enact-config 0.0.2

Unified configuration management for Enact - secure storage with keychain and encrypted files
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314

//! Enact Configuration Management
//!
//! Unified configuration management for Enact with:
//! - Environment variable support for secrets (checks `ENACT_*` env vars first)
//! - OS keychain for secrets (API keys, tokens, credentials) with fallback support
//! - Encrypted file storage for settings (feature flags, timeouts, preferences)
//! - Cloud sync for authenticated users (respects air-gapped mode)
//!
//! # Example
//!
//! ```rust,no_run
//! use enact_config::{ConfigManager, RuntimeMode, default_config_path};
//!
//! # async fn example() -> anyhow::Result<()> {
//! let config_path = default_config_path()?;
//! let manager = ConfigManager::new(config_path).await?;
//!
//! // Load configuration
//! let config = manager.load().await?;
//!
//! // Set a secret (stored in keychain)
//! manager.set_secret("providers.azure.apiKey", "your-api-key").await?;
//!
//! // Set a setting (stored in encrypted file)
//! let mut config = manager.load().await?;
//! config.runtime.mode = RuntimeMode::Local;
//! manager.save(&config).await?;
//!
//! // Save configuration
//! manager.save(&config).await?;
//! # Ok(())
//! # }
//! ```

pub mod agent_def;
pub mod config;
pub mod doctor;
pub mod encrypted_store;
pub mod home;
pub mod hook_config;
pub mod medic;
pub mod project_def;
pub mod secrets;
pub mod sync;

pub use agent_def::{AgentDef, AgentRegistry, ChannelBotConfig};
pub use config::*;
pub use doctor::{run_checks, Check, CheckStatus, DoctorReport};
pub use encrypted_store::{default_config_path, EncryptedStore};
pub use home::{
    create_config_backup, enact_home, ensure_home_dirs, load_dotenv_from_home,
    load_enact_md_context, resolve_config_file, write_env_secret, write_yaml_at_home,
};
pub use hook_config::{HookConfig, HookDecision, HookEvent, HookHandler, HooksConfig};
pub use medic::{disallowed_top_level_keys, reference_yaml, REFERENCE_FILES};
pub use project_def::{ProjectDef, ProjectRegistry, Task, TaskBoard};
pub use secrets::SecretManager;
pub use sync::{SyncManager, SyncStatus};

use anyhow::{Context, Result};
use std::path::PathBuf;
use tracing::{debug, info};

/// Main configuration manager
pub struct ConfigManager {
    encrypted_store: EncryptedStore,
    secrets: SecretManager,
    sync_manager: Option<SyncManager>,
}

impl ConfigManager {
    /// Create a new configuration manager
    ///
    /// # Arguments
    /// * `config_path` - Path to the encrypted config file
    pub async fn new(config_path: impl Into<PathBuf>) -> Result<Self> {
        let config_path = config_path.into();

        // In test mode, we might want mock store
        if std::env::var("ENACT_USE_MOCK_SECRET_STORE").is_ok()
            || std::env::var("CARGO_TARGET_TMPDIR").is_ok()
        {
            #[allow(clippy::needless_return)]
            return Self::new_with_mock_secrets(config_path).await;
        }

        #[cfg(test)]
        {
            #[allow(clippy::needless_return)]
            return Self::new_with_mock_secrets(config_path).await;
        }

        #[cfg(not(test))]
        {
            // Always use SecretManager which handles env vars and .env files
            // No more OS keychain prompts!
            let secrets = SecretManager::new();
            // For EncryptedStore, we need to pass the secret manager if it uses it for encryption keys?
            // EncryptedStore used to take KeychainManager to store the master key.
            // Now that we don't have keychain, where does EncryptedStore get the master key?
            // Usually it generates one and stores it in keychain.
            // If keychain is gone, we must store the master key in .env? ENACT_MASTER_KEY?

            // I need to check EncryptedStore implementation. It likely calls `keychain.get("enact.master.key")`.
            // With SecretManager, it will look for ENACT_ENACT_MASTER_KEY in env.
            // If not found, EncryptedStore usually generates it. But it can't save it back to env.
            // So EncryptedStore setup might fail or generate a new key every time if not in .env.
            // This effectively means configuration is ephemeral unless ENACT_MASTER_KEY is set.

            // I'll proceed with updating ConfigManager, and then I MUST check EncryptedStore.

            let encrypted_store =
                EncryptedStore::new(&config_path).context("Failed to create encrypted store")?;

            Ok(Self {
                encrypted_store,
                secrets,
                sync_manager: None,
            })
        }
    }

    /// Create a new configuration manager with a mock secrets for testing
    pub async fn new_with_mock_secrets(config_path: impl Into<PathBuf>) -> Result<Self> {
        let config_path = config_path.into();
        let mock_secrets = SecretManager::new_mock();
        // EncryptedStore needs to be updated to take SecretManager
        // For now, assume EncryptedStore still expects KeychainManager?
        // I need to update EncryptedStore too!

        // This tool call only updates lib.rs. I'll need to update encrypted_store.rs next.
        // I will temporarily comment out EncryptedStore usage here or assume it's updated.
        // But `EncryptedStore::with_keychain` signature will change.

        // Let's assume I will rename `with_keychain` to `with_secrets`.
        let encrypted_store = EncryptedStore::with_secrets(&config_path, mock_secrets.clone())
            .context("Failed to create encrypted store")?;

        Ok(Self {
            encrypted_store,
            secrets: mock_secrets,
            sync_manager: None,
        })
    }

    /// Create a configuration manager with cloud sync enabled
    pub async fn with_sync(
        config_path: impl Into<PathBuf>,
        api_url: Option<String>,
        tenant_id: Option<String>,
        auto_sync: bool,
        runtime_mode: RuntimeMode,
    ) -> Result<Self> {
        let mut manager = Self::new(config_path).await?;
        manager.sync_manager = Some(SyncManager::new(
            api_url,
            tenant_id,
            auto_sync,
            runtime_mode,
        ));

        let mut config = manager.load().await?;
        let mut changed = false;
        if config.runtime.mode != runtime_mode {
            config.runtime.mode = runtime_mode;
            changed = true;
        }

        if matches!(runtime_mode, RuntimeMode::AirGapped) && config.runtime.allow_network {
            config.runtime.allow_network = false;
            changed = true;
        }

        if changed {
            manager.save(&config).await?;
        }

        Ok(manager)
    }

    /// Load configuration from encrypted file
    pub async fn load(&self) -> Result<Config> {
        match self.encrypted_store.load()? {
            Some(json) => {
                let config: Config =
                    serde_json::from_str(&json).context("Failed to parse configuration")?;
                debug!("Loaded configuration from encrypted store");
                Ok(config)
            }
            None => {
                debug!("No configuration found, using defaults");
                Ok(Config::default())
            }
        }
    }

    /// Save configuration to encrypted file
    pub async fn save(&self, config: &Config) -> Result<()> {
        let json =
            serde_json::to_string_pretty(config).context("Failed to serialize configuration")?;

        self.encrypted_store.save(&json)?;

        // Auto-sync to cloud if enabled
        if let Some(ref sync_manager) = self.sync_manager {
            if sync_manager.is_enabled() {
                info!("Auto-syncing configuration to cloud");
                if let Err(e) = sync_manager.sync_to_cloud(config).await {
                    tracing::warn!("Failed to sync configuration to cloud: {}", e);
                }
            }
        }

        Ok(())
    }

    /// Set a secret value
    /// Note: With SecretManager, this might fail if not using mock store.
    /// Users should set secrets in .env.
    pub async fn set_secret(&self, key: &str, value: &str) -> Result<()> {
        self.secrets.set(key, value)?;
        debug!("Set secret: {}", key);
        Ok(())
    }

    /// Get a secret value
    pub async fn get_secret(&self, key: &str) -> Result<Option<String>> {
        self.secrets.get(key)
    }

    /// Delete a secret
    pub async fn delete_secret(&self, key: &str) -> Result<()> {
        self.secrets.delete(key)?;
        debug!("Deleted secret: {}", key);
        Ok(())
    }

    /// Sync configuration from cloud
    pub async fn sync_from_cloud(&self) -> Result<Option<Config>> {
        if let Some(ref sync_manager) = self.sync_manager {
            sync_manager.sync_from_cloud().await
        } else {
            Ok(None)
        }
    }

    /// Sync configuration to cloud
    pub async fn sync_to_cloud(&self, config: &Config) -> Result<Option<sync::SyncResponse>> {
        if let Some(ref sync_manager) = self.sync_manager {
            sync_manager.sync_to_cloud(config).await
        } else {
            Ok(None)
        }
    }

    /// Get sync status
    pub fn sync_status(&self) -> SyncStatus {
        self.sync_manager
            .as_ref()
            .map(|m| m.status())
            .unwrap_or(SyncStatus::Disabled)
    }

    /// Get the config file path
    pub fn config_path(&self) -> &std::path::Path {
        self.encrypted_store.config_path()
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use tempfile::TempDir;

    #[tokio::test]
    async fn test_config_manager() {
        let temp_dir = TempDir::new().unwrap();
        let config_path = temp_dir.path().join("test_config.encrypted");
        let manager = ConfigManager::new_with_mock_secrets(&config_path)
            .await
            .unwrap();

        // Test default config
        let config = manager.load().await.unwrap();
        assert_eq!(config.runtime.mode, RuntimeMode::Local);

        // Test save and load
        let mut config = Config::default();
        config.runtime.mode = RuntimeMode::AirGapped;
        manager.save(&config).await.unwrap();

        let loaded = manager.load().await.unwrap();
        assert_eq!(loaded.runtime.mode, RuntimeMode::AirGapped);
    }

    #[tokio::test]
    async fn test_secret_management() {
        let temp_dir = TempDir::new().unwrap();
        let config_path = temp_dir.path().join("test_config.encrypted");
        let manager = ConfigManager::new_with_mock_secrets(&config_path)
            .await
            .unwrap();

        // Test set and get secret
        manager.set_secret("test.key", "test_value").await.unwrap();
        let value = manager.get_secret("test.key").await.unwrap();
        assert_eq!(value, Some("test_value".to_string()));

        // Test delete
        manager.delete_secret("test.key").await.unwrap();
        let value = manager.get_secret("test.key").await.unwrap();
        assert_eq!(value, None);
    }
}