gemstone_utils.experimental.secrets_resolver
Experimental. API and behavior may change; see Experimental secrets resolver for usage guidance.
Experimental secret reference resolver for configuration bootstrap.
- exception gemstone_utils.experimental.secrets_resolver.BackendNotImplemented(prefix, message, *, reason)
Bases: RuntimeError
Reference uses a removed or unregistered backend prefix.
- exception gemstone_utils.experimental.secrets_resolver.FilePathNotAllowed(path, allowed_prefixes)
Bases: ValueError
A file: path is outside the configured allowlist.
- gemstone_utils.experimental.secrets_resolver.allowed_file_path_prefixes()
Return resolved absolute prefix strings for the file: allowlist.
- gemstone_utils.experimental.secrets_resolver.is_backend_registered(prefix)
Return whether a backend prefix is registered.
- gemstone_utils.experimental.secrets_resolver.list_backends()
Return sorted registered backend prefix names.
- gemstone_utils.experimental.secrets_resolver.register_backend(prefix, resolver, *, replace=False)
Register a pluggable backend for a reference prefix.
Built-in backends env, file, secret, and literal are pre-registered. Use literal: for opaque values containing colons.
- Parameters:
- Raises:
ValueError – If prefix is empty or already registered (and not replace).
- Return type:
None
- gemstone_utils.experimental.secrets_resolver.resolve_secret(value)
Resolve a secret reference string to its plaintext value.
Supported forms:
  - env:VAR — environment variable (cached, then scrubbed)
  - file:/absolute/path — UTF-8 file under allowlist
  - secret:name — container secret mount
  - literal:opaque — substring after first colon unchanged
  - Registered backends via register_backend()
  - Encrypted-field wire strings (requires set_keyctx_resolver())
  - Plain strings without : returned unchanged
- Parameters:
value (str) – Reference string or plaintext.
- Returns:
Resolved secret string.
- Raises:
BackendNotImplemented – Unknown or removed prefix.
FilePathNotAllowed – file: path outside allowlist.
KeyError, FileNotFoundError, ValueError – Backend-specific failures.
- Return type:
- gemstone_utils.experimental.secrets_resolver.set_allowed_file_path_prefixes(prefixes)
Replace the file: path allowlist entirely.
Until called, only paths under /app/secret are allowed. Prefixes must be absolute; ~ is rejected. Bare /etc or filesystem root logs a warning but is not blocked.
- gemstone_utils.experimental.secrets_resolver.set_keyctx_resolver(func)
Register resolver for encrypted wire values in secret strings.
Required before resolving values that match is_encrypted_prefix. Separate from EncryptedString.set_keyctx_resolver.
- Parameters:
func (Callable[[str], KeyContext]) – Callable (keyid: str) -> KeyContext.
- Return type:
None
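
The file: allowlist documented above for set_allowed_file_path_prefixes() and FilePathNotAllowed, sketched as an added example; it is not gemstone_utils code and does not show how the library implements its check. PathNotAllowed, normalize_prefixes, check_file_ref and demo are hypothetical names, and resolving the target (following symlinks) before a component-wise comparison is an assumption about what a prefix allowlist needs in order to hold against `..` segments, sibling directory names and symlinks.

```python
import os
import tempfile
from pathlib import Path


class PathNotAllowed(ValueError):
    """Hypothetical stand-in for the documented FilePathNotAllowed."""


def normalize_prefixes(prefixes):
    """Accept only absolute prefixes (no '~') and resolve each one once."""
    for p in prefixes:
        if p.startswith("~") or not os.path.isabs(p):
            raise ValueError(f"prefix must be absolute: {p!r}")
    return [Path(p).resolve() for p in prefixes]


def check_file_ref(ref, prefixes):
    """Illustrative check (assumed logic): resolved path of a file: ref."""
    scheme, _, raw = ref.partition(":")
    if scheme != "file" or not os.path.isabs(raw):
        raise ValueError(f"not an absolute file: reference: {ref!r}")
    # resolve() collapses '..' and follows symlinks before the comparison.
    target = Path(raw).resolve()
    for prefix in prefixes:
        # Match whole components: /app/secret must not admit /app/secret-old.
        if target == prefix or prefix in target.parents:
            return target
    raise PathNotAllowed(f"{target} is outside the allowlist")


def demo():
    """Check constructed references against a constructed directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        (root / "secret").mkdir()
        (root / "secret" / "db_password").write_text("constructed-value")
        (root / "secret-old").write_text("constructed-value")
        os.symlink(root / "secret-old", root / "secret" / "link")
        allowed = normalize_prefixes([str(root / "secret")])
        cases = {"inside": "secret/db_password", "sibling": "secret-old",
                 "traversal": "secret/../secret-old", "symlink": "secret/link"}
        verdicts = {}
        for name, rel in cases.items():
            try:
                check_file_ref(f"file:{root}/{rel}", allowed)
                verdicts[name] = "allowed"
            except PathNotAllowed:
                verdicts[name] = "blocked"
        return verdicts
```

A plain string startswith() test on the unresolved path would have admitted the sibling, traversal and symlink cases that demo() reports as blocked.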