1use anyhow::{Context, Result};
2use serde::{Deserialize, Serialize};
3use std::collections::HashMap;
4use std::path::Path;
5use std::sync::OnceLock;
6
7use crate::profile::{resolve_with_home, SecretsSource, SecretsValidationMode};
8use crate::profile_bootstrap::ProfileBootstrap;
9
10static SECRETS: OnceLock<Secrets> = OnceLock::new();
11
12#[derive(Debug, Clone, Serialize, Deserialize)]
13pub struct Secrets {
14 pub jwt_secret: String,
15
16 pub database_url: String,
17
18 #[serde(default, skip_serializing_if = "Option::is_none")]
19 pub sync_token: Option<String>,
20
21 #[serde(default, skip_serializing_if = "Option::is_none")]
22 pub gemini: Option<String>,
23
24 #[serde(default, skip_serializing_if = "Option::is_none")]
25 pub anthropic: Option<String>,
26
27 #[serde(default, skip_serializing_if = "Option::is_none")]
28 pub openai: Option<String>,
29
30 #[serde(default, skip_serializing_if = "Option::is_none")]
31 pub github: Option<String>,
32
33 #[serde(default, flatten)]
34 pub custom: HashMap<String, String>,
35}
36
37const JWT_SECRET_MIN_LENGTH: usize = 32;
38
39impl Secrets {
40 pub fn parse(content: &str) -> Result<Self> {
41 let secrets: Self =
42 serde_json::from_str(content).context("Failed to parse secrets JSON")?;
43 secrets.validate()?;
44 Ok(secrets)
45 }
46
47 fn validate(&self) -> Result<()> {
48 if self.jwt_secret.len() < JWT_SECRET_MIN_LENGTH {
49 anyhow::bail!(
50 "jwt_secret must be at least {} characters (got {})",
51 JWT_SECRET_MIN_LENGTH,
52 self.jwt_secret.len()
53 );
54 }
55 Ok(())
56 }
57
58 pub const fn has_ai_provider(&self) -> bool {
59 self.gemini.is_some() || self.anthropic.is_some() || self.openai.is_some()
60 }
61
62 pub fn get(&self, key: &str) -> Option<&String> {
63 match key {
64 "jwt_secret" | "JWT_SECRET" => Some(&self.jwt_secret),
65 "database_url" | "DATABASE_URL" => Some(&self.database_url),
66 "sync_token" | "SYNC_TOKEN" => self.sync_token.as_ref(),
67 "gemini" | "GEMINI_API_KEY" => self.gemini.as_ref(),
68 "anthropic" | "ANTHROPIC_API_KEY" => self.anthropic.as_ref(),
69 "openai" | "OPENAI_API_KEY" => self.openai.as_ref(),
70 "github" | "GITHUB_TOKEN" => self.github.as_ref(),
71 other => self.custom.get(other),
72 }
73 }
74
75 pub fn log_configured_providers(&self) {
76 let configured: Vec<&str> = [
77 self.gemini.as_ref().map(|_| "gemini"),
78 self.anthropic.as_ref().map(|_| "anthropic"),
79 self.openai.as_ref().map(|_| "openai"),
80 self.github.as_ref().map(|_| "github"),
81 ]
82 .into_iter()
83 .flatten()
84 .collect();
85
86 tracing::info!(providers = ?configured, "Configured API providers");
87 }
88
89 pub fn custom_env_vars(&self) -> Vec<(String, &str)> {
90 self.custom
91 .iter()
92 .flat_map(|(key, value)| {
93 let upper_key = key.to_uppercase();
94 let value_str = value.as_str();
95 if upper_key == *key {
96 vec![(key.clone(), value_str)]
97 } else {
98 vec![(key.clone(), value_str), (upper_key, value_str)]
99 }
100 })
101 .collect()
102 }
103
104 pub fn custom_env_var_names(&self) -> Vec<String> {
105 self.custom.keys().map(|key| key.to_uppercase()).collect()
106 }
107}
108
109#[derive(Debug, Clone, Copy)]
110pub struct SecretsBootstrap;
111
112#[derive(Debug, thiserror::Error)]
113pub enum SecretsBootstrapError {
114 #[error(
115 "Secrets not initialized. Call SecretsBootstrap::init() after ProfileBootstrap::init()"
116 )]
117 NotInitialized,
118
119 #[error("Secrets already initialized")]
120 AlreadyInitialized,
121
122 #[error("Profile not initialized. Call ProfileBootstrap::init() first")]
123 ProfileNotInitialized,
124
125 #[error("Secrets file not found: {path}")]
126 FileNotFound { path: String },
127
128 #[error("Invalid secrets file: {message}")]
129 InvalidSecretsFile { message: String },
130
131 #[error("No secrets configured. Create a secrets.json file.")]
132 NoSecretsConfigured,
133
134 #[error(
135 "JWT secret is required. Add 'jwt_secret' to your secrets file or set JWT_SECRET \
136 environment variable."
137 )]
138 JwtSecretRequired,
139
140 #[error(
141 "Database URL is required. Add 'database_url' to your secrets.json or set DATABASE_URL \
142 environment variable."
143 )]
144 DatabaseUrlRequired,
145}
146
147impl SecretsBootstrap {
148 pub fn init() -> Result<&'static Secrets> {
149 if SECRETS.get().is_some() {
150 anyhow::bail!(SecretsBootstrapError::AlreadyInitialized);
151 }
152
153 let secrets = Self::load_from_profile_config()?;
154
155 Self::log_loaded_secrets(&secrets);
156
157 SECRETS
158 .set(secrets)
159 .map_err(|_| anyhow::anyhow!(SecretsBootstrapError::AlreadyInitialized))?;
160
161 SECRETS
162 .get()
163 .ok_or_else(|| anyhow::anyhow!(SecretsBootstrapError::NotInitialized))
164 }
165
166 pub fn jwt_secret() -> Result<&'static str, SecretsBootstrapError> {
167 Ok(&Self::get()?.jwt_secret)
168 }
169
170 pub fn database_url() -> Result<&'static str, SecretsBootstrapError> {
171 Ok(&Self::get()?.database_url)
172 }
173
174 fn load_from_env() -> Result<Secrets> {
175 let jwt_secret = std::env::var("JWT_SECRET")
176 .ok()
177 .filter(|s| !s.is_empty())
178 .ok_or(SecretsBootstrapError::JwtSecretRequired)?;
179
180 let database_url = std::env::var("DATABASE_URL")
181 .ok()
182 .filter(|s| !s.is_empty())
183 .ok_or(SecretsBootstrapError::DatabaseUrlRequired)?;
184
185 let custom = std::env::var("SYSTEMPROMPT_CUSTOM_SECRETS")
186 .ok()
187 .filter(|s| !s.is_empty())
188 .map(|keys| {
189 keys.split(',')
190 .filter_map(|key| {
191 let key = key.trim();
192 std::env::var(key)
193 .ok()
194 .filter(|v| !v.is_empty())
195 .map(|v| (key.to_owned(), v))
196 })
197 .collect()
198 })
199 .unwrap_or_default();
200
201 let secrets = Secrets {
202 jwt_secret,
203 database_url,
204 sync_token: std::env::var("SYNC_TOKEN").ok().filter(|s| !s.is_empty()),
205 gemini: std::env::var("GEMINI_API_KEY")
206 .ok()
207 .filter(|s| !s.is_empty()),
208 anthropic: std::env::var("ANTHROPIC_API_KEY")
209 .ok()
210 .filter(|s| !s.is_empty()),
211 openai: std::env::var("OPENAI_API_KEY")
212 .ok()
213 .filter(|s| !s.is_empty()),
214 github: std::env::var("GITHUB_TOKEN").ok().filter(|s| !s.is_empty()),
215 custom,
216 };
217
218 secrets.validate()?;
219 Ok(secrets)
220 }
221
222 fn load_from_profile_config() -> Result<Secrets> {
223 let is_fly_environment = std::env::var("FLY_APP_NAME").is_ok();
224 let is_subprocess = std::env::var("SYSTEMPROMPT_SUBPROCESS").is_ok();
225
226 if is_subprocess || is_fly_environment {
227 if let Ok(jwt_secret) = std::env::var("JWT_SECRET") {
228 if jwt_secret.len() >= JWT_SECRET_MIN_LENGTH {
229 tracing::debug!(
230 "Using JWT_SECRET from environment (subprocess/container mode)"
231 );
232 return Self::load_from_env();
233 }
234 }
235 }
236
237 let profile =
238 ProfileBootstrap::get().map_err(|_| SecretsBootstrapError::ProfileNotInitialized)?;
239
240 let secrets_config = profile
241 .secrets
242 .as_ref()
243 .ok_or(SecretsBootstrapError::NoSecretsConfigured)?;
244
245 let is_fly_environment = std::env::var("FLY_APP_NAME").is_ok();
246
247 match secrets_config.source {
248 SecretsSource::Env if is_fly_environment => {
249 tracing::debug!("Loading secrets from environment (Fly.io container)");
250 Self::load_from_env()
251 },
252 SecretsSource::Env => {
253 tracing::debug!(
254 "Profile source is 'env' but running locally, trying file first..."
255 );
256 Self::resolve_and_load_file(&secrets_config.secrets_path).or_else(|_| {
257 tracing::debug!("File load failed, falling back to environment");
258 Self::load_from_env()
259 })
260 },
261 SecretsSource::File => {
262 tracing::debug!("Loading secrets from file (profile source: file)");
263 Self::resolve_and_load_file(&secrets_config.secrets_path)
264 .or_else(|e| Self::handle_load_error(e, secrets_config.validation))
265 },
266 }
267 }
268
269 fn handle_load_error(e: anyhow::Error, mode: SecretsValidationMode) -> Result<Secrets> {
270 log_secrets_issue(&e, mode);
271 Err(e)
272 }
273
274 pub fn get() -> Result<&'static Secrets, SecretsBootstrapError> {
275 SECRETS.get().ok_or(SecretsBootstrapError::NotInitialized)
276 }
277
278 pub fn require() -> Result<&'static Secrets, SecretsBootstrapError> {
279 Self::get()
280 }
281
282 pub fn is_initialized() -> bool {
283 SECRETS.get().is_some()
284 }
285
286 pub fn try_init() -> Result<&'static Secrets> {
287 if SECRETS.get().is_some() {
288 return Self::get().map_err(Into::into);
289 }
290 Self::init()
291 }
292
293 fn resolve_and_load_file(path_str: &str) -> Result<Secrets> {
294 let profile_path = ProfileBootstrap::get_path()
295 .context("SYSTEMPROMPT_PROFILE not set - cannot resolve secrets path")?;
296
297 let profile_dir = Path::new(profile_path)
298 .parent()
299 .context("Invalid profile path - no parent directory")?;
300
301 let resolved_path = resolve_with_home(profile_dir, path_str);
302 Self::load_from_file(&resolved_path)
303 }
304
305 fn load_from_file(path: &Path) -> Result<Secrets> {
306 if !path.exists() {
307 anyhow::bail!(SecretsBootstrapError::FileNotFound {
308 path: path.display().to_string()
309 });
310 }
311
312 let content = std::fs::read_to_string(path)
313 .with_context(|| format!("Failed to read secrets file: {}", path.display()))?;
314
315 let secrets = Secrets::parse(&content).map_err(|e| {
316 anyhow::anyhow!(SecretsBootstrapError::InvalidSecretsFile {
317 message: e.to_string(),
318 })
319 })?;
320
321 tracing::debug!("Loaded secrets from {}", path.display());
322
323 Ok(secrets)
324 }
325
326 fn log_loaded_secrets(secrets: &Secrets) {
327 let message = build_loaded_secrets_message(secrets);
328 tracing::debug!("{}", message);
329 }
330}
331
332fn log_secrets_issue(e: &anyhow::Error, mode: SecretsValidationMode) {
333 match mode {
334 SecretsValidationMode::Warn => log_secrets_warn(e),
335 SecretsValidationMode::Skip => log_secrets_skip(e),
336 SecretsValidationMode::Strict => {},
337 }
338}
339
340fn log_secrets_warn(e: &anyhow::Error) {
341 tracing::warn!("Secrets file issue: {}", e);
342}
343
344fn log_secrets_skip(e: &anyhow::Error) {
345 tracing::debug!("Skipping secrets file: {}", e);
346}
347
348fn build_loaded_secrets_message(secrets: &Secrets) -> String {
349 let base = ["jwt_secret", "database_url"];
350 let optional_providers = [
351 secrets.gemini.as_ref().map(|_| "gemini"),
352 secrets.anthropic.as_ref().map(|_| "anthropic"),
353 secrets.openai.as_ref().map(|_| "openai"),
354 secrets.github.as_ref().map(|_| "github"),
355 ];
356
357 let loaded: Vec<&str> = base
358 .into_iter()
359 .chain(optional_providers.into_iter().flatten())
360 .collect();
361
362 if secrets.custom.is_empty() {
363 format!("Loaded secrets: {}", loaded.join(", "))
364 } else {
365 format!(
366 "Loaded secrets: {}, {} custom",
367 loaded.join(", "),
368 secrets.custom.len()
369 )
370 }
371}