Module secrets

Token broker extension point for multi-tenant ATD servers.

TokenBroker is the trait an operator implements to map a caller identity (CallContext::caller_id, populated from the SP-12 Hello handshake) to a SecretBundle that gets attached to the crate::CallContext before Tool::call runs. Tools that need secrets read them via crate::CallContext::secrets; tools that don’t, ignore the field — full back-compat with single-tenant deployments.

Secrets are wrapped in RedactedString, whose Debug/Display impls refuse to print the value. Audit logs include only a secrets_resolved: bool flag (no key names, no values).
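A minimal sketch of the redaction pattern described above, added here as an illustration and not taken from the crate's source. Only the names RedactedString, expose, SecretBundle and secrets_resolved come from this page; the struct body, the "[REDACTED]" placeholder, the HashMap-backed bundle, the audit_line helper and the sample values are assumptions.

```rust
use std::collections::HashMap;
use std::fmt;

/// Stand-in for the module's RedactedString (assumed shape, not the crate's code).
pub struct RedactedString(String);

impl RedactedString {
    pub fn new(v: impl Into<String>) -> Self { Self(v.into()) }
    /// The only way to read the value; callers should not log the result.
    pub fn expose(&self) -> &str { &self.0 }
}

// The placeholder text is an assumption; the page only says the value is never printed.
impl fmt::Debug for RedactedString {
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { f.write_str("[REDACTED]") }
}
impl fmt::Display for RedactedString {
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { f.write_str("[REDACTED]") }
}

/// Assumed alias shape: operator-defined key -> redacted value.
pub type SecretBundle = HashMap<String, RedactedString>;

/// Hypothetical audit formatter: it takes the bundle but emits only a boolean,
/// so neither key names nor values can reach the log.
pub fn audit_line(caller_id: &str, tool: &str, secrets: Option<&SecretBundle>) -> String {
    format!("caller_id={} tool={} secrets_resolved={}", caller_id, tool, secrets.is_some())
}

/// Constructed sample bundle for one tenant.
pub fn sample_bundle() -> SecretBundle {
    let mut b = SecretBundle::new();
    b.insert("api_key".to_string(), RedactedString::new("sk-constructed-123"));
    b
}

fn main() {
    let bundle = sample_bundle();
    // An accidental {:?} of the whole bundle shows the key name but never the value,
    // which is why the audit line is reduced to a flag rather than a Debug dump.
    println!("{:?}", bundle);
    println!("{}", audit_line("tenant-a", "fetch_steps", Some(&bundle)));
    println!("{}", audit_line("tenant-b", "fetch_steps", None));
    // Deliberate access for the outbound call goes through expose().
    assert_eq!(bundle["api_key"].expose(), "sk-constructed-123");
}
```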

See docs/superpowers/specs/2026-04-27-sp-token-broker-phase1-design.md for the design rationale; Phase 2 (adopter wiring in healthkit_cli) and Phase 3 (live two-tenant demo) are separate SPs.

Structs

BearerIdentity
Outcome of a successful bearer resolution. Returned by TokenBroker::resolve_bearer; the HTTP listener consumes this to build a CallContext per request (SP-streamable-http §4.3).
InMemoryTokenBroker
Reference broker for unit tests + small deployments. Production adopters should implement their own TokenBroker against a real secret manager (Vault, AWS Secrets Manager, Doppler, …).
RedactedString
String wrapper that refuses to render its value in Debug or Display. The value is only accessible via Self::expose — by convention, callers should not log the result of expose().

Enums

BrokerError
Errors that can be returned by a TokenBroker::resolve or TokenBroker::resolve_bearer call.

Traits

TokenBroker
Server-side extension point that resolves secrets for a caller.

Type Aliases

ResolveBearerFuture
Owned-future return type for TokenBroker::resolve_bearer. SP-streamable-http §4.4 + SP-token-broker-phase2 §5.
ResolveFuture
Owned-future return type for TokenBroker::resolve. Modeled on registry::CallFuture to avoid pulling in async_trait.
SecretBundle
Bag of named secrets resolved for one caller. Keys are operator-defined (e.g., "oauth_token", "refresh_token", "api_key").