Class: Aidp::Security::SecretsRegistry

Inherits:

Object

• Object
• Aidp::Security::SecretsRegistry

Defined in:

lib/aidp/security/secrets_registry.rb

Overview

Registry for user-declared secrets that should be proxied Secrets are registered by name, with the actual value stored securely and never exposed directly to agents.

Storage: .aidp/security/secrets_registry.json Format: { “SECRET_NAME”: { “env_var”: “ACTUAL_ENV_VAR”, “registered_at”: timestamp } }

The registry only stores metadata - actual secret values come from environment variables at runtime. This ensures secrets are never persisted to disk.

Constant Summary

REGISTRY_FILENAME =

"secrets_registry.json"

Instance Attribute Summary

• #project_dir ⇒ Object readonly

  Returns the value of attribute project_dir.

Instance Method Summary

• #clear_cache! ⇒ Object

  Clear the in-memory cache (forces reload on next access).

• #env_var_for(name) ⇒ String^?

  Get the environment variable name for a secret.

• #env_var_registered?(env_var) ⇒ Boolean

  Check if an environment variable is registered as a secret.

• #env_vars_to_strip ⇒ Array<String>

  Get list of environment variables that should be stripped from agent environment.

• #get(name) ⇒ Hash^?

  Get registration details for a secret (without the actual value).

• #initialize(project_dir: Dir.pwd) ⇒ SecretsRegistry constructor

  A new instance of SecretsRegistry.

• #list ⇒ Array<Hash>

  List all registered secrets (names and metadata only, never values).

• #name_for_env_var(env_var) ⇒ String^?

  Get the secret name for an environment variable.

• #register(name:, env_var:, description: nil, scopes: []) ⇒ Hash

  Register a secret by name.

• #registered?(name) ⇒ Boolean

  Check if a secret is registered.

• #unregister(name:) ⇒ Boolean

  Unregister a secret.

Constructor Details

#initialize(project_dir: Dir.pwd) ⇒ SecretsRegistry

Returns a new instance of SecretsRegistry.

# File 'lib/aidp/security/secrets_registry.rb', line 24

def initialize(project_dir: Dir.pwd)
  @project_dir = project_dir
  @cache = nil
  @cache_mtime = nil
  @mutex = Mutex.new
end

Instance Attribute Details

#project_dir ⇒ Object (readonly)

Returns the value of attribute project_dir.

# File 'lib/aidp/security/secrets_registry.rb', line 22

def project_dir
  @project_dir
end

Instance Method Details

#clear_cache! ⇒ Object

Clear the in-memory cache (forces reload on next access)

# File 'lib/aidp/security/secrets_registry.rb', line 169

def clear_cache!
  @mutex.synchronize do
    @cache = nil
    @cache_mtime = nil
  end
end

#env_var_for(name) ⇒ String^?

Get the environment variable name for a secret

Parameters:

• name (String) —

  The secret name

Returns:

• (String, nil) —

  The env var name or nil if not registered

# File 'lib/aidp/security/secrets_registry.rb', line 116

def env_var_for(name)
  entry = get(name)
  entry&.dig(:env_var) || entry&.dig("env_var")
end

#env_var_registered?(env_var) ⇒ Boolean

Check if an environment variable is registered as a secret

Parameters:

• env_var (String) —

  The environment variable name

Returns:

• (Boolean)

# File 'lib/aidp/security/secrets_registry.rb', line 151

def env_var_registered?(env_var)
  @mutex.synchronize do
    registry = load_registry
    registry.values.any? { |entry| (entry[:env_var] || entry["env_var"]) == env_var }
  end
end

#env_vars_to_strip ⇒ Array<String>

Get list of environment variables that should be stripped from agent environment

Returns:

• (Array<String>) —

  List of env var names to remove

# File 'lib/aidp/security/secrets_registry.rb', line 141

def env_vars_to_strip
  @mutex.synchronize do
    registry = load_registry
    registry.values.map { |entry| entry[:env_var] || entry["env_var"] }.compact.uniq
  end
end

#get(name) ⇒ Hash^?

Get registration details for a secret (without the actual value)

Parameters:

• name (String) —

  The secret name

Returns:

• (Hash, nil) —

  Registration details or nil if not found

# File 'lib/aidp/security/secrets_registry.rb', line 103

def get(name)
  @mutex.synchronize do
    registry = load_registry
    entry = registry[name.to_sym] || registry[name.to_s]
    return nil unless entry

    entry.merge(name: name)
  end
end

#list ⇒ Array<Hash>

List all registered secrets (names and metadata only, never values)

Returns:

• (Array<Hash>) —

  List of registered secrets with metadata

# File 'lib/aidp/security/secrets_registry.rb', line 123

def list
  @mutex.synchronize do
    registry = load_registry
    registry.map do |name, details|
      {
        name: name,
        env_var: details[:env_var] || details["env_var"],
        description: details[:description] || details["description"],
        scopes: details[:scopes] || details["scopes"] || [],
        registered_at: details[:registered_at] || details["registered_at"],
        has_value: ENV.key?(details[:env_var] || details["env_var"])
      }
    end
  end
end

#name_for_env_var(env_var) ⇒ String^?

Get the secret name for an environment variable

Parameters:

• env_var (String) —

  The environment variable name

Returns:

• (String, nil) —

  The secret name or nil if not found

# File 'lib/aidp/security/secrets_registry.rb', line 161

def name_for_env_var(env_var)
  @mutex.synchronize do
    registry = load_registry
    registry.find { |_name, entry| (entry[:env_var] || entry["env_var"]) == env_var }&.first
  end
end

#register(name:, env_var:, description: nil, scopes: []) ⇒ Hash

Register a secret by name

Parameters:

• name (String) —

  The name to reference this secret by

• env_var (String) —

  The environment variable containing the secret

• description (String) (defaults to: nil) —

  Optional description of what this secret is for

• scopes (Array<String>) (defaults to: []) —

  Optional list of allowed operations for this secret

Returns:

• (Hash) —

  Registration details

# File 'lib/aidp/security/secrets_registry.rb', line 37

def register(name:, env_var:, description: nil, scopes: [])
  @mutex.synchronize do
    registry = load_registry

    # Validate the environment variable exists (but don't store the value)
    unless ENV.key?(env_var)
      Aidp.log_warn("security.registry", "env_var_not_found",
        name: name,
        env_var: env_var)
    end

    registration = {
      env_var: env_var,
      description: description,
      scopes: scopes,
      registered_at: Time.now.iso8601,
      id: SecureRandom.hex(8)
    }

    registry[name] = registration
    save_registry(registry)

    Aidp.log_info("security.registry", "secret_registered",
      name: name,
      env_var: env_var,
      scopes: scopes)

    registration.merge(name: name)
  end
end

#registered?(name) ⇒ Boolean

Check if a secret is registered

Parameters:

• name (String) —

  The secret name

Returns:

• (Boolean)

# File 'lib/aidp/security/secrets_registry.rb', line 93

def registered?(name)
  @mutex.synchronize do
    registry = load_registry
    registry.key?(name.to_sym) || registry.key?(name.to_s)
  end
end

#unregister(name:) ⇒ Boolean

Unregister a secret

Parameters:

• name (String) —

  The secret name to remove

Returns:

• (Boolean) —

  true if removed, false if not found

# File 'lib/aidp/security/secrets_registry.rb', line 71

def unregister(name:)
  @mutex.synchronize do
    registry = load_registry

    key = registry.key?(name.to_sym) ? name.to_sym : name.to_s
    unless registry.key?(key)
      Aidp.log_warn("security.registry", "secret_not_found_for_unregister",
        name: name)
      return false
    end

    registry.delete(key)
    save_registry(registry)

    Aidp.log_info("security.registry", "secret_unregistered", name: name)
    true
  end
end