devsecrets

package
v0.5.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 3, 2026 License: MIT Imports: 13 Imported by: 0

Documentation

Overview

Package devsecrets seeds local development secrets for projects that don't use a secrets provider (provider = "none"). Several preset services fail startup without app-level config the compose generator deliberately doesn't own — the auth service needs a JWT signing key and an OTP pepper, the gateway needs a verifying keyset — so a freshly scaffolded project won't `docker compose up` cleanly out of the box.

This package fills that gap for local dev only: it writes ready-to-run values into the same per-service files the Doppler flow uses (.secrets/dev_<service>.env, already git-ignored), so the compose env_file wiring picks them up. The auth issuer and the gateway verifier share one generated ES256 keypair (EnsureSigningKey), so tokens minted by auth verify at the gateway with no manual step.

These are throwaway dev values, never committed and never for production — production secrets still come from a real provider.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Contributions

func Contributions(root, presetName string, serviceNames []string) (map[string][]EnvEntry, error)

Contributions returns the dev env entries each of the preset's services needs, keyed by on-disk service name. Returns nil for presets that need none. serviceNames are the services this preset just scaffolded.

func EnsureSigningKey

func EnsureSigningKey(root string) (kid, privateKeyB64, publicKeysetB64 string, err error)

EnsureSigningKey returns the project's shared dev ES256 key material, generating and persisting it under .secrets/dev_jwt.json on first call so the auth issuer and gateway verifier agree. Idempotent.

func GenerateSigningKey

func GenerateSigningKey(kid string) (privateKeyB64, publicKeysetB64 string, err error)

GenerateSigningKey creates a fresh ES256 keypair and returns it in the env-ready base64 forms, performing no I/O: privateKeyB64 is base64(PEM) for an issuer's JWT_PRIVATE_KEY; publicKeysetB64 is base64(JSON {kid: PEM}) for a verifier's JWT_PUBLIC_KEYS. Used both by the local dev-secrets flow and by `maestro secrets keygen`, which emits the values for the user to load into a secrets provider.

func RandomHex

func RandomHex(n int) (string, error)

func Write

func Write(root string, serviceEnv map[string][]EnvEntry) ([]string, error)

Write merges the entries into .secrets/dev_<service>.env for each service, never overwriting a key that already exists (so re-applies and hand-edits are preserved). Creates .secrets/ as needed. Returns the paths of the files it created or appended to, so callers (e.g. refresh) can report what was regenerated; files left untouched are not listed.

Types

type EnvEntry

type EnvEntry struct {
	Key       string
	Value     string
	Comment   string
	Commented bool
}

EnvEntry is one line in a generated dev secrets file. Commented entries are written as a `# KEY=value` placeholder — used for values the user must supply (e.g. the gateway's upstream routing table, which no tool can infer).

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL