Secret Store
Centralized secret management with pluggable backends. Ed25519 signing keys stored at ~/.config/tetrapus/signing_key.bin.
Backends
| Backend | Use Case | Trait |
|---|---|---|
| Environment | Container/CI — secrets via env vars | EnvSecretManager |
| Keyring | Desktop — OS keychain integration | SecretManager trait |
| EncryptedFile | Standalone — age-encrypted local file | SecretManager trait |
Default Keys
| Key | Env Variable |
|---|---|
| anthropic_api_key | ANTHROPIC_API_KEY |
| clickhouse_password | CLICKHOUSE_PASSWORD |
| tileserver_api_key | TILE_SERVER_API_KEY |
Signing Keys
- Algorithm: Ed25519 via
ed25519-dalek - Private key:
~/.config/tetrapus/signing_key.bin(32 bytes, mode 0o600) - Public key:
~/.config/tetrapus/signing_key.pub(hex-encoded) - Auto-generated:
load_or_generate()creates key if missing
Questions?
Reach out for help with integration, deployment, or custom domain codecs.