cellos-broker-env 0.5.1

Environment-variable SecretBroker for CellOS — resolves spec secretRefs from process env. Dev/CI default.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92

# cellos-broker-env

`SecretBroker` that reads secrets from the process environment as
`CELLOS_SECRET_<UPPER_KEY>`. The dev / CI default.

## What it is

Implements `cellos_core::ports::SecretBroker`. For every `secretRef` in a
cell spec, the broker uppercases the key, replaces `-` with `_`, prefixes
`CELLOS_SECRET_`, and reads that env var. The result is wrapped in a
`SecretView` (`ZeroizeOnDrop`) and handed to the supervisor.

Selected in `cellos-supervisor::composition::build_secret_broker` when
`CELLOS_BROKER=env`. Intended for CI runners and shell-level composition
where the host has already injected secrets as environment variables.

What it does NOT do:

- It does not cache, refresh, or rotate values — every `resolve` re-reads
  the env var.
- It does not implement `revoke_for_cell`: env vars set in a parent
  process cannot be unset from a child. Isolation relies on cell-model
  teardown (cleared subprocess env, short TTLs), not on runtime revocation.
- It does not surface a broker correlation ID — there is no upstream
  session to thread. `broker_correlation_id` returns `None`, and the
  supervisor falls back to `spec.correlation.correlationId`.

## Public API surface

| Symbol | Purpose |
|---|---|
| `EnvSecretBroker` | The broker. `new()` / `default()`. |
| `EnvSecretBroker::env_var_name(key)` | Pure helper: `"github-token"``"CELLOS_SECRET_GITHUB_TOKEN"`. |

Source: [`src/lib.rs`](src/lib.rs).

## Configuration

Per secret key referenced by the cell spec:

```text
CELLOS_SECRET_<UPPER_KEY>=<value>
```

Selection:

```text
CELLOS_BROKER=env
```

Empty / unset `CELLOS_BROKER` selects the in-memory broker (test only);
an unknown value records a `StartupConfigWarning` and falls back to the
in-memory broker (or fails under `CELLOS_STRICT_CONFIG=1`).

Keys are rejected before reading env if they are empty, contain a NUL
byte, or contain `=` — these would otherwise propagate into the env-var
name and panic `std::env::var`.

## Examples

```yaml
# Cell spec
authority:
  secretRefs:
    - GITHUB_TOKEN
    - DB_PASSWORD
```

```bash
export CELLOS_BROKER=env
export CELLOS_SECRET_GITHUB_TOKEN=ghp_...
export CELLOS_SECRET_DB_PASSWORD=hunter2
cellos-supervisor --spec cell.yaml
```

## Testing

```bash
cargo test -p cellos-broker-env
```

## Related crates

- `cellos-broker-file` — filesystem-mounted secrets (k8s, Docker, systemd).
- `cellos-broker-oidc` — GitHub Actions OIDC token exchange.
- `cellos-broker-vault` — HashiCorp Vault AppRole.
- `cellos-supervisor` — selects this broker via `CELLOS_BROKER`.
- `cellos-core` — defines the `SecretBroker` port and `SecretView`.

## ADRs

- ADR-0007 — RBAC and `secretRef` admission contract.