
Module credentials


OAuth credential resolution for the OAuth /api/oauth/usage endpoint. Reads the access token from macOS Keychain (primary + multi-account fallback) or from a file cascade ($CLAUDE_CONFIG_DIR, XDG, ~/.claude/).

Canonical spec: docs/specs/credentials.md.

Sensitivity contract. The token never appears in Debug or Display output anywhere in this module. Credentials wraps the token in secrecy::SecretString with a manual Debug impl that redacts it. CredentialError::ParseError carries a serde_json::Error whose Display would include a snippet of the source bytes, so our Display impl prints only the path and line / column, never the cause’s Display. std::error::Error::source still chains to the raw cause so callers who opt in (with caution) can inspect it.
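The redaction pattern this contract describes, as an added std-only example that is not the module's own code: Secret and RawCause are hypothetical stand-ins for secrecy::SecretString and serde_json::Error, ParseError is a hypothetical analogue of CredentialError::ParseError, and the token and path are constructed.

```rust
use std::{error::Error, fmt, path::PathBuf};
/// Hypothetical stand-in for secrecy::SecretString (std-only, not the module's type).
pub struct Secret(String);
impl Secret { pub fn expose(&self) -> &str { &self.0 } }
impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.write_str("[REDACTED]") }
}

/// Hypothetical stand-in for serde_json::Error: its Display echoes input bytes.
#[derive(Debug)]
pub struct RawCause { pub line: usize, pub column: usize, pub snippet: String }
impl fmt::Display for RawCause {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "invalid value `{}` at line {} column {}", self.snippet, self.line, self.column)
    }
}
impl Error for RawCause {}

/// Hypothetical analogue of CredentialError::ParseError.
pub struct ParseError { pub path: PathBuf, pub cause: RawCause }
impl fmt::Display for ParseError {
    // Path and position only; never forwards the cause's Display.
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "cannot parse {} at line {}, column {}",
            self.path.display(), self.cause.line, self.cause.column)
    }
}
impl fmt::Debug for ParseError {
    // Manual Debug: a derive would print cause.snippet.
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("ParseError").field("path", &self.path)
            .field("line", &self.cause.line).field("column", &self.cause.column).finish()
    }
}
impl Error for ParseError {
    // The raw cause stays reachable for callers who opt in.
    fn source(&self) -> Option<&(dyn Error + 'static)> { Some(&self.cause) }
}

/// Constructed sample: a parse failure whose raw cause contains the token bytes.
pub fn sample() -> (Secret, ParseError) {
    let token = "constructed-token-123";
    let cause = RawCause { line: 3, column: 18, snippet: token.to_string() };
    (Secret(token.to_string()), ParseError { path: PathBuf::from("/constructed/creds.json"), cause })
}
fn main() {
    let (secret, err) = sample();
    println!("{:?}\n{}\n{:?}", secret, err, err);
}
```

A logging layer that walks the source() chain and prints each cause's Display would reintroduce the snippet, which is why inspecting the raw cause is opt-in.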

Structs

Credentials
Resolved OAuth credentials. Clone-on-Arc across segments; the underlying SecretString is cheap to clone.
FileCascadeEnv
Environmental inputs for the file-cascade portion of credential resolution. macOS Keychain probes shell out to security and don’t depend on these fields, so only the file-cascade env vars live here. Treats empty string as unset per credentials.md §Edge cases.

Enums

CredentialError
Failure modes for resolve_credentials. Debug and Display deliberately avoid forwarding serde_json::Error’s Display because its context snippet may include token bytes; the raw cause is still reachable via std::error::Error::source for callers who need it.
CredentialSource
Where resolve_credentials found the token.

Functions

resolve_credentials
Resolve the OAuth access token via the cascade in docs/specs/credentials.md §Resolution cascade: macOS Keychain (primary + multi-account) on macOS, then file-based cascade on all platforms. Memoization for process-lifetime reuse is the caller’s responsibility; each invocation re-runs the full cascade.
resolve_credentials_with
Same cascade as resolve_credentials but with an explicit FileCascadeEnv. Lets doctor and tests pin the file-cascade inputs without mutating process env, which is racy under Rust’s default parallel test execution.