systemprompt_models/
secrets_bootstrap.rs1use anyhow::{Context, Result};
2use std::collections::HashMap;
3use std::path::Path;
4
5use crate::paths::constants::env_vars;
6use crate::profile::{SecretsSource, SecretsValidationMode, resolve_with_home};
7use crate::profile_bootstrap::ProfileBootstrap;
8use crate::secrets::{JWT_SECRET_MIN_LENGTH, SECRETS, Secrets};
9
10#[derive(Debug, Clone, Copy)]
11pub struct SecretsBootstrap;
12
13#[derive(Debug, thiserror::Error)]
14pub enum SecretsBootstrapError {
15 #[error(
16 "Secrets not initialized. Call SecretsBootstrap::init() after ProfileBootstrap::init()"
17 )]
18 NotInitialized,
19
20 #[error("Secrets already initialized")]
21 AlreadyInitialized,
22
23 #[error("Profile not initialized. Call ProfileBootstrap::init() first")]
24 ProfileNotInitialized,
25
26 #[error("Secrets file not found: {path}")]
27 FileNotFound { path: String },
28
29 #[error("Invalid secrets file: {message}")]
30 InvalidSecretsFile { message: String },
31
32 #[error("No secrets configured. Create a secrets.json file.")]
33 NoSecretsConfigured,
34
35 #[error(
36 "JWT secret is required. Add 'jwt_secret' to your secrets file or set JWT_SECRET \
37 environment variable."
38 )]
39 JwtSecretRequired,
40
41 #[error(
42 "Database URL is required. Add 'database_url' to your secrets.json or set DATABASE_URL \
43 environment variable."
44 )]
45 DatabaseUrlRequired,
46}
47
48impl SecretsBootstrap {
49 pub fn init() -> Result<&'static Secrets> {
50 if SECRETS.get().is_some() {
51 anyhow::bail!(SecretsBootstrapError::AlreadyInitialized);
52 }
53
54 let secrets = Self::load_from_profile_config()?;
55
56 Self::log_loaded_secrets(&secrets);
57
58 SECRETS
59 .set(secrets)
60 .map_err(|_| anyhow::anyhow!(SecretsBootstrapError::AlreadyInitialized))?;
61
62 SECRETS
63 .get()
64 .ok_or_else(|| anyhow::anyhow!(SecretsBootstrapError::NotInitialized))
65 }
66
67 pub fn jwt_secret() -> Result<&'static str, SecretsBootstrapError> {
68 Ok(&Self::get()?.jwt_secret)
69 }
70
71 pub fn database_url() -> Result<&'static str, SecretsBootstrapError> {
72 Ok(&Self::get()?.database_url)
73 }
74
75 pub fn database_write_url() -> Result<Option<&'static str>, SecretsBootstrapError> {
76 Ok(Self::get()?.database_write_url.as_deref())
77 }
78
79 fn load_from_env() -> Result<Secrets> {
80 let jwt_secret = std::env::var("JWT_SECRET")
81 .ok()
82 .filter(|s| !s.is_empty())
83 .ok_or(SecretsBootstrapError::JwtSecretRequired)?;
84
85 let database_url = std::env::var("DATABASE_URL")
86 .ok()
87 .filter(|s| !s.is_empty())
88 .ok_or(SecretsBootstrapError::DatabaseUrlRequired)?;
89
90 let custom = std::env::var(env_vars::CUSTOM_SECRETS)
91 .ok()
92 .filter(|s| !s.is_empty())
93 .map_or_else(HashMap::new, |keys| {
94 keys.split(',')
95 .filter_map(|key| {
96 let key = key.trim();
97 std::env::var(key)
98 .ok()
99 .filter(|v| !v.is_empty())
100 .map(|v| (key.to_owned(), v))
101 })
102 .collect()
103 });
104
105 let secrets = Secrets {
106 jwt_secret,
107 database_url,
108 database_write_url: std::env::var("DATABASE_WRITE_URL")
109 .ok()
110 .filter(|s| !s.is_empty()),
111 external_database_url: std::env::var("EXTERNAL_DATABASE_URL")
112 .ok()
113 .filter(|s| !s.is_empty()),
114 internal_database_url: std::env::var("INTERNAL_DATABASE_URL")
115 .ok()
116 .filter(|s| !s.is_empty()),
117 sync_token: std::env::var("SYNC_TOKEN").ok().filter(|s| !s.is_empty()),
118 gemini: std::env::var("GEMINI_API_KEY")
119 .ok()
120 .filter(|s| !s.is_empty()),
121 anthropic: std::env::var("ANTHROPIC_API_KEY")
122 .ok()
123 .filter(|s| !s.is_empty()),
124 openai: std::env::var("OPENAI_API_KEY")
125 .ok()
126 .filter(|s| !s.is_empty()),
127 github: std::env::var("GITHUB_TOKEN").ok().filter(|s| !s.is_empty()),
128 moonshot: std::env::var("MOONSHOT_API_KEY")
129 .ok()
130 .or_else(|| std::env::var("KIMI_API_KEY").ok())
131 .filter(|s| !s.is_empty()),
132 qwen: std::env::var("QWEN_API_KEY")
133 .ok()
134 .or_else(|| std::env::var("DASHSCOPE_API_KEY").ok())
135 .filter(|s| !s.is_empty()),
136 custom,
137 };
138
139 secrets.validate()?;
140 Ok(secrets)
141 }
142
143 fn load_from_profile_config() -> Result<Secrets> {
144 let is_fly_environment = std::env::var("FLY_APP_NAME").is_ok();
145 let is_subprocess = std::env::var("SYSTEMPROMPT_SUBPROCESS").is_ok();
146
147 if is_subprocess || is_fly_environment {
148 if let Ok(jwt_secret) = std::env::var("JWT_SECRET") {
149 if jwt_secret.len() >= JWT_SECRET_MIN_LENGTH {
150 tracing::debug!(
151 "Using JWT_SECRET from environment (subprocess/container mode)"
152 );
153 return Self::load_from_env();
154 }
155 }
156 }
157
158 let profile =
159 ProfileBootstrap::get().map_err(|_| SecretsBootstrapError::ProfileNotInitialized)?;
160
161 let secrets_config = profile
162 .secrets
163 .as_ref()
164 .ok_or(SecretsBootstrapError::NoSecretsConfigured)?;
165
166 let is_fly_environment = std::env::var("FLY_APP_NAME").is_ok();
167
168 match secrets_config.source {
169 SecretsSource::Env if is_fly_environment => {
170 tracing::debug!("Loading secrets from environment (Fly.io container)");
171 Self::load_from_env()
172 },
173 SecretsSource::Env => {
174 tracing::debug!(
175 "Profile source is 'env' but running locally, trying file first..."
176 );
177 Self::resolve_and_load_file(&secrets_config.secrets_path).or_else(|_| {
178 tracing::debug!("File load failed, falling back to environment");
179 Self::load_from_env()
180 })
181 },
182 SecretsSource::File => {
183 tracing::debug!("Loading secrets from file (profile source: file)");
184 Self::resolve_and_load_file(&secrets_config.secrets_path)
185 .or_else(|e| Self::handle_load_error(e, secrets_config.validation))
186 },
187 }
188 }
189
190 fn handle_load_error(e: anyhow::Error, mode: SecretsValidationMode) -> Result<Secrets> {
191 log_secrets_issue(&e, mode);
192 Err(e)
193 }
194
195 pub fn get() -> Result<&'static Secrets, SecretsBootstrapError> {
196 SECRETS.get().ok_or(SecretsBootstrapError::NotInitialized)
197 }
198
199 pub fn require() -> Result<&'static Secrets, SecretsBootstrapError> {
200 Self::get()
201 }
202
203 pub fn is_initialized() -> bool {
204 SECRETS.get().is_some()
205 }
206
207 pub fn try_init() -> Result<&'static Secrets> {
208 if SECRETS.get().is_some() {
209 return Self::get().map_err(Into::into);
210 }
211 Self::init()
212 }
213
214 fn resolve_and_load_file(path_str: &str) -> Result<Secrets> {
215 let profile_path = ProfileBootstrap::get_path()
216 .context("SYSTEMPROMPT_PROFILE not set - cannot resolve secrets path")?;
217
218 let profile_dir = Path::new(profile_path)
219 .parent()
220 .context("Invalid profile path - no parent directory")?;
221
222 let resolved_path = resolve_with_home(profile_dir, path_str);
223 Self::load_from_file(&resolved_path)
224 }
225
226 fn load_from_file(path: &Path) -> Result<Secrets> {
227 if !path.exists() {
228 anyhow::bail!(SecretsBootstrapError::FileNotFound {
229 path: path.display().to_string()
230 });
231 }
232
233 let content = std::fs::read_to_string(path)
234 .with_context(|| format!("Failed to read secrets file: {}", path.display()))?;
235
236 let secrets = Secrets::parse(&content).map_err(|e| {
237 anyhow::anyhow!(SecretsBootstrapError::InvalidSecretsFile {
238 message: e.to_string(),
239 })
240 })?;
241
242 tracing::debug!("Loaded secrets from {}", path.display());
243
244 Ok(secrets)
245 }
246
247 fn log_loaded_secrets(secrets: &Secrets) {
248 let message = build_loaded_secrets_message(secrets);
249 tracing::debug!("{}", message);
250 }
251}
252
253pub fn log_secrets_issue(e: &anyhow::Error, mode: SecretsValidationMode) {
254 match mode {
255 SecretsValidationMode::Warn => log_secrets_warn(e),
256 SecretsValidationMode::Skip => log_secrets_skip(e),
257 SecretsValidationMode::Strict => {},
258 }
259}
260
261pub fn log_secrets_warn(e: &anyhow::Error) {
262 tracing::warn!("Secrets file issue: {}", e);
263}
264
265pub fn log_secrets_skip(e: &anyhow::Error) {
266 tracing::debug!("Skipping secrets file: {}", e);
267}
268
269pub fn build_loaded_secrets_message(secrets: &Secrets) -> String {
270 let base = ["jwt_secret", "database_url"];
271 let optional_providers = [
272 secrets
273 .database_write_url
274 .as_ref()
275 .map(|_| "database_write_url"),
276 secrets
277 .external_database_url
278 .as_ref()
279 .map(|_| "external_database_url"),
280 secrets
281 .internal_database_url
282 .as_ref()
283 .map(|_| "internal_database_url"),
284 secrets.gemini.as_ref().map(|_| "gemini"),
285 secrets.anthropic.as_ref().map(|_| "anthropic"),
286 secrets.openai.as_ref().map(|_| "openai"),
287 secrets.github.as_ref().map(|_| "github"),
288 ];
289
290 let loaded: Vec<&str> = base
291 .into_iter()
292 .chain(optional_providers.into_iter().flatten())
293 .collect();
294
295 if secrets.custom.is_empty() {
296 format!("Loaded secrets: {}", loaded.join(", "))
297 } else {
298 format!(
299 "Loaded secrets: {}, {} custom",
300 loaded.join(", "),
301 secrets.custom.len()
302 )
303 }
304}