feat(secrets): secret management (#1605)

* feat(secrets): initial draft

Signed-off-by: melodicore <[email protected]>

* feat(secrets): use DI

Signed-off-by: melodicore <[email protected]>

* fmt(secrets): use project conventions

Signed-off-by: melodicore <[email protected]>

* feat(secrets): various changes

Signed-off-by: melodicore <[email protected]>

* feat(secrets): next revision

Signed-off-by: melodicore <[email protected]>

* feat(secrets): initial integration with runtime and manifest

Signed-off-by: melodicore <[email protected]>

* feat(secrets): refactoring, reformatting, bug squashing and quality of life features

Signed-off-by: melodicore <[email protected]>

* feat(secrets): apply secret environment variables

Signed-off-by: melodicore <[email protected]>

* feat(secrets): secrets package tests

Signed-off-by: melodicore <[email protected]>

* fmt(secrets): correct detekt and spotless issues

Signed-off-by: melodicore <[email protected]>

* feat(secrets): final additions

Signed-off-by: melodicore <[email protected]>

* fix(secrets): make native build work

Signed-off-by: melodicore <[email protected]>

* fix(secrets): fix crashes when loading secrets and things go wrong

Signed-off-by: melodicore <[email protected]>

* fix(secrets): reset initialized state in tests

Signed-off-by: melodicore <[email protected]>

* docs(secrets): add api comments, fix formatting

Signed-off-by: melodicore <[email protected]>

* feat(secrets): regenerate api pins

Signed-off-by: melodicore <[email protected]>

* feat(secrets): add new api pins

Signed-off-by: melodicore <[email protected]>

* fix(secrets): fix some displayed messages

Signed-off-by: melodicore <[email protected]>

* fix(secrets): fix unused import

Signed-off-by: melodicore <[email protected]>

* feat(secrets): allow changing encryption details and regenerating profile keys

Signed-off-by: melodicore <[email protected]>

* feat(secrets): python module

Signed-off-by: melodicore <[email protected]>

* chore(secrets): spotless

Signed-off-by: melodicore <[email protected]>

* chore(secrets): api dump

Signed-off-by: melodicore <[email protected]>

* fix(secrets): review fixes

Signed-off-by: melodicore <[email protected]>

* fix(secrets): api dump again

Signed-off-by: melodicore <[email protected]>

---------

Signed-off-by: melodicore <[email protected]>

Author: melodicore

gradle/elide.versions.toml

@@ -639,6 +639,10 @@ kotlinx-io-bytestring-jvm = { group = "org.jetbrains.kotlinx", name = "kotlinx-i
 kotlinx-knit = { group = "org.jetbrains.kotlinx", name = "kotlinx-knit", version.ref = "kotlinx-knit" }
 kotlinx-metadata-jvm = { group = "org.jetbrains.kotlinx", name = "kotlinx-metadata-jvm", version.ref = "kotlinx-metadata-jvm" }
 kotlinx-nodejs = { group = "org.jetbrains.kotlinx", name = "kotlinx-nodejs", version.ref = "kotlinx-nodejs" }
+kotlinx-serialization-cbor = { group = "org.jetbrains.kotlinx", name = "kotlinx-serialization-cbor", version.ref = "kotlinx-serialization" }
+kotlinx-serialization-cbor-js = { group = "org.jetbrains.kotlinx", name = "kotlinx-serialization-cbor-js", version.ref = "kotlinx-serialization" }
+kotlinx-serialization-cbor-jvm = { group = "org.jetbrains.kotlinx", name = "kotlinx-serialization-cbor-jvm", version.ref = "kotlinx-serialization" }
+kotlinx-serialization-cbor-wasm = { group = "org.jetbrains.kotlinx", name = "kotlinx-serialization-cbor-wasm", version.ref = "kotlinx-serialization" }
 kotlinx-serialization-core = { group = "org.jetbrains.kotlinx", name = "kotlinx-serialization-core", version.ref = "kotlinx-serialization" }
 kotlinx-serialization-core-js = { group = "org.jetbrains.kotlinx", name = "kotlinx-serialization-core-js", version.ref = "kotlinx-serialization" }
 kotlinx-serialization-core-jvm = { group = "org.jetbrains.kotlinx", name = "kotlinx-serialization-core-jvm", version.ref = "kotlinx-serialization" }
@@ -691,6 +695,10 @@ kotlinx-wrappers-web = { group = "org.jetbrains.kotlin-wrappers", name = "kotlin
 ksp = { group = "com.google.devtools.ksp", name = "symbol-processing", version.ref = "ksp" }
 ksp-api = { group = "com.google.devtools.ksp", name = "symbol-processing-api", version.ref = "ksp" }
 ksp-cmdline = { group = "com.google.devtools.ksp", name = "symbol-processing-cmdline", version.ref = "ksp" }
+ktor-client-core = { group = "io.ktor", name = "ktor-client-core", version.ref = "ktor" }
+ktor-client-cio = { group = "io.ktor", name = "ktor-client-cio", version.ref = "ktor" }
+ktor-client-contentNegotiation = { group = "io.ktor", name = "ktor-client-content-negotiation", version.ref = "ktor" }
+ktor-serialization-kotlinx-json = { group = "io.ktor", name = "ktor-serialization-kotlinx-json", version.ref = "ktor" }
 ktor-server-core = { group = "io.ktor", name = "ktor-server-core", version.ref = "ktor" }
 ktor-server-cio = { group = "io.ktor", name = "ktor-server-cio", version.ref = "ktor" }
 ktor-server-netty = { group = "io.ktor", name = "ktor-server-netty", version.ref = "ktor" }
@@ -1024,3 +1032,9 @@ ktor-server = [
   "ktor-server-hsts",
   "ktor-server-websockets",
 ]
+
+ktor-client = [
+  "ktor-client-core",
+  "ktor-client-contentNegotiation",
+  "ktor-serialization-kotlinx-json",
+]

packages/cli/build.gradle.kts

@@ -604,6 +604,9 @@ dependencies {
   // TODO: patched
   // implementation(libs.graalvm.tools.coverage)
 
+  // Secrets
+  implementation(projects.packages.secrets)
+
   // KotlinX
   implementation(libs.kotlinx.serialization.core)
   implementation(libs.kotlinx.serialization.json)
@@ -1805,6 +1808,7 @@ val linuxOnlyArgs = defaultPlatformArgs.plus(
     "--initialize-at-run-time=io.netty.channel.kqueue.KQueue",
     "--initialize-at-run-time=io.netty.channel.kqueue.KQueueIoHandler",
     "--initialize-at-run-time=io.netty.channel.kqueue.AbstractKQueueChannel",
+    "--initialize-at-run-time=io.netty.internal.tcnative.CertificateCompressionAlgo",
   ).plus(
     listOfNotNull(
       onlyIf(enableStatic, "--libc=musl"),

packages/cli/src/main/kotlin/elide/tool/cli/Elide.kt

@@ -56,6 +56,7 @@ import elide.tool.cli.cmd.pkl.ToolPklCommand
 import elide.tool.cli.cmd.project.ToolProjectCommand
 import elide.tool.cli.cmd.tool.ToolInvokeCommand
 import elide.tool.cli.cmd.repl.ToolShellCommand
+import elide.tool.cli.cmd.secrets.ToolSecretsCommand
 import elide.tool.cli.cmd.tool.jar.JarToolAdapter
 import elide.tool.cli.cmd.tool.javac.JavaCompilerAdapter
 import elide.tool.cli.cmd.tool.javadoc.JavadocToolAdapter
@@ -130,6 +131,7 @@ internal const val ELIDE_HEADER = ("@|bold,fg(magenta)%n" +
     LspCommand::class,
     McpCommand::class,
     Elide.Completions::class,
+    ToolSecretsCommand::class,
   ],
   customSynopsis = [
     "",

packages/cli/src/main/kotlin/elide/tool/cli/cmd/repl/ToolShellCommand.kt

@@ -105,6 +105,7 @@ import elide.runtime.precompiler.Precompiler
 import elide.runtime.runner.JvmRunner
 import elide.runtime.runner.RunnerOutcome
 import elide.runtime.runner.Runners
+import elide.secrets.Secrets
 import elide.tool.cli.*
 import elide.tool.cli.GuestLanguage.*
 import elide.tool.cli.cmd.builder.emitCommand
@@ -2454,6 +2455,7 @@ internal class ToolShellCommand : ProjectAwareSubcommand<ToolState, CommandConte
     appEnvironment.apply(
       project,
       this,
+    beanContext.getBean(Secrets::class.java).getEnv(),
       host = accessControl.allowAll || accessControl.allowEnv,
       dotenv = appEnvironment.dotenv,
     )
@@ -2762,6 +2764,27 @@ internal class ToolShellCommand : ProjectAwareSubcommand<ToolState, CommandConte
 
     val effectiveInitLangs = onByDefaultLangs + projectLangs
 
+    // initialize secrets
+    val secretsResolution = launch {
+      run {
+        projectResolution.join()
+
+        val secrets = beanContext.getBean(Secrets::class.java)
+        try {
+          secrets.init(projectPath, activeProject.value?.manifest)
+        } catch (t: Throwable) {
+          logging.warn { "Secrets were not initialized with message: ${t.message}" }
+        }
+        if(secrets.initialized) {
+          if (secrets.getProfile() == null) {
+            val profiles = secrets.listProfiles()
+            if (profiles.size != 1) logging.warn { "No secret profile will be loaded" }
+            else secrets.loadProfile(profiles.first())
+          }
+        }
+      }
+    }
+
     // if no entrypoint was specified, attempt to use the one in the project manifest, or try resolving the runnable as
     // a script name in either `elide.pkl` or a foreign manifest.
     when (val tgt = runnable) {
@@ -2892,6 +2915,7 @@ internal class ToolShellCommand : ProjectAwareSubcommand<ToolState, CommandConte
     try {
       projectResolution.join()
       lockfileResolution.join()
+      secretsResolution.join()
 
       resolveEngine(effectiveInitLangs).unwrap().use {
         withDeferredContext(effectiveInitLangs) {

packages/cli/src/main/kotlin/elide/tool/cli/cmd/runner/EnvironmentConfig.kt

@@ -45,6 +45,7 @@ import elide.tooling.project.ElideProject
   internal fun apply(
     project: ElideProject?,
     config: PolyglotEngineConfiguration,
+    secretsEnv: Map<String, String>,
     host: Boolean = false,
     dotenv: Boolean = true,
   ) = config.environment {
@@ -59,7 +60,10 @@ import elide.tooling.project.ElideProject
       mapToHostEnv(it.key)
     }
 
-    // apply project-level environment variables first (if applicable)
+    // apply secret environment variables first
+    secretsEnv.forEach { environment(it.key, it.value) }
+
+    // apply project-level environment variables (if applicable)
     project?.env?.vars?.forEach {
       if (it.value.isPresent) {
         if (it.value.source == EnvVariableSource.DOTENV && !dotenv) {