Add update credentials API endpoint

[sjmiller609]

Summary

Adds PATCH /instances/{id}/credentials endpoint for updating/rotating credential brokering policies after instance creation.

Since real secrets live host-side and the egress proxy rewrites headers at request time, credential updates require no VM changes.

Merge semantics — only credentials included in the request are updated:

• Credentials matched by name are overridden with new values
• New credentials (not matching any existing name) are added
• Existing credentials not in the request are left untouched

If the instance is running with an active egress proxy, the proxy policy is updated atomically. For stopped/standby instances, the config is persisted and takes effect on next start/restore.

Changes

• openapi.yaml — UpdateCredentialsRequest schema + PATCH /instances/{id}/credentials endpoint
• lib/egressproxy/service.go — UpdateInstancePolicy() for atomic policy replacement
• lib/egressproxy/types.go — ErrInstanceNotRegistered sentinel error
• lib/instances/update_credentials.go — merge logic: validate, normalize, merge with existing, update proxy, persist
• lib/instances/manager.go — UpdateCredentials on Manager interface
• lib/instances/types.go — UpdateCredentialsRequest domain type
• cmd/api/api/instances.go — HTTP handler
• lib/egressproxy/README.md — credential rotation docs
• lib/oapi/oapi.go — regenerated

Tests

• 6 unit tests for UpdateInstancePolicy (replace, clear, unregistered error, idempotent, isolation, register-then-update)
• 7 unit tests for updateCredentials (egress required, env binding validation, merge with existing, override by name, preserve unspecified, normalization, not-found)

🤖 Generated with Claude Code

[github-actions]

✱ Stainless preview builds

This PR will update the hypeman SDKs with the following commit message.

feat: Add update credentials API endpoint

Edit this comment to update it. It will appear in the SDK's changelogs.

✅ hypeman-typescript studio · code · diff

Your SDK build had at least one "note" diagnostic, but this did not represent a regression.
generate ✅ → build ✅ → lint ✅ → test ✅

npm install https://pkg.stainless.com/s/hypeman-typescript/41e1013f520ee8b9391d5d65d99b2d9caa7ec3cb/dist.tar.gz

New diagnostics (1 note)

💡 Endpoint/NotConfigured: Skipped endpoint because it's not in your Stainless config: `patch /instances/{id}/credentials`

✅ hypeman-openapi studio · code · diff

Your SDK build had at least one "note" diagnostic, but this did not represent a regression.
generate ✅

New diagnostics (1 note)

💡 Endpoint/NotConfigured: Skipped endpoint because it's not in your Stainless config: `patch /instances/{id}/credentials`

✅ hypeman-go studio · code · diff

Your SDK build had at least one "note" diagnostic, but this did not represent a regression.
generate ✅ → build ✅ → lint ✅ → test ✅

go get github.com/stainless-sdks/hypeman-go@bf4306f15b29080f9ffaaa6a29813ea50fe581d8

New diagnostics (1 note)

💡 Endpoint/NotConfigured: Skipped endpoint because it's not in your Stainless config: `patch /instances/{id}/credentials`

---

This comment is auto-generated by GitHub Actions and is automatically kept up to date as you push.
If you push custom code to the preview branch, re-run this workflow to update the comment.
Last updated: 2026-03-19 20:03:36 UTC