jeevesagent.security.secrets
============================

.. py:module:: jeevesagent.security.secrets

.. autoapi-nested-parse::

   Concrete :class:`~jeevesagent.core.protocols.Secrets`
   implementations.

   Two ship in the framework, neither requiring extra dependencies:

   * :class:`EnvSecrets` — reads from ``os.environ``. Default for
     :class:`~jeevesagent.Agent` so today's behaviour is preserved
     (API keys come from environment variables) without callers
     having to wire anything.
   * :class:`DictSecrets` — explicit in-memory dict, useful in tests
     and for callers who load secrets from a config file or a
     vault-fetch-once-at-startup script.

   Production users running on AWS / GCP / Vault should write a
   custom :class:`Secrets` adapter that calls their secret manager
   inside ``resolve()`` and caches into a local dict for
   ``lookup_sync()``. The framework only requires
   ``lookup_sync()`` to return synchronously (it's called from
   inside Agent / model-adapter constructors); ``resolve()`` /
   ``store()`` can do whatever async work you need.

   A simple regex-based redaction is also provided here so callers
   who don't wire a vault still get safe-by-default audit log
   behaviour.
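
One way to write the custom adapter described above, as an added example that is not jeevesagent's own code: ``resolve()`` fetches once and fills the local cache that ``lookup_sync()`` reads, and ``redact()`` masks cached values. Assumptions: the class name ``CachingSecrets``, the injected ``fetch`` callable, the ``fake_backend`` stand-in and the sample key are constructed for illustration; the class is assumed to satisfy :class:`Secrets` through the four methods listed on this page; and the exact-match ``redact()`` is a substitute for, not a copy of, the framework's regex-based redaction.

```python
from __future__ import annotations

import asyncio


class CachingSecrets:  # hypothetical adapter; method names are from this page
    def __init__(self, fetch) -> None:
        self._fetch = fetch  # assumed: async callable(ref) -> str into your vault
        self._cache: dict[str, str] = {}
        self.fetches = 0  # backend round-trips, kept for inspection

    def lookup_sync(self, ref: str) -> str | None:
        # Runs inside constructors: cache only, never blocks on the network.
        return self._cache.get(ref)

    async def resolve(self, ref: str) -> str:
        if ref not in self._cache:
            self.fetches += 1
            self._cache[ref] = await self._fetch(ref)
        return self._cache[ref]

    async def store(self, ref: str, value: str) -> None:
        # Local cache only; write-back to the backend is out of scope here.
        self._cache[ref] = value

    def redact(self, text: str) -> str:
        # Exact-match masking, longest first so overlapping secrets mask whole.
        for value in sorted(self._cache.values(), key=len, reverse=True):
            if value:
                text = text.replace(value, "[REDACTED]")
        return text


async def fake_backend(ref: str) -> str:
    # Constructed stand-in for an AWS / GCP / Vault client call.
    return {"OPENAI_API_KEY": "sk-constructed-0000"}[ref]


async def demo() -> dict[str, object]:
    secrets = CachingSecrets(fake_backend)
    before = secrets.lookup_sync("OPENAI_API_KEY")  # None: cache not warmed
    await secrets.resolve("OPENAI_API_KEY")  # warm once at startup
    await secrets.resolve("OPENAI_API_KEY")  # served from cache
    line = secrets.redact("auth=Bearer sk-constructed-0000 status=401")
    return {"before": before, "fetches": secrets.fetches, "line": line}


if __name__ == "__main__":
    print(asyncio.run(demo()))
```

Until ``resolve()`` has run for a ref, ``lookup_sync()`` returns ``None``, so warm every ref the agent needs before constructing it.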



Classes
-------

.. autoapisummary::

   jeevesagent.security.secrets.DictSecrets
   jeevesagent.security.secrets.EnvSecrets


Module Contents
---------------

.. py:class:: DictSecrets(initial: dict[str, str] | None = None)

   In-process :class:`Secrets` backed by an explicit dict.

   Useful in tests and for callers that fetch secrets once at
   startup (from a config file, a one-shot Vault read, etc.) and
   want to make them available to the framework without leaking
   them into ``os.environ``.

   Mutable: ``store()`` updates the in-process map. Not durable
   across process restarts.


   .. py:method:: lookup_sync(ref: str) -> str | None


   .. py:method:: redact(text: str) -> str


   .. py:method:: resolve(ref: str) -> str
      :async:



   .. py:method:: store(ref: str, value: str) -> None
      :async:



.. py:class:: EnvSecrets

   Reads secrets from ``os.environ``.

   The default :class:`Secrets` implementation wired by :class:`Agent` when
   the caller doesn't pass an explicit one. Behaviour matches the
   pre-M10 framework: API keys are looked up as the corresponding
   environment variable name (``OPENAI_API_KEY``,
   ``ANTHROPIC_API_KEY``, etc.).


   .. py:method:: lookup_sync(ref: str) -> str | None


   .. py:method:: redact(text: str) -> str


   .. py:method:: resolve(ref: str) -> str
      :async:



   .. py:method:: store(ref: str, value: str) -> None
      :abstractmethod:
      :async:



