Skip to main content

systemprompt_cli/commands/admin/config/
secret.rs

1//! `admin config secret set` — write a provider or custom credential into the
2//! profile's secrets file without hand-editing JSON.
3//!
4//! Infrastructure secrets (database URLs, at-rest pepper, signing seed) are
5//! rejected: they are provisioned out-of-band, so a partial edit here cannot
6//! corrupt the values the runtime depends on.
7
8use std::path::Path;
9
10use anyhow::{Context, Result, bail};
11use clap::{Args, Subcommand};
12use systemprompt_config::ProfileBootstrap;
13
14use super::profile_io::{load_profile, profile_dir};
15use super::types::ConfigMutationOutput;
16use crate::CliConfig;
17use crate::shared::{CommandOutput, render_result};
18
19const RESERVED: &[&str] = &[
20    "oauth_at_rest_pepper",
21    "manifest_signing_secret_seed",
22    "database_url",
23    "database_write_url",
24    "external_database_url",
25    "internal_database_url",
26];
27
28#[derive(Debug, Subcommand)]
29pub enum SecretCommands {
30    #[command(about = "Set a provider or custom secret")]
31    Set(SetArgs),
32}
33
34#[derive(Debug, Clone, Args)]
35pub struct SetArgs {
36    #[arg(help = "Secret name (e.g. anthropic, minimax)")]
37    pub name: String,
38
39    #[arg(help = "Secret value")]
40    pub value: String,
41}
42
43pub fn execute(command: &SecretCommands, _config: &CliConfig) -> Result<()> {
44    let SecretCommands::Set(args) = command;
45
46    let profile_path = ProfileBootstrap::get_path()?;
47    let profile = load_profile(profile_path)?;
48    let secrets_rel = profile
49        .secrets
50        .as_ref()
51        .map(|s| s.secrets_path.clone())
52        .ok_or_else(|| anyhow::anyhow!("profile has no secrets section"))?;
53    let secrets_file = profile_dir(profile_path).join(&secrets_rel);
54
55    set_secret(&secrets_file, &args.name, &args.value)?;
56
57    render_result(&CommandOutput::card_value(
58        "Secret Updated",
59        &ConfigMutationOutput {
60            field: "secrets".to_owned(),
61            message: format!("Secret '{}' set", args.name),
62        },
63    ));
64    Ok(())
65}
66
67pub fn set_secret(secrets_file: &Path, name: &str, value: &str) -> Result<()> {
68    if RESERVED.contains(&name) {
69        bail!("'{name}' is a reserved infrastructure secret and cannot be set here");
70    }
71
72    let content = std::fs::read_to_string(secrets_file)
73        .with_context(|| format!("Failed to read secrets: {}", secrets_file.display()))?;
74    // JSON: operator tooling edits the on-disk secrets document by key, so a
75    // file still missing a required field can be completed one secret at a time.
76    let mut doc: serde_json::Value = serde_json::from_str(&content)
77        .with_context(|| format!("Failed to parse secrets: {}", secrets_file.display()))?;
78    let object = doc.as_object_mut().ok_or_else(|| {
79        anyhow::anyhow!(
80            "secrets file is not a JSON object: {}",
81            secrets_file.display()
82        )
83    })?;
84    object.insert(name.to_owned(), serde_json::Value::String(value.to_owned()));
85
86    let serialized = serde_json::to_string_pretty(&doc).context("Failed to serialize secrets")?;
87    std::fs::write(secrets_file, serialized)
88        .with_context(|| format!("Failed to write {}", secrets_file.display()))?;
89    Ok(())
90}