SecretProvider: reads and writes secrets from the platform credential
store.
§SecretProvider (Environment)
Implements the SecretProvider trait for MountainEnvironment. Contains
the core logic for secure secret storage using the system keyring, powered
by the keyring crate.
§Keyring integration
The keyring crate provides cross-platform secure storage:
- macOS: Native Keychain (OSXKeychain)
- Windows: Windows Credential Manager (WinCredential)
- Linux: Secret Service API (dbus-secret-service) or GNOME Keyring
Each secret is identified by a service name
(<app>.<ExtensionIdentifier>) and a key string.
§Security considerations
- Secrets are never logged or included in error messages.
- The keyring handles encryption at the OS level.
- OS keychain manages access permissions and unlocking.
- Failed operations do not expose secret values.
- Extension and key identifiers are validated before use.
§Air integration
When the AirIntegration feature is enabled, GetSecret, StoreSecret,
and DeleteSecret delegate to Air service RPCs when the client is healthy,
falling back to the local keyring otherwise. The three Air stub functions
(GetSecretFromAir, StoreSecretToAir, DeleteSecretFromAir) are gated
behind #[cfg(feature = "AirIntegration")] and currently return
NotImplemented.
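The identifier validation, value-free errors and Air fallback described above, as an added Rust example that is not the project's code. `SecretError`, `validate`, `entry_id`, `Store` and `get_from_remote` are hypothetical names, the in-memory map stands in for the keyring, and the character rule, the `app` prefix and the fallback on `NotImplemented` are assumptions.

```rust
use std::collections::HashMap;
// Hypothetical error type: variants name the failing field, never a secret value.
#[derive(Debug, PartialEq)]
pub enum SecretError { InvalidIdentifier(&'static str), NotImplemented }

// Assumed rule: 1..=128 bytes of ASCII alphanumerics, '.', '-' or '_'.
fn validate(value: &str, field: &'static str) -> Result<(), SecretError> {
    let ok = !value.is_empty() && value.len() <= 128
        && value.bytes().all(|b| b.is_ascii_alphanumeric() || matches!(b, b'.' | b'-' | b'_'));
    if ok { Ok(()) } else { Err(SecretError::InvalidIdentifier(field)) }
}

// Validated (service, key) pair; the "app" prefix is a placeholder.
pub fn entry_id(ext: &str, key: &str) -> Result<(String, String), SecretError> {
    validate(ext, "extension")?;
    validate(key, "key")?;
    Ok((format!("app.{}", ext), key.to_string()))
}

// Stand-in for the remote stub, which the page says returns NotImplemented.
fn get_from_remote(_service: &str, _key: &str) -> Result<Option<String>, SecretError> {
    Err(SecretError::NotImplemented)
}

// In-memory stand-in for the OS keyring, keyed by (service, key).
#[derive(Default)]
pub struct Store { local: HashMap<(String, String), String>, pub remote_attached: bool }
impl Store {
    pub fn put(&mut self, ext: &str, key: &str, secret: &str) -> Result<(), SecretError> {
        self.local.insert(entry_id(ext, key)?, secret.to_string());
        Ok(())
    }
    // Assumption: remote is tried first when attached; NotImplemented falls back.
    pub fn get(&self, ext: &str, key: &str) -> Result<Option<String>, SecretError> {
        let id = entry_id(ext, key)?;
        if self.remote_attached {
            match get_from_remote(&id.0, &id.1) {
                Err(SecretError::NotImplemented) => {} // use the local store instead
                other => return other,
            }
        }
        Ok(self.local.get(&id).cloned())
    }
}

fn main() {
    let mut store = Store { remote_attached: true, ..Default::default() };
    store.put("publisher.ext", "token", "constructed-value").unwrap(); // constructed sample
    println!("{:?}", store.get("bad/ext", "token")); // error names the field only
}
```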
§VS Code reference
- vs/platform/secrets/common/secrets.ts
- vs/platform/secrets/electron-simulator/electronSecretStorage.ts
Functions§
- DeleteSecretFromAir 🔒 - Deletes a secret from the Air service.
- GetKeyringServiceName 🔒 - Constructs the service name for the keyring entry.
- GetSecretFromAir 🔒 - Air stub: retrieves a secret from the remote Air service.
- IsAirAvailable 🔒 - Helper to check if the Air gRPC client is available without a proper health check. The raw client requires &mut self for health_check, but MountainEnvironment holds an immutable reference. This returns true whenever a client is attached. Blocked on proper wrapper integration.
- StoreSecretToAir 🔒 - Air stub: stores a secret in the remote Air service.