodies) that works across all DuckDB-based warehouses (DuckDB, MotherDuck, DuckLake)
  • Replaces the DuckLake-specific LEA_DUCKLAKE_SECRET and LEA_QUACK_DUCKLAKE_SECRET with LEA_DUCKDB_SECRETS and LEA_QUACK_DUCKDB_SECRETS
  • Moves extension/secret loading before warehouse-specific setup so DuckLake ATTACH can use the credentials
  • Bumps version to 0.19.0

Closes #188

Test plan

  • Verify LEA_DUCKDB_SECRETS works with LEA_WAREHOUSE=duckdb (e.g. gsheets extension)
  • Verify LEA_DUCKDB_SECRETS works with DuckLake for cloud storage (R2/S3/GCS)
  • Verify multiple semicolon-separated secrets are created
  • Verify LEA_QUACK_DUCKDB_SECRETS works in quack mode

🤖 Generated with Claude Code


Summary by cubic

Adds LEA_DUCKDB_SECRETS (and LEA_QUACK_DUCKDB_SECRETS) to create DuckDB secrets across DuckDB, MotherDuck, and DuckLake using semicolon-separated CREATE SECRET bodies. Extensions and secrets now load before warehouse setup so DuckLake ATTACH can use the credentials; docs and examples updated; enables auth for extensions like gsheets.

  • Migration
    • Replace LEA_DUCKLAKE_SECRET with LEA_DUCKDB_SECRETS and LEA_QUACK_DUCKLAKE_SECRET with LEA_QUACK_DUCKDB_SECRETS.
    • Breaking change in v0.19.0.

Written for commit 94a0761. Summary will update on new commits.

Introduce LEA_DUCKDB_SECRETS (and LEA_QUACK_DUCKDB_SECRETS for quack
mode) to support DuckDB CREATE SECRET statements across all DuckDB-based
warehouses, not just DuckLake. Multiple secrets can be semicolon-separated.

This replaces the DuckLake-specific LEA_DUCKLAKE_SECRET and
LEA_QUACK_DUCKLAKE_SECRET variables with a general-purpose mechanism
that works for DuckDB, MotherDuck, and DuckLake alike — enabling
extensions like gsheets that require authentication.

Extensions and secrets are now loaded before the warehouse-specific
setup so that e.g. DuckLake ATTACH can use the credentials.

Closes #188

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 8 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="README.md">

<violation number="1" location="README.md:130">
P2: Quote the `LEA_DUCKDB_SECRETS` value in the shell example; without quotes, the assignment is parsed incorrectly and users will copy a broken config.</violation>
</file>
Architecture diagram
sequenceDiagram
    participant User as CLI / Env
    participant Cond as Conductor / CLI logic
    participant DB as DuckDB Client (Conn)
    participant Cloud as Cloud Provider (S3/R2/GCS)

    Note over User,DB: Session Preparation Flow

    User->>Cond: Run command (e.g., run, quack-ui)
    Cond->>User: Get LEA_DUCKDB_EXTENSIONS
    
    loop For each Extension
        Cond->>DB: INSTALL/LOAD extension
    end

    Note right of Cond: CHANGED: Secrets now loaded before warehouse ATTACH

    User->>Cond: NEW: Get LEA_DUCKDB_SECRETS (or LEA_QUACK_DUCKDB_SECRETS)
    
    loop NEW: For each semicolon-separated secret
        Cond->>Cond: Strip whitespace and wrap in CREATE SECRET ()
        Cond->>DB: execute("CREATE SECRET (...)")
        DB-->>Cloud: Validate credentials (if applicable)
    end

    alt Warehouse is DuckLake
        Cond->>DB: CHANGED: ATTACH 'ducklake:...'
        Note right of DB: This now successfully uses the<br/>secrets created in the previous step
    else Warehouse is DuckDB
        Cond->>DB: Use local database path
    else Warehouse is MotherDuck
        Cond->>DB: Set active database
    end

    Cond->>DB: Create schemas and prepare tables
    DB-->>Cond: Session Ready
    Cond-->>User: Execution started

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.
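
Added example (not code from this PR or from lea): a Python sketch of the secret-loading step in the diagram above, turning a semicolon-separated value into `CREATE SECRET (...)` statements. The function names, the quote-aware splitting (so a `;` inside a quoted credential does not cut a secret in two) and the log redaction helper are assumptions of this example; the credential values are constructed.

```python
import re

# Constructed sample value, as it would arrive from LEA_DUCKDB_SECRETS.
SAMPLE = (" TYPE s3, KEY_ID 'AKIAEXAMPLE', SECRET 'abc;def', REGION 'eu-west-1' ;"
          " TYPE r2, KEY_ID 'k2', SECRET 'it''s' ; ")


def split_secret_bodies(raw: str) -> list[str]:
    """Split on ';' outside single-quoted SQL strings ('' is an escaped quote)."""
    bodies, buf, in_quote, i = [], [], False, 0
    while i < len(raw):
        ch = raw[i]
        if ch == "'":
            if in_quote and raw[i + 1 : i + 2] == "'":
                buf.append("''")  # escaped quote stays inside the string
                i += 2
                continue
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            bodies.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if in_quote:
        # Fail closed instead of sending a half-parsed credential to the database.
        raise ValueError("unterminated quoted value in secrets string")
    bodies.append("".join(buf))
    # Strip whitespace and drop empty segments (e.g. a trailing ';').
    return [b.strip() for b in bodies if b.strip()]


def build_statements(raw: str) -> list[str]:
    """Wrap each body in CREATE SECRET (...), ready for conn.execute()."""
    return [f"CREATE SECRET ({body})" for body in split_secret_bodies(raw)]


# Parameters whose name contains SECRET, KEY, TOKEN or PASSWORD and that are
# followed by a quoted value; "CREATE SECRET (" itself is not matched.
_SENSITIVE = re.compile(
    r"(?i)\b(\w*(?:SECRET|KEY|TOKEN|PASSWORD)\w*)\s+'(?:[^']|'')*'"
)


def redact(statement: str) -> str:
    """Mask credential values so a statement can be logged or shown in errors."""
    return _SENSITIVE.sub(lambda m: f"{m.group(1)} '***'", statement)
```

Only the output of `redact()` belongs in logs or exception messages; the unredacted statement goes to the connection and nowhere else.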

Comment thread README.md Outdated
@MaxHalford MaxHalford merged commit 28c14dc into main May 4, 2026
2 checks passed
@MaxHalford MaxHalford deleted the feat/duckdb-secrets branch May 4, 2026 20:09
Development

Successfully merging this pull request may close these issues.

Enable "Create secret" Statement for LEA_WAREHOUSE=duckdb
