Module router_credentials

Source-credential recursion check per ADR-021 §4.

A source A that declares SecretSource::requires_credential = Some(CredentialRef::Path(...)) must have its credential resolved through a source B whose requires_credential() is None. The router enforces this at configuration load, before any get() is dispatched, so the user gets a structured error rather than a runtime stack-overflow on the first secret read.

Why one hop?

The reasoning from ADR-021 §4: a Vault token cannot itself be stored in Vault, because reading it would require Vault to already be unlockable. The keychain (and the local-vault from ADR-023, once unlocked) are the only sources that may hold source-credentials, because they have no requires_credential() of their own.

Anything deeper than one hop is either a misconfiguration the user did not notice, or a literal cycle. Both fail the load with a typed error from this module.

What the validator checks

For every source A in RouterConfig::sources whose requires_credential() is Some(CredentialRef::Path(p)):

  1. p must live under the reserved __sources/ namespace. Anything else is rejected with CredentialGraphError::BadCredentialPath so users can’t accidentally route source-credentials through their normal manifest.
  2. p must resolve through the configured router rules to some source B.
  3. Walk the chain A → B → C → …. The first node whose requires_credential() is None (or Some(CredentialRef::Sentinel) — a sentinel means the source handles its own auth and is treated as terminal) closes the chain.
  4. If we revisit a node, the chain is a cycle — CredentialGraphError::Cycle.
  5. Otherwise, if the chain is longer than one hop — CredentialGraphError::Deep.

Sentinel-typed credentials are not graph edges; the source plugin interprets them natively (biometric, default-profile). They terminate the walk with no traversal.
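The five checks above, walked end to end, as an added example that is not the module's own code. The shapes of `RouterConfig`, `CredentialRef` and `CredentialGraphError`, the prefix-rule `route` helper and the extra `Unroutable` variant (for a path no rule matches) are assumptions made so the snippet is self-contained; the page names those types but does not show their definitions.

```rust
use std::collections::HashMap;

/// Reserved namespace for source-authentication credential paths (ADR-021 §5).
pub const SOURCE_CREDENTIALS_PREFIX: &str = "__sources/";

/// Assumed shape of CredentialRef: a routed path or a natively handled sentinel.
#[derive(Clone, Debug, PartialEq)]
pub enum CredentialRef {
    Path(String),
    Sentinel,
}

/// Assumed shape of CredentialGraphError. `Unroutable` is added by this
/// example for step 2; the page only names BadCredentialPath, Cycle and Deep.
#[derive(Debug, PartialEq)]
pub enum CredentialGraphError {
    BadCredentialPath { source: String, path: String },
    Unroutable { source: String, path: String },
    Cycle { chain: Vec<String> },
    Deep { chain: Vec<String> },
}

/// Toy stand-in for RouterConfig: each source's requires_credential() result,
/// plus ordered (path prefix -> source name) routing rules.
pub struct RouterConfig {
    pub sources: HashMap<String, Option<CredentialRef>>,
    pub rules: Vec<(String, String)>,
}

impl RouterConfig {
    pub fn new(sources: &[(&str, Option<CredentialRef>)], rules: &[(&str, &str)]) -> Self {
        RouterConfig {
            sources: sources.iter().map(|(n, c)| (n.to_string(), c.clone())).collect(),
            rules: rules.iter().map(|(p, s)| (p.to_string(), s.to_string())).collect(),
        }
    }

    /// First rule whose prefix matches `path`, provided its target is a defined source.
    fn route(&self, path: &str) -> Option<&str> {
        self.rules
            .iter()
            .find(|(prefix, _)| path.starts_with(prefix.as_str()))
            .map(|(_, src)| src.as_str())
            .filter(|src| self.sources.contains_key(*src))
    }
}

/// Runs checks 1-5 for every source; the first failure aborts the load.
pub fn validate_source_credentials(config: &RouterConfig) -> Result<(), CredentialGraphError> {
    let mut names: Vec<&String> = config.sources.keys().collect();
    names.sort(); // deterministic order so the reported error is stable
    for start in names {
        let mut chain = vec![start.clone()];
        let mut current = start.as_str();
        loop {
            // Step 3: None or Sentinel is terminal and closes the chain.
            let path = match config.sources[current].as_ref() {
                None | Some(CredentialRef::Sentinel) => break,
                Some(CredentialRef::Path(p)) => p.as_str(),
            };
            // Step 1: only the reserved namespace may carry source credentials.
            if !path.starts_with(SOURCE_CREDENTIALS_PREFIX) {
                return Err(CredentialGraphError::BadCredentialPath {
                    source: current.to_string(),
                    path: path.to_string(),
                });
            }
            // Step 2: the path must route to some defined source.
            let next = config.route(path).ok_or_else(|| CredentialGraphError::Unroutable {
                source: current.to_string(),
                path: path.to_string(),
            })?;
            // Step 4: revisiting a node in this chain is a cycle.
            if chain.iter().any(|n| n.as_str() == next) {
                chain.push(next.to_string());
                return Err(CredentialGraphError::Cycle { chain });
            }
            chain.push(next.to_string());
            current = next;
        }
        // Step 5: A -> B is one hop (two nodes); anything longer is Deep.
        if chain.len() > 2 {
            return Err(CredentialGraphError::Deep { chain });
        }
    }
    Ok(())
}

fn main() {
    // Constructed config: vault's token lives in the keychain, one hop away.
    let cfg = RouterConfig::new(
        &[("keychain", None), ("vault", Some(CredentialRef::Path("__sources/vault/prod".into())))],
        &[("__sources/", "keychain")],
    );
    println!("{:?}", validate_source_credentials(&cfg));
}
```

The walk deliberately finishes before the depth check so that a two-hop chain that loops back on itself is reported as `Cycle`, the more serious finding, rather than as `Deep`; the `BadCredentialPath` check runs on each node as it is visited, so a bad path anywhere in a chain is caught even when the chain would otherwise be valid.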

Enums

CredentialGraphError
Failure modes for validate_source_credentials.

Constants

SOURCE_CREDENTIALS_PREFIX
Reserved prefix for source-authentication credential paths. Anything outside this namespace is rejected as a credential path; per ADR-021 §5 only __sources/<source>/<profile> paths may carry source credentials.

Functions

validate_source_credentials
Validate the source-credential graph defined by config and the requires_credential lookup for each defined source.