1use anyhow::{Context, Result};
2use serde::{Deserialize, Serialize};
3use std::collections::HashMap;
4use std::path::Path;
5use std::sync::OnceLock;
6
7use crate::profile::{resolve_with_home, SecretsSource, SecretsValidationMode};
8use crate::profile_bootstrap::ProfileBootstrap;
9
10static SECRETS: OnceLock<Secrets> = OnceLock::new();
11
12#[derive(Debug, Clone, Serialize, Deserialize)]
13pub struct Secrets {
14 pub jwt_secret: String,
15
16 pub database_url: String,
17
18 #[serde(default, skip_serializing_if = "Option::is_none")]
19 pub gemini: Option<String>,
20
21 #[serde(default, skip_serializing_if = "Option::is_none")]
22 pub anthropic: Option<String>,
23
24 #[serde(default, skip_serializing_if = "Option::is_none")]
25 pub openai: Option<String>,
26
27 #[serde(default, skip_serializing_if = "Option::is_none")]
28 pub github: Option<String>,
29
30 #[serde(default, flatten)]
31 pub custom: HashMap<String, String>,
32}
33
34const JWT_SECRET_MIN_LENGTH: usize = 32;
35
36impl Secrets {
37 pub fn parse(content: &str) -> Result<Self> {
38 let secrets: Self =
39 serde_json::from_str(content).context("Failed to parse secrets JSON")?;
40 secrets.validate()?;
41 Ok(secrets)
42 }
43
44 fn validate(&self) -> Result<()> {
45 if self.jwt_secret.len() < JWT_SECRET_MIN_LENGTH {
46 anyhow::bail!(
47 "jwt_secret must be at least {} characters (got {})",
48 JWT_SECRET_MIN_LENGTH,
49 self.jwt_secret.len()
50 );
51 }
52 Ok(())
53 }
54
55 pub const fn has_ai_provider(&self) -> bool {
56 self.gemini.is_some() || self.anthropic.is_some() || self.openai.is_some()
57 }
58
59 pub fn get(&self, key: &str) -> Option<&String> {
60 match key {
61 "jwt_secret" | "JWT_SECRET" => Some(&self.jwt_secret),
62 "database_url" | "DATABASE_URL" => Some(&self.database_url),
63 "gemini" | "GEMINI_API_KEY" => self.gemini.as_ref(),
64 "anthropic" | "ANTHROPIC_API_KEY" => self.anthropic.as_ref(),
65 "openai" | "OPENAI_API_KEY" => self.openai.as_ref(),
66 "github" | "GITHUB_TOKEN" => self.github.as_ref(),
67 other => self.custom.get(other),
68 }
69 }
70
71 pub fn log_configured_providers(&self) {
72 let configured: Vec<&str> = [
73 self.gemini.as_ref().map(|_| "gemini"),
74 self.anthropic.as_ref().map(|_| "anthropic"),
75 self.openai.as_ref().map(|_| "openai"),
76 self.github.as_ref().map(|_| "github"),
77 ]
78 .into_iter()
79 .flatten()
80 .collect();
81
82 tracing::info!(providers = ?configured, "Configured API providers");
83 }
84}
85
86#[derive(Debug, Clone, Copy)]
87pub struct SecretsBootstrap;
88
89#[derive(Debug, thiserror::Error)]
90pub enum SecretsBootstrapError {
91 #[error(
92 "Secrets not initialized. Call SecretsBootstrap::init() after ProfileBootstrap::init()"
93 )]
94 NotInitialized,
95
96 #[error("Secrets already initialized")]
97 AlreadyInitialized,
98
99 #[error("Profile not initialized. Call ProfileBootstrap::init() first")]
100 ProfileNotInitialized,
101
102 #[error("Secrets file not found: {path}")]
103 FileNotFound { path: String },
104
105 #[error("Invalid secrets file: {message}")]
106 InvalidSecretsFile { message: String },
107
108 #[error("No secrets configured. Create a secrets.json file.")]
109 NoSecretsConfigured,
110
111 #[error(
112 "JWT secret is required. Add 'jwt_secret' to your secrets file or set JWT_SECRET \
113 environment variable."
114 )]
115 JwtSecretRequired,
116
117 #[error(
118 "Database URL is required. Add 'database_url' to your secrets.json or set DATABASE_URL \
119 environment variable."
120 )]
121 DatabaseUrlRequired,
122}
123
124impl SecretsBootstrap {
125 pub fn init() -> Result<&'static Secrets> {
126 if SECRETS.get().is_some() {
127 anyhow::bail!(SecretsBootstrapError::AlreadyInitialized);
128 }
129
130 let secrets = Self::load_from_profile_config()?;
131
132 Self::log_loaded_secrets(&secrets);
133
134 SECRETS
135 .set(secrets)
136 .map_err(|_| anyhow::anyhow!(SecretsBootstrapError::AlreadyInitialized))?;
137
138 SECRETS
139 .get()
140 .ok_or_else(|| anyhow::anyhow!(SecretsBootstrapError::NotInitialized))
141 }
142
143 pub fn jwt_secret() -> Result<&'static str, SecretsBootstrapError> {
144 Ok(&Self::get()?.jwt_secret)
145 }
146
147 pub fn database_url() -> Result<&'static str, SecretsBootstrapError> {
148 Ok(&Self::get()?.database_url)
149 }
150
151 fn load_from_env() -> Result<Secrets> {
152 let jwt_secret = std::env::var("JWT_SECRET")
153 .ok()
154 .filter(|s| !s.is_empty())
155 .ok_or(SecretsBootstrapError::JwtSecretRequired)?;
156
157 let database_url = std::env::var("DATABASE_URL")
158 .ok()
159 .filter(|s| !s.is_empty())
160 .ok_or(SecretsBootstrapError::DatabaseUrlRequired)?;
161
162 let custom = std::env::var("SYSTEMPROMPT_CUSTOM_SECRETS")
163 .ok()
164 .filter(|s| !s.is_empty())
165 .map(|keys| {
166 keys.split(',')
167 .filter_map(|key| {
168 let key = key.trim();
169 std::env::var(key)
170 .ok()
171 .filter(|v| !v.is_empty())
172 .map(|v| (key.to_owned(), v))
173 })
174 .collect()
175 })
176 .unwrap_or_default();
177
178 let secrets = Secrets {
179 jwt_secret,
180 database_url,
181 gemini: std::env::var("GEMINI_API_KEY")
182 .ok()
183 .filter(|s| !s.is_empty()),
184 anthropic: std::env::var("ANTHROPIC_API_KEY")
185 .ok()
186 .filter(|s| !s.is_empty()),
187 openai: std::env::var("OPENAI_API_KEY")
188 .ok()
189 .filter(|s| !s.is_empty()),
190 github: std::env::var("GITHUB_TOKEN").ok().filter(|s| !s.is_empty()),
191 custom,
192 };
193
194 secrets.validate()?;
195 Ok(secrets)
196 }
197
198 fn load_from_profile_config() -> Result<Secrets> {
199 if let Ok(jwt_secret) = std::env::var("JWT_SECRET") {
200 if jwt_secret.len() >= JWT_SECRET_MIN_LENGTH {
201 tracing::debug!("Using JWT_SECRET from environment (subprocess mode)");
202 return Self::load_from_env();
203 }
204 }
205
206 let profile =
207 ProfileBootstrap::get().map_err(|_| SecretsBootstrapError::ProfileNotInitialized)?;
208
209 let secrets_config = profile
210 .secrets
211 .as_ref()
212 .ok_or(SecretsBootstrapError::NoSecretsConfigured)?;
213
214 let is_fly_environment = std::env::var("FLY_APP_NAME").is_ok();
215
216 match secrets_config.source {
217 SecretsSource::Env if is_fly_environment => {
218 tracing::debug!("Loading secrets from environment (Fly.io container)");
219 Self::load_from_env()
220 },
221 SecretsSource::Env => {
222 tracing::debug!(
223 "Profile source is 'env' but running locally, trying file first..."
224 );
225 Self::resolve_and_load_file(&secrets_config.secrets_path).or_else(|_| {
226 tracing::debug!("File load failed, falling back to environment");
227 Self::load_from_env()
228 })
229 },
230 SecretsSource::File => {
231 tracing::debug!("Loading secrets from file (profile source: file)");
232 Self::resolve_and_load_file(&secrets_config.secrets_path)
233 .or_else(|e| Self::handle_load_error(e, secrets_config.validation))
234 },
235 }
236 }
237
238 fn handle_load_error(e: anyhow::Error, mode: SecretsValidationMode) -> Result<Secrets> {
239 log_secrets_issue(&e, mode);
240 Err(e)
241 }
242
243 pub fn get() -> Result<&'static Secrets, SecretsBootstrapError> {
244 SECRETS.get().ok_or(SecretsBootstrapError::NotInitialized)
245 }
246
247 pub fn require() -> Result<&'static Secrets, SecretsBootstrapError> {
248 Self::get()
249 }
250
251 pub fn is_initialized() -> bool {
252 SECRETS.get().is_some()
253 }
254
255 pub fn try_init() -> Result<&'static Secrets> {
256 if SECRETS.get().is_some() {
257 return Self::get().map_err(Into::into);
258 }
259 Self::init()
260 }
261
262 fn resolve_and_load_file(path_str: &str) -> Result<Secrets> {
263 let profile_path = ProfileBootstrap::get_path()
264 .context("SYSTEMPROMPT_PROFILE not set - cannot resolve secrets path")?;
265
266 let profile_dir = Path::new(profile_path)
267 .parent()
268 .context("Invalid profile path - no parent directory")?;
269
270 let resolved_path = resolve_with_home(profile_dir, path_str);
271 Self::load_from_file(&resolved_path)
272 }
273
274 fn load_from_file(path: &Path) -> Result<Secrets> {
275 if !path.exists() {
276 anyhow::bail!(SecretsBootstrapError::FileNotFound {
277 path: path.display().to_string()
278 });
279 }
280
281 let content = std::fs::read_to_string(path)
282 .with_context(|| format!("Failed to read secrets file: {}", path.display()))?;
283
284 let secrets = Secrets::parse(&content).map_err(|e| {
285 anyhow::anyhow!(SecretsBootstrapError::InvalidSecretsFile {
286 message: e.to_string(),
287 })
288 })?;
289
290 tracing::debug!("Loaded secrets from {}", path.display());
291
292 Ok(secrets)
293 }
294
295 fn log_loaded_secrets(secrets: &Secrets) {
296 let message = build_loaded_secrets_message(secrets);
297 tracing::debug!("{}", message);
298 }
299}
300
301fn log_secrets_issue(e: &anyhow::Error, mode: SecretsValidationMode) {
302 match mode {
303 SecretsValidationMode::Warn => log_secrets_warn(e),
304 SecretsValidationMode::Skip => log_secrets_skip(e),
305 SecretsValidationMode::Strict => {},
306 }
307}
308
309fn log_secrets_warn(e: &anyhow::Error) {
310 tracing::warn!("Secrets file issue: {}", e);
311}
312
313fn log_secrets_skip(e: &anyhow::Error) {
314 tracing::debug!("Skipping secrets file: {}", e);
315}
316
317fn build_loaded_secrets_message(secrets: &Secrets) -> String {
318 let base = ["jwt_secret", "database_url"];
319 let optional_providers = [
320 secrets.gemini.as_ref().map(|_| "gemini"),
321 secrets.anthropic.as_ref().map(|_| "anthropic"),
322 secrets.openai.as_ref().map(|_| "openai"),
323 secrets.github.as_ref().map(|_| "github"),
324 ];
325
326 let loaded: Vec<&str> = base
327 .into_iter()
328 .chain(optional_providers.into_iter().flatten())
329 .collect();
330
331 if secrets.custom.is_empty() {
332 format!("Loaded secrets: {}", loaded.join(", "))
333 } else {
334 format!(
335 "Loaded secrets: {}, {} custom",
336 loaded.join(", "),
337 secrets.custom.len()
338 )
339 }
340}