leash-sdk 0.4.0

Rust SDK for the Leash platform — unified async client for auth, env, and integrations.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239

//! Runtime env-var primitive — fetches values from the Leash platform.
//!
//! Mirrors `leash.env.get` / `leash.env.getMany` in the TS / Python / Go SDKs.
//! Values are cached for 60 seconds per-instance; the cache is shared between
//! [`Env::get`], [`Env::get_fresh`], and [`Env::get_many`].
//!
//! The Rust surface adopts two adaptations:
//!
//!   * `Result<Option<String>>` — `Ok(None)` for a 404 (key not declared
//!     anywhere), `Err(_)` for everything else. Callers branch with
//!     `if value.is_none()` instead of catching errors.
//!   * Dedicated [`get_fresh`](Self::get_fresh) method for cache-bypass,
//!     rather than an option-struct overload — gives type safety and is
//!     equivalent to the TS `{ fresh: true }` option.

use std::collections::HashMap;
use std::sync::{Arc, Mutex};
use std::time::{Duration, Instant};

use serde::Deserialize;

use crate::errors::{LeashError, Result};

/// Default cache window — matches TS/Python/Go.
pub const ENV_CACHE_TTL: Duration = Duration::from_secs(60);

/// `leash.env()` — runtime env-var fetcher with an in-memory TTL cache.
#[derive(Debug, Clone)]
pub struct Env {
    inner: Arc<EnvInner>,
}

#[derive(Debug)]
struct EnvInner {
    platform_url: String,
    api_key: Option<String>,
    http: reqwest::Client,
    cache: Mutex<HashMap<String, Cached>>,
}

#[derive(Debug, Clone)]
struct Cached {
    value: Option<String>,
    expires_at: Instant,
}

impl Env {
    pub(crate) fn new(platform_url: String, api_key: Option<String>, http: reqwest::Client) -> Self {
        Self {
            inner: Arc::new(EnvInner {
                platform_url: platform_url.trim_end_matches('/').to_string(),
                api_key,
                http,
                cache: Mutex::new(HashMap::new()),
            }),
        }
    }

    /// Resolve a single env-var by name, using the TTL cache.
    ///
    /// Returns `Ok(None)` when the platform reports the key as not declared
    /// or not found anywhere (HTTP 404). All other failures surface as
    /// [`LeashError`].
    pub async fn get(&self, key: &str) -> Result<Option<String>> {
        self.resolve(key, false).await
    }

    /// Like [`Self::get`] but bypasses the cache read. The freshly-fetched
    /// value is still written back to the cache.
    ///
    /// Equivalent to the TS `leash.env.get(key, { fresh: true })` option.
    pub async fn get_fresh(&self, key: &str) -> Result<Option<String>> {
        self.resolve(key, true).await
    }

    /// Resolve multiple env-vars sequentially, sharing the TTL cache.
    ///
    /// If any key fails (auth, plan, network), the whole call returns that
    /// error — partial results are not surfaced (matches Go behaviour). Each
    /// value is `Option<String>` so callers can distinguish "missing" (`None`)
    /// from "empty string" (`Some("")`).
    pub async fn get_many(&self, keys: &[&str]) -> Result<HashMap<String, Option<String>>> {
        let mut out = HashMap::with_capacity(keys.len());
        for key in keys {
            let value = self.get(key).await?;
            out.insert((*key).to_string(), value);
        }
        Ok(out)
    }

    async fn resolve(&self, key: &str, fresh: bool) -> Result<Option<String>> {
        let now = Instant::now();
        if !fresh {
            if let Some(cached) = self.cache_get(key, now) {
                return Ok(cached);
            }
        }

        let value = self.fetch(key).await?;
        self.cache_put(key, value.clone(), now + ENV_CACHE_TTL);
        Ok(value)
    }

    fn cache_get(&self, key: &str, now: Instant) -> Option<Option<String>> {
        let cache = self.inner.cache.lock().ok()?;
        let entry = cache.get(key)?;
        if entry.expires_at > now {
            Some(entry.value.clone())
        } else {
            None
        }
    }

    fn cache_put(&self, key: &str, value: Option<String>, expires_at: Instant) {
        if let Ok(mut cache) = self.inner.cache.lock() {
            cache.insert(
                key.to_string(),
                Cached {
                    value,
                    expires_at,
                },
            );
        }
    }

    async fn fetch(&self, key: &str) -> Result<Option<String>> {
        let api_key = self.inner.api_key.as_deref().ok_or_else(|| {
            LeashError::Unauthorized {
                message: "LEASH_API_KEY is required to call Env::get.".to_string(),
            }
        })?;

        let url = format!(
            "{}/api/apps/me/secrets/{}",
            self.inner.platform_url,
            percent_encode(key)
        );

        let resp = self
            .inner
            .http
            .get(&url)
            .bearer_auth(api_key)
            .send()
            .await?;

        let status = resp.status();
        let raw = resp.bytes().await?;

        match status.as_u16() {
            400 => Err(LeashError::UpstreamError {
                status: 400,
                message: format!(
                    "Invalid env-var key: '{key}'. Names must match /^[A-Za-z_][A-Za-z0-9_]*$/ and be \u{2264}100 chars."
                ),
            }),
            401 => Err(LeashError::Unauthorized {
                message: "Missing or invalid LEASH_API_KEY.".to_string(),
            }),
            402 => {
                let parsed: Option<serde_json::Value> = serde_json::from_slice(&raw).ok();
                let required_plan = parsed
                    .as_ref()
                    .and_then(|v| v.get("requiredPlan"))
                    .and_then(|v| v.as_str())
                    .map(|s| s.to_string());
                let suffix = required_plan
                    .as_deref()
                    .map(|p| format!(" (requiredPlan: {p})"))
                    .unwrap_or_default();
                Err(LeashError::UpgradeRequired {
                    message: format!("Env::get requires the Growth plan or above{suffix}."),
                })
            }
            // Adapted behaviour: 404 → Ok(None) so callers can branch with
            // `if value.is_none()` instead of matching on a specific error.
            404 => Ok(None),
            502 => {
                let parsed: Option<serde_json::Value> = serde_json::from_slice(&raw).ok();
                let msg = parsed
                    .as_ref()
                    .and_then(|v| v.get("error"))
                    .and_then(|v| v.as_str())
                    .map(|s| s.to_string())
                    .unwrap_or_else(|| "Secret source resync failed on the platform side.".into());
                Err(LeashError::UpstreamError {
                    status: 502,
                    message: msg,
                })
            }
            s if s >= 400 => Err(LeashError::UpstreamError {
                status: s,
                message: format!("Unexpected response from platform: HTTP {s}"),
            }),
            _ => {
                let body: SecretBody =
                    serde_json::from_slice(&raw).map_err(|_| LeashError::MalformedResponse {
                        message: format!("Platform returned unexpected shape for key '{key}'."),
                    })?;
                Ok(Some(body.value))
            }
        }
    }
}

#[derive(Debug, Deserialize)]
struct SecretBody {
    value: String,
}

/// Minimal percent-encoder for path segments — keeps unreserved chars,
/// escapes everything else. Avoids a dep on `percent-encoding` for one call.
fn percent_encode(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for byte in input.bytes() {
        match byte {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => {
                out.push(byte as char);
            }
            _ => {
                out.push('%');
                out.push_str(&format!("{byte:02X}"));
            }
        }
    }
    out
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn percent_encodes_reserved_chars() {
        assert_eq!(percent_encode("OPENAI_API_KEY"), "OPENAI_API_KEY");
        assert_eq!(percent_encode("a/b"), "a%2Fb");
        assert_eq!(percent_encode("a b"), "a%20b");
    }
}