feat(ai): vault_path secret resolver (env:/file:)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-01 18:04:21 +10:00
parent 5f601c1a3c
commit d0d61575e3
2 changed files with 48 additions and 0 deletions
--- a/lib/ai/secret.js
+++ b/lib/ai/secret.js
@@ -0,0 +1,18 @@
+import { readFileSync } from 'node:fs';
+
+// Resolve a vault_path-style secret reference. v1 supports:
+//   env:NAME   -> process.env.NAME
+//   file:/path -> file contents (trimmed)
+//   <raw>      -> returned as-is
+// Vaultwarden item-id resolution is a future swap (see spec).
+export function resolveSecret(spec) {
+  if (!spec) return null;
+  if (spec.startsWith('env:')) {
+    return process.env[spec.slice(4)] ?? null;
+  }
+  if (spec.startsWith('file:')) {
+    try { return readFileSync(spec.slice(5), 'utf8').trim(); }
+    catch { return null; }
+  }
+  return spec;
+}