Secrets Manager: QA spec for non-CI API secret access (endpoint to OpenBao read)
## Problem Non-CI/CD secret access (#594090) is covered in-process by request specs tagged `:gitlab_secrets_manager` (which boot a real OpenBao server). That validates the mint-then-read path inside Rails, but not the real deployed network path an external client actually uses: a real token hitting the API, then the real external OpenBao URL. ## Proposal Add a QA spec for the non-CI API read path: 1. Provision Secrets Manager on a project (and/or group). 2. Create a secret. 3. Call the new access-token endpoint via the API to get a JWT plus OpenBao connection details. 4. Use the JWT to log into the real external OpenBao and read the secret. 5. Assert the value matches. This mirrors `qa/qa/specs/features/ee/browser_ui/.../project_secret_ci_access_success_spec.rb` (the pipeline read path) but for the API path. It reuses the existing SM QA scenario and helpers (`qa/qa/ee/support/helpers/secrets_management/secrets_manager_helper.rb`, `qa/qa/scenario/test/integration/secrets_manager.rb`). ## Scope - In scope: the QA spec for the endpoint to OpenBao read flow. No ESO, no Kubernetes cluster. - Out of scope: a full ESO-in-a-cluster automated test. The QA framework has no ESO harness today, and the ESO flow is validated manually with design partners during 19.2 beta. ## Related - #594090 (endpoint, this issue's parent)
issue