Source-credential recursion check per ADR-021 §4.
A source A that declares SecretSource::requires_credential
= Some(CredentialRef::Path(...)) must have its credential
resolved through a source B whose requires_credential() is
None. The router enforces this at configuration load, before
any get() is dispatched, so the user gets a structured error
rather than a runtime stack-overflow on the first secret read.
§Why one hop?
The reasoning from ADR-021 §4: a Vault token cannot itself be
stored in Vault, because reading it would require Vault to
already be unlockable. The keychain (and the local-vault from
ADR-023, once unlocked) are the only sources that may hold
source-credentials, because they have no requires_credential()
of their own.
Anything deeper than one hop is either a misconfiguration the user did not realise, or a literal cycle. Both fail the load with a typed error from this module.
§What the validator checks
For every source A in RouterConfig::sources whose
requires_credential() is Some(CredentialRef::Path(p)):
- p must live under the reserved __sources/ namespace. Anything else is rejected with CredentialGraphError::BadCredentialPath so users can’t accidentally route source-credentials through their normal manifest.
- p must resolve through the configured router rules to some source B.
- Walk the chain A → B → C → …. The first node whose requires_credential() is None (or Some(CredentialRef::Sentinel) — a sentinel means the source handles its own auth and is treated as terminal) closes the chain.
- If we revisit a node, the chain is a cycle — CredentialGraphError::Cycle.
- Otherwise, if the chain is longer than one hop — CredentialGraphError::Deep.
Sentinel-typed credentials are not graph edges; the source
plugin interprets them natively (biometric,
default-profile). They terminate the walk with no traversal.
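The walk described above, as an added Rust example that is not the crate's own code. It models the configuration with two plain maps (an assumption standing in for RouterConfig and the router rules); the Unresolved variant and every source name and path in the sample are made up for illustration.

```rust
use std::collections::{HashMap, HashSet};
// Simplified model for illustration; these types are assumptions, not the crate's API.
const PREFIX: &str = "__sources/"; // reserved namespace named on the page

enum Cred { Path(String), Sentinel }
#[derive(Debug, PartialEq)]
enum GraphError { BadCredentialPath, Unresolved, Cycle, Deep } // Unresolved is hypothetical
type Requires<'a> = HashMap<&'a str, Option<Cred>>; // source -> requires_credential()
type Routes<'a> = HashMap<&'a str, &'a str>; // credential path -> serving source

/// Walk the credential chain that starts at `start` and apply the page's rules.
fn check_source(start: &str, requires: &Requires, routes: &Routes) -> Result<(), GraphError> {
    let mut seen = HashSet::from([start]);
    let (mut node, mut hops) = (start, 0usize);
    // Only Path credentials are edges; None and Sentinel end the walk.
    while let Some(Some(Cred::Path(p))) = requires.get(node) {
        if !p.starts_with(PREFIX) { return Err(GraphError::BadCredentialPath); }
        node = *routes.get(p.as_str()).ok_or(GraphError::Unresolved)?;
        if !seen.insert(node) { return Err(GraphError::Cycle); } // revisited a source
        hops += 1;
    }
    if hops > 1 { Err(GraphError::Deep) } else { Ok(()) }
}

/// Constructed sample configuration: source names and paths are made up.
fn sample() -> (Requires<'static>, Routes<'static>) {
    let path = |p: &str| Some(Cred::Path(p.to_string()));
    let requires = HashMap::from([
        ("keychain", None),
        ("cloud", Some(Cred::Sentinel)),
        ("vault", path("__sources/vault/default")),
        ("nested", path("__sources/nested/default")),
        ("selfref", path("__sources/selfref/default")),
        ("leaky", path("app/db/password")),
    ]);
    let routes = HashMap::from([
        ("__sources/vault/default", "keychain"),
        ("__sources/nested/default", "vault"),
        ("__sources/selfref/default", "selfref"),
    ]);
    (requires, routes)
}

fn main() {
    let (requires, routes) = sample();
    for s in ["keychain", "cloud", "vault", "nested", "selfref", "leaky"] {
        println!("{s}: {:?}", check_source(s, &requires, &routes));
    }
}
```

In this model a source that is missing from the `requires` map is treated as terminal, which a real loader would more likely reject as an undefined source.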
Enums§
- CredentialGraphError - Failure modes for validate_source_credentials.
Constants§
- SOURCE_CREDENTIALS_PREFIX - Reserved prefix for source-authentication credential paths.
Anything outside this namespace is rejected as a credential
path; per ADR-021 §5 only
__sources/<source>/<profile> paths may carry source credentials.
Functions§
- validate_source_credentials - Validate the source-credential graph defined by
config and the requires_credential lookup for each defined source.