Crate deepseek_secrets

Expand description

Secret storage for DeepSeek API keys.

Provides a small abstraction (KeyringStore) plus a default file-based implementation (FileKeyringStore), an opt-in OS keyring implementation (DefaultKeyringStore), and an in-memory store for tests (InMemoryKeyringStore).

Higher-level lookup through Secrets::resolve checks the secret store first and falls back to environment variables. Config-file precedence lives in the config crate so user-facing commands can keep config -> secret store -> env explicit at the call site.

Structs§

DefaultKeyringStore: OS keyring backend (macOS Keychain, Windows Credential Manager, Linux Secret Service / kwallet). This backend is opt-in through SECRET_BACKEND_ENV. On platforms without a configured native keyring dependency, probing this backend returns an unsupported error so Secrets::auto_detect can fall back to FileKeyringStore.
FileKeyringStore: JSON-on-disk fallback for headless environments without a Secret Service / dbus. Stored at <home>/.deepseek/secrets/secrets.json with mode 0600.
InMemoryKeyringStore: In-memory keyring (tests only).
Secrets: High-level façade combining a KeyringStore with environment variable fallbacks.

Enums§

SecretSource: Source layer that provided a resolved secret.
SecretsError: Errors that may arise from a KeyringStore backend.

Constants§

DEFAULT_SERVICE: Default OS keychain service name. macOS users can verify entries with security find-generic-password -s deepseek -a <provider>.
SECRET_BACKEND_ENV: Select the secret storage backend. Supported values are file (default) and system/keyring for the OS credential store.

Traits§

KeyringStore: Abstract secret store; concrete implementations may use the OS keyring, a JSON file under ~/.deepseek/secrets/, or an in-memory map (tests).

Functions§

env_for: Map a canonical provider name to its environment variable, returning the value if non-empty.