Hare/yoi
1
1
Fork 0
Code Actions Packages Releases Activity
f858f48c34
yoi/work-items/closed/20260529-145355-manifest-profile-encrypted-secrets/artifacts/resolution-20260531.md
Hare 681a37905c
close: local secret store
2026-06-01 07:23:54 +09:00

2.2 KiB
Raw Blame History

Implemented and merged local key-value secret store support.

Merged commits:

  • cc2c9a2 secrets: add local key store
  • 7ddf745 secrets: polish key manager and docs
  • 629159a merge: local secret store

Review:

  • Review approved in c9e48b3 review: approve local secret store.
  • Focused follow-up review approved the docs example and key-manager terminal cleanup polish.

Summary:

  • Added a provider-independent local id -> value secret store under the user data directory.
  • Added id validation, atomic persistence, and lightweight at-rest obfuscation consistent with the ticket's modest security target.
  • Added insomnia keys interactive TUI management for listing ids, setting values with masked display, deleting with confirmation, and quitting without displaying plaintext values.
  • Wired provider secret_ref auth through the store.
  • Added WebSearch api_key_secret and removed normal WebSearch/provider credential env configuration.
  • Updated bundled resources and docs to point users to insomnia keys plus explicit secret refs.
  • Left Codex OAuth behavior unchanged.

Validation after merge:

  • cargo fmt --check — passed
  • cargo test -p secrets — passed
  • cargo test -p manifest secret --lib — passed
  • cargo test -p provider secret --lib — passed
  • cargo test -p tools web::tests::search_requires_configuration --lib — passed
  • cargo test -p tools web::tests::searches_brave_with_secret_ref --lib — passed
  • cargo test -p tools web::tests::searches_brave_with_bounded_output --lib — passed
  • cargo test -p tui keys::tests --lib — passed
  • cargo test -p insomnia parse_keys_subcommand --bin insomnia — passed
  • cargo check -p manifest -p provider -p tools -p tui -p insomnia — passed
  • ./tickets.sh doctor — passed
  • git diff --check — passed

Credential/env grep:

  • api_key_env, BRAVE_SEARCH_API_KEY, INSOMNIA_API_KEY, and default_env_var are absent from crates docs resources after the merge.
  • Remaining sk-/secret-value/test-secret hits are fake test values, docs/comments, or Codex OAuth test fixtures, not new persisted real credentials.

Caveat:

  • The store should continue to be described as local obfuscation / limited at-rest protection, not a high-assurance password manager.