sesame/
helpers.rs

1use core_types::TrustProfileName;
2
/// Checks a secret key name supplied on the command line before it is used.
///
/// This is the CLI-side trust boundary for key names. The rules themselves are
/// not defined here: the call is forwarded to `core_types::validate_secret_key`,
/// the canonical implementation in core-types.
///
/// # Errors
///
/// Returns an `anyhow` error carrying the `Display` text of whatever error the
/// core-types validator produced. Only the text is kept, not the original
/// error value.
pub(crate) fn validate_secret_key(key: &str) -> anyhow::Result<()> {
    match core_types::validate_secret_key(key) {
        Ok(()) => Ok(()),
        // Keep only the message text of the underlying error.
        Err(cause) => Err(anyhow::anyhow!("{cause}")),
    }
}
8
/// Confirms that `profile` is a key of `profiles` in the loaded configuration.
///
/// Intended to run before an RPC is sent, so that a mistyped profile fails
/// fast at the CLI boundary with a clear message. The configuration is loaded
/// through `core_config::load_config(None)` on every call.
///
/// NOTE(review): this is a client-side pre-check against the config as read at
/// call time. Presumably the RPC receiver still validates the profile itself --
/// confirm, and do not treat this check as an authorization decision.
///
/// # Errors
///
/// Fails if the configuration cannot be loaded (the loader's message is passed
/// through as text) or if `profile` is not present in `config.profiles`.
pub(crate) fn validate_profile_in_config(profile: &str) -> anyhow::Result<()> {
    let loaded = match core_config::load_config(None) {
        Ok(cfg) => cfg,
        // Surface the loader's own message rather than a generic failure.
        Err(cause) => return Err(anyhow::anyhow!("{cause}")),
    };

    if loaded.profiles.contains_key(profile) {
        Ok(())
    } else {
        Err(anyhow::anyhow!("profile '{}' not found in config", profile))
    }
}
18
/// Turns a secret-access denial into a one-line message for the CLI user.
///
/// `key` and `profile` are interpolated into the variants that mention them.
/// `Locked` and `ProfileNotActive` also name the `sesame` command to run next.
///
/// NOTE(review): the `VaultError` payload and the `Debug` rendering used by the
/// catch-all arm are emitted unfiltered. Confirm that neither can carry secret
/// values or internal details that should stay out of user-visible output.
pub(crate) fn format_denial_reason(
    reason: &core_types::SecretDenialReason,
    key: &str,
    profile: &TrustProfileName,
) -> String {
    use core_types::SecretDenialReason as Denial;

    match reason {
        // Fixed messages that need no interpolation.
        Denial::Locked => String::from("vault locked -- run `sesame unlock`"),
        Denial::RateLimited => String::from("rate limited -- try again later"),

        // Messages that name the secret and/or the profile.
        Denial::AccessDenied => format!("access denied for secret '{}'", key),
        Denial::NotFound => format!("secret '{}' not found in profile '{}'", key, profile),
        Denial::ProfileNotActive => format!(
            "profile '{}' is not active -- run `sesame profile activate {}`",
            profile, profile
        ),

        // Underlying vault failure, shown through its `Display` text.
        Denial::VaultError(cause) => format!("vault error: {}", cause),

        // Any variant not listed above falls back to its `Debug` form.
        other => format!("secret access denied for '{}': {:?}", key, other),
    }
}