cellos-broker-env 0.5.0

Environment-variable SecretBroker for CellOS — resolves spec secretRefs from process env. Dev/CI default.

cellos-broker-env

SecretBroker that reads secrets from the process environment as CELLOS_SECRET_<UPPER_KEY>. The dev / CI default.

What it is

Implements cellos_core::ports::SecretBroker. For every secretRef in a cell spec, the broker uppercases the key, replaces - with _, prefixes CELLOS_SECRET_, and reads that env var. The result is wrapped in a SecretView (ZeroizeOnDrop) and handed to the supervisor.

Selected in cellos-supervisor::composition::build_secret_broker when CELLOS_BROKER=env. Intended for CI runners and shell-level composition where the host has already injected secrets as environment variables.

What it does NOT do:

  • It does not cache, refresh, or rotate values — every resolve re-reads the env var.
  • It does not implement revoke_for_cell: env vars set in a parent process cannot be unset from a child. Isolation relies on cell-model teardown (cleared subprocess env, short TTLs), not on runtime revocation.
  • It does not surface a broker correlation ID — there is no upstream session to thread. broker_correlation_id returns None, and the supervisor falls back to spec.correlation.correlationId.

Public API surface

Symbol                              Purpose
EnvSecretBroker                     The broker. new() / default().
EnvSecretBroker::env_var_name(key)  Pure helper: "github-token" → "CELLOS_SECRET_GITHUB_TOKEN".

Source: src/lib.rs.

Configuration

Per secret key referenced by the cell spec:

CELLOS_SECRET_<UPPER_KEY>=<value>

Selection:

CELLOS_BROKER=env

Empty / unset CELLOS_BROKER selects the in-memory broker (test only); an unknown value records a StartupConfigWarning and falls back to the in-memory broker (or fails under CELLOS_STRICT_CONFIG=1).

Keys are rejected before the environment is read if they are empty, contain a NUL byte, or contain =; these would otherwise propagate into the env-var name and cause std::env::var to panic.
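
As an added example (not the crate's own source), the following preflight re-implements the mapping and key checks described above and flags secretRef keys that are invalid, that collapse to the same variable name (for example github-token and GITHUB_TOKEN), or whose variable is absent from an environment snapshot. Finding, preflight and the choice of ASCII uppercasing are assumptions of this example; the sample input is constructed.

```rust
use std::collections::HashMap;

// Mapping as described above, re-implemented here (assumes ASCII uppercasing).
fn env_var_name(key: &str) -> Result<String, String> {
    if key.is_empty() || key.contains('\0') || key.contains('=') {
        return Err(format!("invalid secretRef key {:?}", key));
    }
    Ok(format!("CELLOS_SECRET_{}", key.to_ascii_uppercase().replace('-', "_")))
}

#[derive(Debug, PartialEq)]
enum Finding {
    InvalidKey(String),
    Collision { var: String, keys: Vec<String> },
    Missing { key: String, var: String },
}

// Hypothetical preflight over an env snapshot; reports names only, never values.
fn preflight(keys: &[&str], env: &HashMap<String, String>) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut by_var: Vec<(String, Vec<String>)> = Vec::new(); // keeps input order
    for &key in keys {
        match env_var_name(key) {
            Err(_) => findings.push(Finding::InvalidKey(key.to_string())),
            Ok(var) => match by_var.iter_mut().find(|(v, _)| *v == var) {
                // Same variable already claimed: record the key unless it is a repeat.
                Some((_, ks)) => if !ks.iter().any(|k| k == key) { ks.push(key.to_string()) },
                None => by_var.push((var, vec![key.to_string()])),
            },
        }
    }
    for (var, ks) in by_var {
        if ks.len() > 1 {
            findings.push(Finding::Collision { var: var.clone(), keys: ks.clone() });
        }
        if !env.contains_key(&var) {
            for key in ks { findings.push(Finding::Missing { key, var: var.clone() }); }
        }
    }
    findings
}

fn main() {
    // Constructed sample environment; the value is a placeholder.
    let env: HashMap<String, String> =
        [("CELLOS_SECRET_GITHUB_TOKEN".to_string(), "placeholder".to_string())].into();
    for f in preflight(&["github-token", "GITHUB_TOKEN", "DB_PASSWORD", "bad=key"], &env) {
        println!("{:?}", f);
    }
}
```

In CI, the snapshot can be built with std::env::vars().collect() before the supervisor starts.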

Examples

# Cell spec
authority:
  secretRefs:
    - GITHUB_TOKEN
    - DB_PASSWORD

export CELLOS_BROKER=env
export CELLOS_SECRET_GITHUB_TOKEN=ghp_...
export CELLOS_SECRET_DB_PASSWORD=hunter2
cellos-supervisor --spec cell.yaml

Testing

cargo test -p cellos-broker-env

Related crates

  • cellos-broker-file — filesystem-mounted secrets (k8s, Docker, systemd).
  • cellos-broker-oidc — GitHub Actions OIDC token exchange.
  • cellos-broker-vault — HashiCorp Vault AppRole.
  • cellos-supervisor — selects this broker via CELLOS_BROKER.
  • cellos-core — defines the SecretBroker port and SecretView.

ADRs

  • ADR-0007 — RBAC and secretRef admission contract.