awaken-contract 0.4.0

Core types, traits, and state model for the Awaken AI agent runtime
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197

//! Secret value newtype that redacts itself in `Debug`/`Display` while still
//! round-tripping through `serde`.
//!
//! Use [`RedactedString`] for any field that holds a credential. The inner
//! buffer is held inside [`secrecy::SecretBox`], so it is zeroized when the
//! value is dropped. The plaintext is reachable only via
//! [`RedactedString::expose_secret`] — this single accessor is the grep-able
//! "trust boundary" for the codebase.
//!
//! Wire format is a plain JSON string. JSON Schema reports `string`. Storage
//! backends that persist this value see the secret in cleartext, so storage
//! choices remain a separate concern.

use std::borrow::Cow;
use std::fmt;

use schemars::{JsonSchema, Schema, SchemaGenerator};
use secrecy::{ExposeSecret, SecretBox};
use serde::{Deserialize, Deserializer, Serialize, Serializer};

/// String wrapper whose `Debug`/`Display` implementations never reveal the
/// underlying value, and whose buffer is zeroized on drop.
pub struct RedactedString(SecretBox<String>);

impl RedactedString {
    /// Construct from any `Into<String>`.
    pub fn new(value: impl Into<String>) -> Self {
        Self(SecretBox::new(Box::new(value.into())))
    }

    /// Reach through the redaction to obtain the plaintext value.
    ///
    /// Calls to this function are the trust boundary: every caller is
    /// responsible for not propagating the returned `&str` into any path that
    /// might log it.
    pub fn expose_secret(&self) -> &str {
        self.0.expose_secret().as_str()
    }

    /// Returns `true` if the inner string is empty.
    pub fn is_empty(&self) -> bool {
        self.expose_secret().is_empty()
    }

    /// Redacted preview suitable for operator-facing logs: first four and
    /// last four characters with the middle masked, e.g. `"sk-a***wxyz"`.
    ///
    /// Values shorter than twelve characters render as `"***"` so that the
    /// preview never reveals more than half of any single secret.
    /// Char-aware so multi-byte UTF-8 cannot be split in the middle of a code
    /// point. Not a cryptographic identifier — do not use for authentication
    /// or de-duplication.
    pub fn preview(&self) -> String {
        let chars: Vec<char> = self.expose_secret().chars().collect();
        if chars.len() < 12 {
            return "***".into();
        }
        let head: String = chars.iter().take(4).collect();
        let tail: String = chars.iter().skip(chars.len() - 4).collect();
        format!("{head}***{tail}")
    }
}

impl Clone for RedactedString {
    fn clone(&self) -> Self {
        Self::new(self.expose_secret().to_owned())
    }
}

impl PartialEq for RedactedString {
    fn eq(&self, other: &Self) -> bool {
        self.expose_secret() == other.expose_secret()
    }
}

impl Eq for RedactedString {}

impl fmt::Debug for RedactedString {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("RedactedString(***)")
    }
}

impl fmt::Display for RedactedString {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("***")
    }
}

impl From<String> for RedactedString {
    fn from(value: String) -> Self {
        Self::new(value)
    }
}

impl From<&str> for RedactedString {
    fn from(value: &str) -> Self {
        Self::new(value)
    }
}

impl Serialize for RedactedString {
    fn serialize<S: Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
        serializer.serialize_str(self.expose_secret())
    }
}

impl<'de> Deserialize<'de> for RedactedString {
    fn deserialize<D: Deserializer<'de>>(deserializer: D) -> Result<Self, D::Error> {
        let value = String::deserialize(deserializer)?;
        Ok(Self::new(value))
    }
}

impl JsonSchema for RedactedString {
    fn schema_name() -> Cow<'static, str> {
        Cow::Borrowed("String")
    }

    fn json_schema(generator: &mut SchemaGenerator) -> Schema {
        String::json_schema(generator)
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn debug_redacts() {
        let s = RedactedString::new("sk-secret");
        assert_eq!(format!("{s:?}"), "RedactedString(***)");
    }

    #[test]
    fn display_redacts() {
        let s = RedactedString::new("sk-secret");
        assert_eq!(format!("{s}"), "***");
    }

    #[test]
    fn debug_in_option_redacts() {
        let s = Some(RedactedString::new("sk-secret"));
        let formatted = format!("{s:?}");
        assert!(!formatted.contains("sk-secret"), "leaked: {formatted}");
    }

    #[test]
    fn clone_preserves_value() {
        let original = RedactedString::new("sk-secret");
        let copied = original.clone();
        assert_eq!(copied.expose_secret(), "sk-secret");
        assert_eq!(original.expose_secret(), "sk-secret");
    }

    #[test]
    fn serde_roundtrip_preserves_value() {
        let s = RedactedString::new("sk-secret");
        let encoded = serde_json::to_string(&s).unwrap();
        assert_eq!(encoded, "\"sk-secret\"");
        let decoded: RedactedString = serde_json::from_str(&encoded).unwrap();
        assert_eq!(decoded.expose_secret(), "sk-secret");
    }

    #[test]
    fn json_schema_is_plain_string() {
        let schema = schemars::schema_for!(RedactedString);
        let value = serde_json::to_value(&schema).unwrap();
        assert_eq!(value.get("type").and_then(|v| v.as_str()), Some("string"));
    }

    #[test]
    fn preview_keeps_first_and_last_four_chars() {
        let s = RedactedString::new("sk-abcd1234567890wxyz");
        assert_eq!(s.preview(), "sk-a***wxyz");
    }

    #[test]
    fn preview_masks_short_values_completely() {
        for short in ["", "abc", "sk-12345", "12345678901"] {
            let s = RedactedString::new(short);
            assert_eq!(
                s.preview(),
                "***",
                "values shorter than 12 chars must render as `***`, got input {short:?}"
            );
        }
    }

    #[test]
    fn preview_does_not_panic_on_multibyte_utf8() {
        let s = RedactedString::new("αβγδ-中文-emoji-🔑🔑🔑🔑");
        let preview = s.preview();
        assert!(preview.contains("***"));
        assert!(!preview.contains("中文"));
    }
}