jeevesagent.security.secrets
Concrete Secrets
implementations.
Two ship in the framework, neither requiring extra dependencies:
- EnvSecrets — reads from os.environ. Default for Agent so today’s behaviour is preserved (API keys come from environment variables) without callers having to wire anything.
- DictSecrets — explicit in-memory dict, useful in tests and for callers who load secrets from a config file or a vault-fetch-once-at-startup script.
Production users running on AWS / GCP / Vault should write a
custom Secrets adapter that calls their secret manager
inside resolve() and caches into a local dict for
lookup_sync(). The framework only requires
lookup_sync() to return synchronously (it’s called from
inside Agent / model-adapter constructors); resolve() /
store() can do whatever async work you need.
A simple regex-based redaction is also provided here so callers who don’t wire a vault still get safe-by-default audit log behaviour.
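The custom adapter pattern described above, as an added sketch that is not the framework's own code. The method names `resolve()`, `store()` and `lookup_sync()` come from this page; their signatures, the class name `CachedManagerSecrets` and the `fetch` callable standing in for a secret-manager client are assumptions.

```python
from __future__ import annotations

import asyncio
from typing import Awaitable, Callable

# Hypothetical fetcher type: stands in for an AWS / GCP / Vault client call.
Fetcher = Callable[[str], Awaitable[str]]


class CachedManagerSecrets:
    """Adapter sketch: async fetch in resolve(), cache-only lookup_sync()."""

    def __init__(self, fetch: Fetcher) -> None:
        self._fetch = fetch
        self._cache: dict[str, str] = {}

    async def resolve(self, name: str) -> str:
        # Network round trip happens here; the result is cached for sync callers.
        if name not in self._cache:
            self._cache[name] = await self._fetch(name)
        return self._cache[name]

    async def store(self, name: str, value: str) -> None:
        # Local cache only; a real adapter would also write to the manager.
        self._cache[name] = value

    def lookup_sync(self, name: str) -> str | None:
        # Called from constructors: must never block, so read the cache only.
        return self._cache.get(name)

    def __repr__(self) -> str:
        # Keep values out of logs and tracebacks; expose names only.
        return f"CachedManagerSecrets(names={sorted(self._cache)})"


async def _constructed_fetch(name: str) -> str:
    # Constructed stand-in for a secret manager; the value is fake.
    fake_backend = {"OPENAI_API_KEY": "sk-constructed-example"}
    return fake_backend[name]


def demo() -> tuple[str | None, str | None, str]:
    secrets = CachedManagerSecrets(_constructed_fetch)
    before = secrets.lookup_sync("OPENAI_API_KEY")  # nothing resolved yet
    asyncio.run(secrets.resolve("OPENAI_API_KEY"))  # warm the cache at startup
    after = secrets.lookup_sync("OPENAI_API_KEY")
    return before, after, repr(secrets)
```

The `before` value shows why the cache has to be warmed with `resolve()` before anything calls `lookup_sync()`: a synchronous lookup cannot fetch on demand.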
Classes
DictSecrets | In-process Secrets backed by an explicit dict.
EnvSecrets | Reads secrets from os.environ.
Module Contents
- class jeevesagent.security.secrets.DictSecrets(initial: dict[str, str] | None = None)
In-process Secrets backed by an explicit dict.
Useful in tests and for callers that fetch secrets once at startup (from a config file, a one-shot Vault read, etc.) and want to make them available to the framework without leaking them into os.environ.
Mutable: store() updates the in-process map. Not durable across process restarts.
- class jeevesagent.security.secrets.EnvSecrets
Reads secrets from os.environ.
The default Secrets impl wired by Agent when the caller doesn’t pass an explicit one. Behaviour matches the pre-M10 framework: API keys are looked up as the corresponding environment variable name (OPENAI_API_KEY, ANTHROPIC_API_KEY, etc.).