systemprompt_models/

secrets.rs

//! Secrets document model.
//!
//! [`Secrets`] is the deserialized on-disk secrets file: JWT signing
//! secret, database URLs, and provider credentials. [`JWT_SECRET_MIN_LENGTH`]
//! is the enforced minimum for the signing secret.
//! Validation returns [`crate::errors::SecretsError`].

use serde::{Deserialize, Serialize};
use std::collections::HashMap;

use crate::errors::SecretsError;

pub const JWT_SECRET_MIN_LENGTH: usize = 32;

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Secrets {
    pub jwt_secret: String,

    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub manifest_signing_secret_seed: Option<String>,

    pub database_url: String,

    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub database_write_url: Option<String>,

    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub external_database_url: Option<String>,

    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub internal_database_url: Option<String>,

    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub sync_token: Option<String>,

    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub gemini: Option<String>,

    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub anthropic: Option<String>,

    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub openai: Option<String>,

    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub github: Option<String>,

    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub moonshot: Option<String>,

    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub qwen: Option<String>,

    #[serde(default, flatten)]
    pub custom: HashMap<String, String>,
}

impl Secrets {
    pub fn parse(content: &str) -> Result<Self, SecretsError> {
        let mut value: serde_json::Value =
            serde_json::from_str(content).map_err(|source| SecretsError::Parse {
                context: "Failed to parse secrets JSON",
                source,
            })?;
        if let Some(obj) = value.as_object_mut() {
            obj.retain(|_, v| !v.is_null());
        }
        let secrets: Self =
            serde_json::from_value(value).map_err(|source| SecretsError::Parse {
                context: "Failed to deserialize secrets after null stripping",
                source,
            })?;
        secrets.validate()?;
        Ok(secrets)
    }

    pub fn validate(&self) -> Result<(), SecretsError> {
        if self.jwt_secret.len() < JWT_SECRET_MIN_LENGTH {
            return Err(SecretsError::Invalid(format!(
                "jwt_secret must be at least {} characters (got {})",
                JWT_SECRET_MIN_LENGTH,
                self.jwt_secret.len()
            )));
        }
        Ok(())
    }

    pub fn effective_database_url(&self, external_db_access: bool) -> &str {
        if external_db_access {
            if let Some(url) = &self.external_database_url {
                return url;
            }
        }
        &self.database_url
    }

    pub const fn has_ai_provider(&self) -> bool {
        self.gemini.is_some()
            || self.anthropic.is_some()
            || self.openai.is_some()
            || self.moonshot.is_some()
            || self.qwen.is_some()
    }

    pub fn get(&self, key: &str) -> Option<&String> {
        match key {
            "jwt_secret" | "JWT_SECRET" => Some(&self.jwt_secret),
            "database_url" | "DATABASE_URL" => Some(&self.database_url),
            "database_write_url" | "DATABASE_WRITE_URL" => self.database_write_url.as_ref(),
            "external_database_url" | "EXTERNAL_DATABASE_URL" => {
                self.external_database_url.as_ref()
            },
            "internal_database_url" | "INTERNAL_DATABASE_URL" => {
                self.internal_database_url.as_ref()
            },
            "sync_token" | "SYNC_TOKEN" => self.sync_token.as_ref(),
            "gemini" | "GEMINI_API_KEY" => self.gemini.as_ref(),
            "anthropic" | "ANTHROPIC_API_KEY" => self.anthropic.as_ref(),
            "openai" | "OPENAI_API_KEY" => self.openai.as_ref(),
            "github" | "GITHUB_TOKEN" => self.github.as_ref(),
            "moonshot" | "MOONSHOT_API_KEY" | "kimi" | "KIMI_API_KEY" => self.moonshot.as_ref(),
            "qwen" | "QWEN_API_KEY" | "dashscope" | "DASHSCOPE_API_KEY" => self.qwen.as_ref(),
            other => self.custom.get(other).or_else(|| {
                let alternate = if other.chars().any(char::is_uppercase) {
                    other.to_lowercase()
                } else {
                    other.to_uppercase()
                };
                self.custom.get(&alternate)
            }),
        }
    }

    pub fn log_configured_providers(&self) {
        let configured: Vec<&str> = [
            self.gemini.as_ref().map(|_| "gemini"),
            self.anthropic.as_ref().map(|_| "anthropic"),
            self.openai.as_ref().map(|_| "openai"),
            self.github.as_ref().map(|_| "github"),
            self.moonshot.as_ref().map(|_| "moonshot"),
            self.qwen.as_ref().map(|_| "qwen"),
        ]
        .into_iter()
        .flatten()
        .collect();

        tracing::info!(providers = ?configured, "Configured API providers");
    }

    pub fn custom_env_vars(&self) -> Vec<(String, &str)> {
        self.custom
            .iter()
            .flat_map(|(key, value)| {
                let upper_key = key.to_uppercase();
                let value_str = value.as_str();
                if upper_key == *key {
                    vec![(key.clone(), value_str)]
                } else {
                    vec![(key.clone(), value_str), (upper_key, value_str)]
                }
            })
            .collect()
    }

    pub fn custom_env_var_names(&self) -> Vec<String> {
        self.custom.keys().map(|key| key.to_uppercase()).collect()
    }
}