1 Commit

  • feat(secrets): add codex-secrets crate (#10142)
    ## Summary
    This introduces the first working foundation for Codex managed secrets:
    a small Rust crate that can securely store and retrieve secrets locally.
    
    Concretely, it adds a `codex-secrets` crate that:
    - encrypts a local secrets file using `age`
    - generates a high-entropy encryption key
    - stores that key in the OS keyring
    
    ## What this enables
    - A secure local persistence model for secrets
    - A clean, isolated place for future provider backends
    - A clear boundary: Codex can become a credential broker without putting
      plaintext secrets in config files
    
    ## Implementation details
    - New crate: `codex-rs/secrets/`
    - Encryption: `age` with scrypt recipient/identity
    - Key generation: `OsRng` (32 random bytes)
    - Key storage: OS keyring via `codex-keyring-store`
    
    ## Testing
    - `cd codex-rs && just fmt`
    - `cd codex-rs && cargo test -p codex-secrets`