amr/passepartout
1
0
Fork 0
Code Issues 15 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
94a8a0ab0bffafb22a3336062fc78c7033f0412c
passepartout/skills/org-skill-credentials-vault.org
Amr Gharbeia dd3873cd5e
Some checks failed
Deploy-Agent-V15-Stdin / JOB-V15-STDIN (push) Failing after 2s
Details
DOCS: Systematic overhaul of Literate source (Granularity & Technical Reasoning)
2026-04-21 11:49:58 -04:00

108 lines
4.7 KiB
Org Mode
Raw Blame History

#+TITLE: SKILL: Credentials Vault (Universal Literate Note)
#+AUTHOR: Amr
#+FILETAGS: :auth:security:infrastructure:autonomy:
#+STARTUP: content
* Overview
The *Credentials Vault* is the high-security enclave for the OpenCortex. It centralizes the management of LLM API keys, OAuth sessions, and browser cookies. By consolidating these into a single vault, we ensure that sensitive tokens are handled with uniform masking, validation, and Merkle-integrated persistence.
** Architectural Intent: The Secure Enclave
The vault provides a secure lookup table in RAM, backed by the persistent Memory. Access is restricted to internal kernel requests and explicitly authorized deterministic gates.
The primary goal of the vault is to prevent "Credential Bleed"—the accidental leaking of API keys into logs, terminal history, or neural contexts. It achieves this by providing a unified getter that automatically masks its output for diagnostic use.
* Implementation
** Package Initialization
#+begin_src lisp
(in-package :cl-user)
(defpackage :opencortex.skills.org-skill-credentials-vault
(:use :cl :opencortex))
(in-package :opencortex.skills.org-skill-credentials-vault)
#+end_src
** Vault State
We maintain an in-memory hash table for secrets, which is hydrated from and persisted to the Memory.
#+begin_src lisp
(defvar opencortex::*vault-memory* (make-hash-table :test 'equal)
"In-memory cache of sensitive credentials, preventing constant disk I/O for auth.")
#+end_src
** Helper: Secret Masking (vault-mask-string)
Ensures that diagnostic output never contains the full plaintext of a sensitive token. Used by the harness and gateways for transparent but safe logging.
#+begin_src lisp
(defun vault-mask-string (str)
"Returns a masked version of a sensitive string. (e.g. sk-a...3f9)"
(if (and str (> (length str) 8))
(format nil "~a...~a" (subseq str 0 4) (subseq str (- (length str) 4)))
"[REDACTED]"))
#+end_src
** Retrieval (vault-get-secret)
The secure getter for all system secrets. It follows a strict priority:
1. **Vault Memory:** High-integrity, versioned storage.
2. **Environment Fallback:** OS-level variables for bootstrap and legacy compatibility.
#+begin_src lisp
(defun vault-get-secret (provider &key (type :api-key))
"Retrieves a credential. Type can be :api-key or :session."
(let* ((key (format nil "~a-~a" provider type))
(val (gethash key opencortex::*vault-memory*)))
(if (and val (not (string= val "")))
val
;; Fallback to environment mapping
(let ((env-var (case provider
((:gemini :gemini-api) "GEMINI_API_KEY")
(:openai "OPENAI_API_KEY")
(:anthropic "ANTHROPIC_API_KEY")
(:groq "GROQ_API_KEY")
(:openrouter "OPENROUTER_API_KEY")
(:telegram "TELEGRAM_BOT_TOKEN")
(:signal "SIGNAL_ACCOUNT_NUMBER")
(:matrix-homeserver "MATRIX_HOMESERVER")
(:matrix-token "MATRIX_ACCESS_TOKEN")
(t nil))))
(when (and env-var (eq type :api-key))
(uiop:getenv env-var))))))
#+end_src
** Persistence (vault-set-secret)
When a secret is updated, we immediately snapshot the Memory to ensure the change is versioned and durable.
#+begin_src lisp
(defun vault-set-secret (provider secret &key (type :api-key))
"Securely stores a secret and triggers a Merkle snapshot for durability."
(let ((key (format nil "~a-~a" provider type)))
(setf (gethash key opencortex::*vault-memory*) secret)
(harness-log "VAULT: Updated ~a for ~a. Snapshotting memory." type provider)
(snapshot-memory)
t))
#+end_src
** Automated Onboarding Instructions
Provides instructions for the autonomous cookie handshake (retained from legacy components).
#+begin_src lisp
(defun vault-onboard-gemini-web ()
"Displays instructions for the Gemini Web cookie handshake."
(harness-log "--- GEMINI WEB ONBOARDING ---")
(harness-log "1. Visit gemini.google.com")
(harness-log "2. Run the 'Get Gemini Cookies' Bookmarklet.")
(harness-log " CODE: javascript:(function(){const c=document.cookie.split('; ').reduce((r,v)=>{const [n,val]=v.split('=');r[n]=val;return r},{});const target=['__Secure-1PSID','__Secure-1PSIDTS'];const out=target.map(n=>({name:n,value:c[n]}));prompt('Copy JSON:',JSON.stringify(out));})();")
t)
#+end_src
** Skill Registration
#+begin_src lisp
(defskill :skill-credentials-vault
:priority 200 ; Foundational Priority
:trigger (lambda (ctx) (eq (getf (getf ctx :payload) :sensor) :onboarding-request))
:probabilistic nil
:deterministic (lambda (action ctx)
(declare (ignore ctx))
(vault-onboard-gemini-web)
action))
#+end_src
Reference in New Issue View Git Blame Copy Permalink