axonml-server 0.6.2

REST API server for AxonML Machine Learning Framework
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235

//! Secrets Management — Multi-Backend Secret Retrieval with Priority Fallback
//!
//! Defines the `SecretsBackend` trait for pluggable secret storage, `SecretKey`
//! constants for well-known keys (JWT_SECRET, DB_USERNAME, DB_PASSWORD,
//! RESEND_API_KEY), and the `SecretsManager` which tries multiple backends in
//! priority order until a value is found. Includes `SecretsError` variants for
//! not-found, Vault errors, config errors, and auth failures. Sub-modules `env`
//! and `vault` provide the environment-variable and HashiCorp Vault backends.
//!
//! # File
//! `crates/axonml-server/src/secrets/mod.rs`
//!
//! # Author
//! Andrew Jewell Sr. — AutomataNexus LLC
//! ORCID: 0009-0005-2158-7060
//!
//! # Updated
//! April 16, 2026 11:15 PM EST
//!
//! # Disclaimer
//! Use at own risk. This software is provided "as is", without warranty of any
//! kind, express or implied. The author and AutomataNexus shall not be held
//! liable for any damages arising from the use of this software.

// =============================================================================
// Sub-modules
// =============================================================================

pub mod env;
pub mod vault;

use std::sync::Arc;
use thiserror::Error;

// =============================================================================
// Error Types
// =============================================================================

#[derive(Error, Debug)]
pub enum SecretsError {
    #[error("Secret not found: {0}")]
    NotFound(String),

    #[error("Vault error: {0}")]
    Vault(String),

    #[error("Configuration error: {0}")]
    Config(String),

    #[error("Authentication failed: {0}")]
    AuthFailed(String),
}

// =============================================================================
// Secret Keys
// =============================================================================

/// Well-known secret key constants
pub struct SecretKey;

impl SecretKey {
    /// JWT signing secret (min 32 characters)
    pub const JWT_SECRET: &'static str = "jwt_secret";

    /// Database username for Aegis-DB
    pub const DB_USERNAME: &'static str = "db_username";

    /// Database password for Aegis-DB
    pub const DB_PASSWORD: &'static str = "db_password";

    /// Resend email API key
    pub const RESEND_API_KEY: &'static str = "resend_api_key";
}

// =============================================================================
// Secrets Backend Trait
// =============================================================================

/// Trait for secrets storage backends
#[async_trait::async_trait]
pub trait SecretsBackend: Send + Sync {
    /// Get a secret by key, returning None if not found in this backend
    async fn get_secret(&self, key: &str) -> Result<Option<String>, SecretsError>;

    /// Get the name of this backend for logging
    fn name(&self) -> &'static str;
}

// =============================================================================
// Secrets Manager
// =============================================================================

/// Manager for retrieving secrets from multiple backends
///
/// Backends are tried in order until one returns a value.
pub struct SecretsManager {
    backends: Vec<Arc<dyn SecretsBackend>>,
}

impl SecretsManager {
    /// Create a new empty secrets manager
    pub fn new() -> Self {
        Self {
            backends: Vec::new(),
        }
    }

    /// Add a backend to the manager (backends are tried in order added)
    pub fn with_backend(mut self, backend: Arc<dyn SecretsBackend>) -> Self {
        self.backends.push(backend);
        self
    }

    /// Get a secret, trying backends in order until one returns a value
    ///
    /// Returns an error if no backend has the secret.
    pub async fn get_secret(&self, key: &str) -> Result<String, SecretsError> {
        for backend in &self.backends {
            match backend.get_secret(key).await {
                Ok(Some(value)) => {
                    tracing::debug!(secret_key = key, backend = backend.name(), "Secret loaded");
                    return Ok(value);
                }
                Ok(None) => continue,
                Err(e) => {
                    tracing::warn!(
                        secret_key = key,
                        backend = backend.name(),
                        error = %e,
                        "Backend failed to retrieve secret"
                    );
                    continue;
                }
            }
        }
        Err(SecretsError::NotFound(key.to_string()))
    }

    /// Get a secret, returning None if not found in any backend
    ///
    /// Only returns an error for actual failures, not missing secrets.
    pub async fn get_secret_optional(&self, key: &str) -> Result<Option<String>, SecretsError> {
        match self.get_secret(key).await {
            Ok(v) => Ok(Some(v)),
            Err(SecretsError::NotFound(_)) => Ok(None),
            Err(e) => Err(e),
        }
    }

    /// Check if any backends are configured
    #[allow(dead_code)]
    pub fn has_backends(&self) -> bool {
        !self.backends.is_empty()
    }

    /// Get the names of configured backends
    pub fn backend_names(&self) -> Vec<&'static str> {
        self.backends.iter().map(|b| b.name()).collect()
    }
}

impl Default for SecretsManager {
    fn default() -> Self {
        Self::new()
    }
}

// =============================================================================
// Tests
// =============================================================================

#[cfg(test)]
mod tests {
    use super::*;

    struct MockBackend {
        secrets: std::collections::HashMap<String, String>,
    }

    impl MockBackend {
        fn new(secrets: Vec<(&str, &str)>) -> Self {
            Self {
                secrets: secrets
                    .into_iter()
                    .map(|(k, v)| (k.to_string(), v.to_string()))
                    .collect(),
            }
        }
    }

    #[async_trait::async_trait]
    impl SecretsBackend for MockBackend {
        async fn get_secret(&self, key: &str) -> Result<Option<String>, SecretsError> {
            Ok(self.secrets.get(key).cloned())
        }

        fn name(&self) -> &'static str {
            "mock"
        }
    }

    #[tokio::test]
    async fn test_secrets_manager_priority() {
        let backend1 = Arc::new(MockBackend::new(vec![("key1", "value1")]));
        let backend2 = Arc::new(MockBackend::new(vec![
            ("key1", "value2"),
            ("key2", "value2"),
        ]));

        let manager = SecretsManager::new()
            .with_backend(backend1)
            .with_backend(backend2);

        // First backend has priority
        assert_eq!(manager.get_secret("key1").await.unwrap(), "value1");

        // Falls back to second backend
        assert_eq!(manager.get_secret("key2").await.unwrap(), "value2");

        // Not found in any backend
        assert!(manager.get_secret("key3").await.is_err());
    }

    #[tokio::test]
    async fn test_get_secret_optional() {
        let backend = Arc::new(MockBackend::new(vec![("exists", "value")]));
        let manager = SecretsManager::new().with_backend(backend);

        assert_eq!(
            manager.get_secret_optional("exists").await.unwrap(),
            Some("value".to_string())
        );
        assert_eq!(manager.get_secret_optional("missing").await.unwrap(), None);
    }
}