refactor(services): use SecretString for api_key in Config and providers (#3 F-004)

Sephyi · Sephyi · commit b03f0a1b28b4 · 2026-03-28T06:46:59.000+01:00
Replace plain String with SecretString to prevent accidental exposure of
sensitive API keys in logs or memory dumps. Update AnthropicProvider and
OpenAiProvider to use expose_secret() when accessing keys for API
requests.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -83,6 +83,9 @@ indicatif = "0.18"
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 
+# Secret management
+secrecy = { version = "0.10", features = ["serde"] }
+
 # Utilities
 regex = "1.12"
 globset = "0.4"
diff --git a/src/config.rs b/src/config.rs
@@ -5,6 +5,7 @@
 use directories::ProjectDirs;
 use figment::Figment;
 use figment::providers::{Env, Format, Serialized, Toml};
+use secrecy::SecretString;
 use serde::{Deserialize, Serialize};
 use std::fs;
 use std::path::PathBuf;
@@ -74,8 +75,8 @@ pub struct Config {
     #[serde(default = "default_ollama_host")]
     pub ollama_host: String,
 
-    #[serde(default)]
-    pub api_key: Option<String>,
+    #[serde(default, skip_serializing)]
+    pub api_key: Option<SecretString>,
 
     #[serde(default = "default_max_diff_lines")]
     pub max_diff_lines: usize,
@@ -316,8 +317,10 @@ impl Config {
         // Provider-specific API key fallback (after CLI overrides set the provider)
         if config.api_key.is_none() {
             config.api_key = match config.provider {
-                Provider::OpenAI => std::env::var("OPENAI_API_KEY").ok(),
-                Provider::Anthropic => std::env::var("ANTHROPIC_API_KEY").ok(),
+                Provider::OpenAI => std::env::var("OPENAI_API_KEY").ok().map(SecretString::from),
+                Provider::Anthropic => {
+                    std::env::var("ANTHROPIC_API_KEY").ok().map(SecretString::from)
+                }
                 Provider::Ollama => None,
             };
         }
@@ -329,7 +332,7 @@ impl Config {
             if let Ok(entry) = keyring::Entry::new("commitbee", &provider_name)
                 && let Ok(key) = entry.get_password()
             {
-                config.api_key = Some(key);
+                config.api_key = Some(SecretString::from(key));
             }
         }
 
diff --git a/src/services/llm/anthropic.rs b/src/services/llm/anthropic.rs
@@ -10,6 +10,8 @@ use tokio::sync::mpsc;
 use tokio_stream::StreamExt;
 use tokio_util::sync::CancellationToken;
 
+use secrecy::{ExposeSecret, SecretString};
+
 use crate::config::Config;
 use crate::error::{Error, Result};
 
@@ -22,7 +24,7 @@ pub struct AnthropicProvider {
     client: Client,
     base_url: String,
     model: String,
-    api_key: String,
+    api_key: SecretString,
     temperature: f32,
     max_tokens: u32,
 }
@@ -83,7 +85,7 @@ impl AnthropicProvider {
     pub async fn verify_connection(&self) -> Result<()> {
         // Anthropic doesn't have a lightweight endpoint for verification,
         // so we just validate that the key looks plausible
-        if self.api_key.is_empty() {
+        if self.api_key.expose_secret().is_empty() {
             return Err(Error::Provider {
                 provider: "anthropic".into(),
                 message: "API key not configured".into(),
@@ -104,7 +106,7 @@ impl AnthropicProvider {
         let response = self
             .client
             .post(&url)
-            .header("x-api-key", &self.api_key)
+            .header("x-api-key", self.api_key.expose_secret())
             .header("anthropic-version", API_VERSION)
             .header("content-type", "application/json")
             .json(&MessagesRequest {
diff --git a/src/services/llm/openai.rs b/src/services/llm/openai.rs
@@ -10,6 +10,8 @@ use tokio::sync::mpsc;
 use tokio_stream::StreamExt;
 use tokio_util::sync::CancellationToken;
 
+use secrecy::{ExposeSecret, SecretString};
+
 use crate::config::Config;
 use crate::error::{Error, Result};
 
@@ -21,7 +23,7 @@ pub struct OpenAiProvider {
     client: Client,
     base_url: String,
     model: String,
-    api_key: String,
+    api_key: SecretString,
     temperature: f32,
     max_tokens: u32,
 }
@@ -88,7 +90,7 @@ impl OpenAiProvider {
         let response = self
             .client
             .get(&url)
-            .header("Authorization", format!("Bearer {}", self.api_key))
+            .header("Authorization", format!("Bearer {}", self.api_key.expose_secret()))
             .send()
             .await
             .map_err(|e| Error::Provider {
@@ -118,7 +120,7 @@ impl OpenAiProvider {
         let response = self
             .client
             .post(&url)
-            .header("Authorization", format!("Bearer {}", self.api_key))
+            .header("Authorization", format!("Bearer {}", self.api_key.expose_secret()))
             .json(&ChatRequest {
                 model: self.model.clone(),
                 messages: vec![
