Encrypted credential store for `spel auth save/login/list/delete`.

Goal: the LLM never sees the password. Credentials are encrypted at rest with AES-256-GCM. The decryption key comes from:

1. Env `SPEL_ENCRYPTION_KEY` (64-char hex = 32 bytes), or
2. Auto-generated file at `~/.spel/.encryption-key` (chmod 600 on POSIX).

Records live in `~/.spel/vault/<name>.json.enc` as:

`[12-byte IV][ciphertext][16-byte GCM tag]`

The JSON payload (before encryption) has `:name :url :username :password`.

Threat model: this protects credentials from casual disk inspection and from the LLM driving the CLI — NOT from a local attacker with filesystem read. Use OS-level keyring for stronger guarantees.

`(decrypt blob)`

Decrypts a byte[] previously produced by `encrypt`. Returns the plaintext String. Throws on authentication failure (tampered ciphertext or wrong key).

`(delete-credential! name)`

Removes a credential from the vault. Returns true on success, false if nothing was deleted.

`(encrypt plaintext)`

Encrypts `plaintext` (String) with AES-256-GCM using the resolved key. Returns a byte[] in the format `[iv (12)][ciphertext][tag (16)]`.

`(list-credentials)`

Lists stored credentials. Returns a vector of public-safe maps with `:name :url :username` — **never** the password.

`(load-credential name)`

Reads and decrypts the credential record for `name`. Returns the map or throws if the record is missing or authentication fails.

`(save-credential! record)`

Encrypts and writes a credential record to the vault. `record` must be a map with at least `:name :url :username :password`. The write is atomic: content is written to a `.tmp` file and renamed. Returns the absolute path (String) to the stored encrypted file.
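
The record layout and key format described above, written out over `javax.crypto` as an added example; it is not spel's source code. The namespace and the names `hex->key`, `seal`, `open` and `demo` are hypothetical, and the key and JSON payload are constructed sample values.

```clojure
(ns example.vault-layout ; hypothetical namespace, not part of spel
  (:import (java.security SecureRandom)
           (java.util Arrays)
           (javax.crypto AEADBadTagException Cipher)
           (javax.crypto.spec GCMParameterSpec SecretKeySpec)))

(def ^:const iv-len 12)    ; bytes of IV at the front of every blob
(def ^:const tag-bits 128) ; 16-byte GCM tag at the end

(defn hex->key
  "Parses a 64-char hex string into a 32-byte AES key; rejects anything else."
  [^String hex]
  (when-not (re-matches #"[0-9a-fA-F]{64}" hex)
    (throw (ex-info "key must be exactly 64 hex chars (32 bytes)" {})))
  (SecretKeySpec. (byte-array (map #(unchecked-byte (Integer/parseInt (apply str %) 16))
                                   (partition 2 hex)))
                  "AES"))

(defn- gcm ^Cipher [mode ^SecretKeySpec k ^bytes iv]
  (doto (Cipher/getInstance "AES/GCM/NoPadding")
    (.init (int mode) k (GCMParameterSpec. tag-bits iv))))

(defn seal
  "Returns byte[] laid out as [iv (12)][ciphertext][tag (16)]."
  ^bytes [k ^String plaintext]
  (let [iv (byte-array iv-len)]
    (.nextBytes (SecureRandom.) iv) ; fresh random IV; doFinal appends the tag
    (byte-array (concat iv (.doFinal (gcm Cipher/ENCRYPT_MODE k iv)
                                     (.getBytes plaintext "UTF-8"))))))

(defn open
  "Verifies the tag and returns the plaintext; JCE throws AEADBadTagException otherwise."
  [k ^bytes blob]
  (when (< (alength blob) (+ iv-len 16))
    (throw (ex-info "blob shorter than IV + tag" {:length (alength blob)})))
  (let [iv (Arrays/copyOfRange blob 0 iv-len)
        pt (.doFinal (gcm Cipher/DECRYPT_MODE k iv)
                     blob iv-len (- (alength blob) iv-len))]
    (String. ^bytes pt "UTF-8")))

(defn demo []
  (let [k    (hex->key (apply str (repeat 32 "0f"))) ; constructed demo key
        json "{\"name\":\"demo\",\"password\":\"constructed\"}"
        blob (seal k json)
        bad  (doto (aclone blob) ; flip one ciphertext bit
               (aset-byte 20 (unchecked-byte (bit-xor (aget blob 20) 1))))]
    {:overhead   (- (alength blob) (count json)) ; IV + tag bytes (ASCII payload)
     :round-trip (= json (open k blob))
     :tampered   (try (open k bad) (catch AEADBadTagException _ :rejected))}))
```

Evaluating `(demo)` in a REPL shows the fixed per-record overhead, a successful round trip, and the rejection of a blob with a single flipped bit.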