Goal
Implement a simple, per-component secrets mechanism that:
- persists across runs,
- requires no server restart,
- is easy to edit and audit via CLI,
- mirrors conventions from aws/az/kubectl,
- avoids over-engineering secure storage in v0.
Storage & Permissions
- Dir
  - Linux/macOS: ~/.config/wassette/secrets/
  - Windows: %APPDATA%\wassette\secrets\
- Mode: create with 0700 (Windows: user-only ACL). On startup & every CLI op: verify; warn and optionally --fix.
- Files: one file per component: <component-id>.yaml
  <component-id> is a sanitized, stable identifier.
  - Sanitize: map [^A-Za-z0-9._-] → _; collapse repeats; trim to 128 bytes.
- Format: flat String -> String map (YAML). No nesting, no templating, no env expansion.
Example
# ~/.config/wassette/secrets/get-weather.yaml
WEATHER_API_KEY: "abc123"
REGION: "us-west-2"
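The sanitization rule from "Files" above, as an added Rust example (not Wassette's own code). The names sanitize_component_id and secrets_file_path are hypothetical; reading "collapse repeats" as collapsing runs of `_` and rejecting an empty id are assumptions.

```rust
use std::path::{Path, PathBuf};

/// Length limit for a sanitized component id, in bytes (from the spec above).
const MAX_ID_BYTES: usize = 128;

/// Map every char outside [A-Za-z0-9._-] to '_', collapse runs of '_'
/// (assumed meaning of "collapse repeats"), then trim to 128 bytes.
/// The output is pure ASCII, so the byte trim never splits a character.
fn sanitize_component_id(raw: &str) -> String {
    let mut out = String::new();
    for ch in raw.chars() {
        let keep = ch.is_ascii_alphanumeric() || matches!(ch, '.' | '_' | '-');
        let mapped = if keep { ch } else { '_' };
        if mapped == '_' && out.ends_with('_') {
            continue; // collapse: never emit two '_' in a row
        }
        if out.len() == MAX_ID_BYTES {
            break; // trim
        }
        out.push(mapped);
    }
    out
}

/// Hypothetical helper: build <secrets_dir>/<component-id>.yaml.
/// Rejecting an empty id is an assumption; the spec does not cover it.
fn secrets_file_path(secrets_dir: &Path, raw_id: &str) -> Option<PathBuf> {
    let id = sanitize_component_id(raw_id);
    if id.is_empty() {
        return None;
    }
    // '/' and '\\' were mapped to '_', so the name is a single path component
    // and the result always sits directly inside secrets_dir.
    Some(secrets_dir.join(format!("{}.yaml", id)))
}

fn main() {
    // Constructed sample ids, not taken from a real deployment.
    let dir = Path::new("/home/user/.config/wassette/secrets");
    for raw in ["get-weather", "oci://ghcr.io/acme/get weather:1.0", "../../etc/passwd"] {
        println!("{:?} -> {:?}", raw, secrets_file_path(dir, raw));
    }
}
```

Distinct ids can sanitize to the same name (for example `a/b` and `a_b` both become `a_b`), in which case the two components would read the same secrets file.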
Loading & Injection
- When: lazily at component invocation.
- Cache: per-component entry { env: HashMap<String,String>, last_mtime }.
- Reload: check mtime at each invocation; if changed, reload.
- Inject: as environment variables for the component process.
- Precedence
  - Explicit env passed by user/configured permission values (if any)
  - Secrets file
  - Inherited process env
  - Do not override critical system vars (PATH, HOME, etc.). Warn on attempted override.
CLI
wassette secret list <component-id> [--show-values]
wassette secret set <component-id> KEY=VALUE [KEY=VALUE ...]
wassette secret delete <component-id> KEY [KEY ...]
- list shows keys only by default; --show-values prompts y/N unless --yes.
- set merges keys; creates file/dir if missing (with correct perms).
- All commands bootstrap the secrets dir with correct perms if absent.
Configuration
- --secrets-dir <path> (CLI) and secrets.dir in config.yaml.
Internal Design
- Path resolver: dirs/directories crate or small cross-platform helper.
- YAML: serde_yaml with strict HashMap<String,String>.
- Atomic writes: write *.tmp, fsync, rename.
- Concurrency: per-component mutex protecting cache entry; read-mostly.
- Watch: none in v0 (mtime only). (FS watch can be a follow-up.)
Future
v1: see #177