curo/Pyra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(vault): API key storage in vault only

Browse Source 
- vault/reader.py: get_key() reads from ~/.pyra/vault/secrets/api_keys.json
- vault/writer.py: set_key(), delete_key() — only writer callable from setup
- Both call assert_safe_path() as defense-in-depth
- Keys file stays chmod 400; temporarily 600 during write then locked again
- Config.yaml never touched by either module

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
curo1305
2026-05-17 12:50:24 +02:00
parent 43a8a363ba
commit 7617a80595
2 changed files with 63 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/pyra/vault/reader.py
+21
View File
@@ -0,0 +1,21 @@
import json
from pathlib import Path
from pyra.security.boundaries import assert_safe_path
from pyra.utils.paths import pyra_home, safe_chmod
_KEYS_FILE = pyra_home() / "vault" / "secrets" / "api_keys.json"
def get_key(provider_id: str) -> str | None:
"""Read an API key from the vault. Never exposed to the AI."""
assert_safe_path(_KEYS_FILE) # defense-in-depth
if not _KEYS_FILE.exists():
return None
# Ensure permissions remain tight before reading
safe_chmod(_KEYS_FILE, 0o400)
data: dict = json.loads(_KEYS_FILE.read_text())
return data.get(provider_id)
src/pyra/vault/writer.py
+42
View File
@@ -0,0 +1,42 @@
import json
from pathlib import Path
from pyra.security.boundaries import assert_safe_path
from pyra.utils.paths import ensure_dir, pyra_home, safe_chmod
_KEYS_FILE = pyra_home() / "vault" / "secrets" / "api_keys.json"
def set_key(provider_id: str, api_key: str) -> None:
"""Store an API key in the vault. Called only by the setup wizard."""
assert_safe_path(_KEYS_FILE) # defense-in-depth
ensure_dir(_KEYS_FILE.parent, 0o700)
# Temporarily make writable to update
if _KEYS_FILE.exists():
safe_chmod(_KEYS_FILE, 0o600)
data: dict = json.loads(_KEYS_FILE.read_text())
else:
data = {}
data[provider_id] = api_key
_KEYS_FILE.write_text(json.dumps(data, indent=2))
safe_chmod(_KEYS_FILE, 0o400)
def delete_key(provider_id: str) -> bool:
"""Remove an API key from the vault. Returns True if key existed."""
assert_safe_path(_KEYS_FILE)
if not _KEYS_FILE.exists():
return False
safe_chmod(_KEYS_FILE, 0o600)
data: dict = json.loads(_KEYS_FILE.read_text())
existed = provider_id in data
data.pop(provider_id, None)
_KEYS_FILE.write_text(json.dumps(data, indent=2))
safe_chmod(_KEYS_FILE, 0o400)
return existed