CredentialStore
Category: Credentials
Source: credential_store.dart
Resolves [CredentialRef]s to secret strings.
Reads and writes ~/.glue/credentials.json with mode 0600 (owner-only). Writes are atomic: the new contents are written to a sibling .tmp file, permissions are set, and rename(2) replaces the original. Interrupted writes can leave no orphaned tmp files in practice, but any found at construction time can be ignored.
Credentials resolution intentionally does NOT log the resolved value. Error messages include provider ids but never key fragments.
Classes
CredentialStore
Constructor
CredentialStore({required this.path, Map<String, String>? env})Properties
| Property | Type | Description |
|---|---|---|
path | String | Absolute path to credentials.json. |
Methods
String? resolve(CredentialRef ref)
Resolve a direct credential reference.
String? resolveForProvider(ProviderDef provider)
Walk a provider's [AuthSpec] and return the api_key value when [AuthKind.apiKey]:
- env var named in [AuthSpec.envVar] (if set + non-empty)
- stored
api_keyfield under the provider id
Returns null for [AuthKind.none] and [AuthKind.oauth] — OAuth providers use [getField] to read their specific token fields.
void setApiKey(String providerId, String value)
Convenience for the common single-field api-key providers. Equivalent to setFields(providerId, {'api_key': value}).
void setFields(String providerId, Map<String, String> values)
Multi-field write — replaces any existing fields under [providerId]. OAuth providers use this to store {github_token, copilot_token, ...} in one atomic commit.
String? readEnv(String name)
Read an environment variable from the captured env map. Adapters use this for the "[using $ENV]" pre-fill hint in auth flows.
String? getField(String providerId, String fieldName)
Read a single stored field for [providerId]. Returns null if the provider or field is absent.