hyf

Context-aware query service for Radroots

commit 07be61b48ac53deb4f83b4aa373f22b40786c88f
parent 002d16da89328f345cb7bf1e1d78a08ad08fb2da
Author: triesap <tyson@radroots.org>
Date:   Thu,  9 Apr 2026 17:50:48 +0000

runtime: report reserved hyf secret posture

Diffstat:
Asrc/hyf_runtime/secrets.mojo | 41+++++++++++++++++++++++++++++++++++++++++
Msrc/hyf_runtime/status.mojo | 52+++++++++++++++++++++++++++++++++++++++++++++++++---
Mtests/test_stdio_contract.mojo | 68+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
3 files changed, 157 insertions(+), 4 deletions(-)

diff --git a/src/hyf_runtime/secrets.mojo b/src/hyf_runtime/secrets.mojo
@@ -0,0 +1,41 @@
+from hyf_runtime.paths import RuntimePaths, join_runtime_path
+
+
+# Runtime status posture only: do not load, create, wrap, or persist secrets here.
+comptime _DEFAULT_SECRET_BACKEND = "encrypted_file"
+comptime _SECRET_STORAGE_STATUS = "reserved_pending_shared_secret_storage"
+comptime _PROTECTED_LOCAL_DATA_STATUS = "reserved_pending_protected_store"
+
+
+def default_secret_backend_name() -> String:
+ return _DEFAULT_SECRET_BACKEND
+
+
+def secret_storage_status_name() -> String:
+ return _SECRET_STORAGE_STATUS
+
+
+def secret_storage_backend_implemented() -> Bool:
+ return False
+
+
+def identity_material_loaded() -> Bool:
+ return False
+
+
+def identity_material_created_by_startup() -> Bool:
+ return False
+
+
+def protected_local_data_status_name() -> String:
+ return _PROTECTED_LOCAL_DATA_STATUS
+
+
+def protected_local_data_store_open() -> Bool:
+ return False
+
+
+def protected_local_data_dir_for_runtime_paths(
+ paths: RuntimePaths,
+) raises -> String:
+ return join_runtime_path(paths.data_dir, "protected")
diff --git a/src/hyf_runtime/status.mojo b/src/hyf_runtime/status.mojo
@@ -1,5 +1,15 @@
 from mojson import Value, loads
+from hyf_runtime.secrets import (
+ default_secret_backend_name,
+ identity_material_created_by_startup,
+ identity_material_loaded,
+ protected_local_data_dir_for_runtime_paths,
+ protected_local_data_status_name,
+ protected_local_data_store_open,
+ secret_storage_backend_implemented,
+ secret_storage_status_name,
+)
 from hyf_runtime.startup import RuntimeStartupContext
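Review bot: In `src/hyf_runtime/secrets.mojo`, `secret_storage_backend_implemented()`, `identity_material_loaded()`, `identity_material_created_by_startup()` and `protected_local_data_store_open()` return a literal `False` instead of observing runtime state, so the status report stays truthful only while no other module loads or creates secret material. The file-level comment says what must not happen in this module but not that these values have to be rewired when a backend lands; I would add above the functions `# Placeholder posture: constant until shared secret storage exists; replace with observed state in the same change that adds loading.` Separately, `default_secret_backend_name()` reports `"encrypted_file"` while nothing is implemented, so a consumer that reads `default_backend` without also reading `backend_implemented` could assume encryption at rest. A one-line docstring on that function stating that the name is the planned default, not an active backend, would prevent that reading.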
@@ -37,9 +47,45 @@ def build_runtime_status_value(context: RuntimeStartupContext) raises -> Value:
 config.set("compiled_defaults_active", Value(True))
 status.set("config", config)
+ status.set("secret_storage", _secret_storage_status_value(context))
+ status.set(
+ "protected_local_data", _protected_local_data_status_value(context)
+ )
+
+ return status^
+
+
+def _secret_storage_status_value(
+ context: RuntimeStartupContext,
+) raises -> Value:
 var secret_storage = loads("{}")
- secret_storage.set("default_backend", Value("local_file"))
+ secret_storage.set("default_backend", Value(default_secret_backend_name()))
+ secret_storage.set("status", Value(secret_storage_status_name()))
+ secret_storage.set(
+ "backend_implemented", Value(secret_storage_backend_implemented())
+ )
+ secret_storage.set(
+ "identity_path", Value(String(context.paths.identity_path))
+ )
+ secret_storage.set(
+ "identity_material_loaded", Value(identity_material_loaded())
+ )
+ secret_storage.set(
+ "identity_material_created_by_startup",
+ Value(identity_material_created_by_startup()),
+ )
 secret_storage.set("secret_values_reported", Value(False))
- status.set("secret_storage", secret_storage)
+ return secret_storage^
- return status^
+
+def _protected_local_data_status_value(
+ context: RuntimeStartupContext,
+) raises -> Value:
+ var protected_data = loads("{}")
+ protected_data.set("status", Value(protected_local_data_status_name()))
+ protected_data.set(
+ "default_dir",
+ Value(protected_local_data_dir_for_runtime_paths(context.paths)),
+ )
+ protected_data.set("store_open", Value(protected_local_data_store_open()))
+ return protected_data^
diff --git a/tests/test_stdio_contract.mojo b/tests/test_stdio_contract.mojo
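Review bot: `_secret_storage_status_value` now writes `String(context.paths.identity_path)` into the status payload, and `_protected_local_data_status_value` does the same for the protected data directory, so every reader of the status response learns the absolute location of the identity file. Nothing in this hunk shows who can read that response; if it can be logged or relayed beyond the local caller, consider reporting the path relative to the runtime root instead. Both helpers also lack docstrings: I would add `"""Report secret-storage posture: names, paths and flags only, never file contents."""` to the first and an equivalent line to the second, so the invariant behind `secret_values_reported` is stated where the fields are built.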
@@ -104,7 +104,37 @@ def test_status_reports_repo_local_runtime_truth() raises:
 response["output"]["runtime"]["secret_storage"][
 "default_backend"
 ].string_value(),
- "local_file",
+ "encrypted_file",
+ )
+ assert_equal(
+ response["output"]["runtime"]["secret_storage"][
+ "status"
+ ].string_value(),
+ "reserved_pending_shared_secret_storage",
+ )
+ assert_equal(
+ response["output"]["runtime"]["secret_storage"][
+ "identity_path"
+ ].string_value(),
+ temp_dir + "/secrets/services/hyf/identity.secret.json",
+ )
+ assert_equal(
+ response["output"]["runtime"]["secret_storage"][
+ "backend_implemented"
+ ].bool_value(),
+ False,
+ )
+ assert_equal(
+ response["output"]["runtime"]["secret_storage"][
+ "identity_material_loaded"
+ ].bool_value(),
+ False,
+ )
+ assert_equal(
+ response["output"]["runtime"]["secret_storage"][
+ "identity_material_created_by_startup"
+ ].bool_value(),
+ False,
 )
 assert_equal(
 response["output"]["runtime"]["secret_storage"][
@@ -112,6 +142,42 @@ def test_status_reports_repo_local_runtime_truth() raises:
 ].bool_value(),
 False,
 )
+ assert_equal(
+ response["output"]["runtime"]["protected_local_data"][
+ "status"
+ ].string_value(),
+ "reserved_pending_protected_store",
+ )
+ assert_equal(
+ response["output"]["runtime"]["protected_local_data"][
+ "default_dir"
+ ].string_value(),
+ temp_dir + "/data/services/hyf/protected",
+ )
+ assert_equal(
+ response["output"]["runtime"]["protected_local_data"][
+ "store_open"
+ ].bool_value(),
+ False,
+ )
+ assert_true(
+ not exists(
+ Path(temp_dir)
+ / "secrets"
+ / "services"
+ / "hyf"
+ / "identity.secret.json"
+ )
+ )
+ assert_true(
+ not exists(
+ Path(temp_dir)
+ / "data"
+ / "services"
+ / "hyf"
+ / "protected"
+ )
+ )
 def test_capabilities_success() raises:
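Review bot: The two `assert_true(not exists(...))` checks at the end of the second hunk cover only the leaf paths `identity.secret.json` and `protected`, so they would still pass if handling the status request created the parent `secrets/services/hyf` directory. If the intent is that status leaves the whole secrets tree untouched (whether startup is allowed to create that directory is not visible here), add `assert_true(not exists(Path(temp_dir) / "secrets" / "services" / "hyf"))`. `test_status_reports_repo_local_runtime_truth` begins before the first hunk, so the setup of `temp_dir` and the imports of `exists` and `Path` are outside what is shown.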