Documentation
¶
Overview ¶
Package credentials adapts cli-common/credstore to cr's command surface.
Index ¶
- Constants
- Variables
- func AllowedKeys() []string
- func BackendEnvVar() string
- func BackendMetadata(flagValue string, flagSet bool, cfg config.File) (credstore.Backend, credstore.Source, error)
- func ExpectedKeysForConfigRef(cfg config.File, ref string) ([]string, error)
- func FormatRef(profile string) (string, error)
- func KeyForPurpose(ref config.CredentialRef) (string, error)
- func LLMAPIKeyForProvider(provider config.LLMProvider) (string, error)
- func MissingRequiredKeys(status CredentialStatus) []string
- func OpenResolvedStore(flagValue string, flagSet bool, cfg config.File, ...) (*credstore.Store, error)
- func OpenStore(flagValue string, flagSet bool, cfg config.File) (*credstore.Store, error)
- func RequiredKeysSatisfied(status CredentialStatus) bool
- func StoreOptions(flagValue string, flagSet bool, cfg config.File) (credstore.Options, error)
- func StoreOptionsForResolvedProfile(flagValue string, flagSet bool, cfg config.File, ...) (credstore.Options, error)
- func TrimSecretIngress(value string) string
- func ValidateAllowedKey(key string) error
- func ValidateAllowedKeyForConfig(cfg config.File, ref, key string) error
- type CredentialStatus
- type KeySpec
- type KeyStatus
- type KeyStatusStore
- type Ref
- type ResolvedSecretsProfile
- type SecretsProfileSelectionSource
Constants ¶
const ( // ServiceName is the credential-ref service segment owned by cr. ServiceName = "codereview" // BackendSourceSecretsProfile records that a named secrets-management // profile selected the active credential backend. BackendSourceSecretsProfile credstore.Source = "secrets_profile" // GitTokenKey stores the Git host access token for PAT auth. GitTokenKey = "git_token" // GitHubAppIDKey stores the GitHub App JWT issuer, usually the app ID. // #nosec G101 -- this is a keyring item name, not a secret value. GitHubAppIDKey = "github_app_id" // GitHubAppPrivateKeyKey stores the GitHub App PEM private key. // #nosec G101 -- this is a keyring item name, not a secret value. GitHubAppPrivateKeyKey = "github_app_private_key" // GitHubAppInstallationIDKey stores an optional explicit GitHub App installation ID. // #nosec G101 -- this is a keyring item name, not a secret value. GitHubAppInstallationIDKey = "github_app_installation_id" // AnthropicAPIKeyKey stores the key name for Anthropic direct API adapters. // #nosec G101 -- this is a keyring item name, not a secret value. AnthropicAPIKeyKey = "anthropic_api_key" // OpenAIAPIKeyKey stores the key name for OpenAI direct API adapters. // #nosec G101 -- this is a keyring item name, not a secret value. OpenAIAPIKeyKey = "openai_api_key" // LegacyLLMAPIKeyKey is the pre-matrix generic key. It is intentionally // not in the v1 allowlist. // #nosec G101 -- this is a keyring item name, not a secret value. LegacyLLMAPIKeyKey = "llm_api_key" )
Variables ¶
var ( // ErrWrongService means a credential ref points at another CLI's keyring namespace. ErrWrongService = errors.New("credentials: credential ref uses wrong service") // ErrInvalidBackendSelection means a CLI/config backend selector was malformed. ErrInvalidBackendSelection = errors.New("credentials: invalid backend selection") )
Functions ¶
func BackendEnvVar ¶
func BackendEnvVar() string
BackendEnvVar returns cr's backend selector environment variable name.
func BackendMetadata ¶
func BackendMetadata(flagValue string, flagSet bool, cfg config.File) (credstore.Backend, credstore.Source, error)
BackendMetadata reports the selected backend/source without opening the store.
func ExpectedKeysForConfigRef ¶ added in v0.1.34
ExpectedKeysForConfigRef returns the sorted union of expected keys for supported declarations of ref across profiles. Unsupported matching declarations fail only when no supported declaration contributes keys. An undeclared ref returns nil.
func KeyForPurpose ¶
func KeyForPurpose(ref config.CredentialRef) (string, error)
KeyForPurpose returns the single required keyring key expected for a config credential ref.
func LLMAPIKeyForProvider ¶ added in v0.1.34
func LLMAPIKeyForProvider(provider config.LLMProvider) (string, error)
LLMAPIKeyForProvider returns the provider-specific key for API-key LLM auth.
func MissingRequiredKeys ¶ added in v0.3.101
func MissingRequiredKeys(status CredentialStatus) []string
MissingRequiredKeys reports required keys that are known-missing.
func OpenResolvedStore ¶ added in v0.3.148
func OpenResolvedStore(flagValue string, flagSet bool, cfg config.File, resolved ResolvedSecretsProfile) (*credstore.Store, error)
OpenResolvedStore opens the resolved service-scoped keyring store.
func RequiredKeysSatisfied ¶ added in v0.3.101
func RequiredKeysSatisfied(status CredentialStatus) bool
RequiredKeysSatisfied reports whether every required key is known-present.
func StoreOptions ¶
StoreOptions validates backend selectors and returns credstore options.
func StoreOptionsForResolvedProfile ¶ added in v0.3.148
func StoreOptionsForResolvedProfile(flagValue string, flagSet bool, cfg config.File, resolved ResolvedSecretsProfile) (credstore.Options, error)
StoreOptionsForResolvedProfile builds credstore options for one resolved secrets-management profile.
func TrimSecretIngress ¶
TrimSecretIngress removes the terminal newline produced by echo/heredocs without treating other whitespace as disposable.
func ValidateAllowedKey ¶
ValidateAllowedKey fails when key is not in cr's write allowlist.
Types ¶
type CredentialStatus ¶ added in v0.3.101
type CredentialStatus struct {
Purpose string
Ref string
Mode string
Provider string
Keys []KeyStatus
}
CredentialStatus reports declared ref context and per-key presence state.
func CredentialRefStatus ¶ added in v0.3.101
func CredentialRefStatus(store KeyStatusStore, ref config.CredentialRef, storeErr error) (CredentialStatus, error)
CredentialRefStatus returns per-key presence state for one declared ref.
func CredentialStatuses ¶ added in v0.3.101
func CredentialStatuses(store KeyStatusStore, refs []config.CredentialRef, storeErr error) ([]CredentialStatus, error)
CredentialStatuses returns per-ref, per-key presence state for declared refs.
type KeySpec ¶ added in v0.1.34
KeySpec describes one key in a declared credential bundle.
func KeySpecsForPurpose ¶ added in v0.1.34
func KeySpecsForPurpose(ref config.CredentialRef) ([]KeySpec, error)
KeySpecsForPurpose returns the exact keyring keys expected for a config credential ref.
type KeyStatus ¶ added in v0.3.101
KeyStatus reports the presence state for one declared keyring key.
type KeyStatusStore ¶ added in v0.3.101
KeyStatusStore is the read-only store surface needed for credential health inspection.
type ResolvedSecretsProfile ¶ added in v0.3.148
type ResolvedSecretsProfile struct {
ID string
Label string
Backend string
Source config.EffectiveSecretsProfileSource
SelectionSource SecretsProfileSelectionSource
}
ResolvedSecretsProfile is the typed runtime store-selection result.
func ResolveSecretsProfileForProfile ¶ added in v0.3.148
func ResolveSecretsProfileForProfile(cfg config.File, profile config.Profile) (ResolvedSecretsProfile, error)
ResolveSecretsProfileForProfile resolves the effective secrets-management profile for one review profile.
func ResolveSecretsProfileForRef ¶ added in v0.3.148
func ResolveSecretsProfileForRef(cfg config.File, ref string, selectedProfile string) (ResolvedSecretsProfile, error)
ResolveSecretsProfileForRef resolves the effective secrets-management profile for a low-level credential ref write/read, optionally narrowed by the global --profile selection.
func (ResolvedSecretsProfile) DisplayName ¶ added in v0.3.148
func (r ResolvedSecretsProfile) DisplayName() string
DisplayName returns the best user-facing label for the resolved store.
func (ResolvedSecretsProfile) Equal ¶ added in v0.3.148
func (r ResolvedSecretsProfile) Equal(other ResolvedSecretsProfile) bool
Equal reports whether two resolved secrets-profile selections point at the same logical credential store.
func (ResolvedSecretsProfile) IsNamed ¶ added in v0.3.148
func (r ResolvedSecretsProfile) IsNamed() bool
IsNamed reports whether the selection came from an explicit named secrets profile.
type SecretsProfileSelectionSource ¶ added in v0.3.148
type SecretsProfileSelectionSource string
SecretsProfileSelectionSource identifies why a secrets-management profile was selected.
const ( // SecretsProfileSelectionExplicit means the active profile selected a named // secrets-management profile directly. SecretsProfileSelectionExplicit SecretsProfileSelectionSource = "profile" // SecretsProfileSelectionDefault means the configured global default // secrets-management profile selected the store. SecretsProfileSelectionDefault SecretsProfileSelectionSource = "default_profile" // SecretsProfileSelectionLegacyDefault means no named secrets-management // profile applied, so legacy backend fallback rules selected the store. SecretsProfileSelectionLegacyDefault SecretsProfileSelectionSource = "legacy_fallback" )