feat: lazy load secrets (issue: #152)

Author: Robitx

lua/gp/dispatcher.lua

@@ -44,9 +44,8 @@ D.setup = function(opts)
 		end
 	end
 
-	local callbacks = { copilot = vault.refresh_copilot_bearer }
 	for name, provider in pairs(D.providers) do
-		vault.resolve_secret(name, provider.secret, callbacks[name])
+		vault.add_secret(name, provider.secret)
 		provider.secret = nil
 	end
 
@@ -168,7 +167,7 @@ end
 ---@param handler function # response handler
 ---@param on_exit function | nil # optional on_exit handler
 ---@param callback function | nil # optional callback handler
-D.query = function(buf, provider, payload, handler, on_exit, callback)
+local query = function(buf, provider, payload, handler, on_exit, callback)
 	-- make sure handler is a function
 	if type(handler) ~= "function" then
 		logger.error(
@@ -296,19 +295,18 @@ D.query = function(buf, provider, payload, handler, on_exit, callback)
 	---TODO: this could be moved to a separate function returning endpoint and headers
 	local endpoint = D.providers[provider].endpoint
 	local headers = {}
-	local bearer = vault.get_secret(provider)
+
+	local secret = provider
+	if provider == "copilot" then
+		secret = "copilot_bearer"
+	end
+	local bearer = vault.get_secret(secret)
 	if not bearer then
+		logger.warning(provider .. " bearer token is missing")
 		return
 	end
 
 	if provider == "copilot" then
-		vault.refresh_copilot_bearer()
-		bearer = vault.get_secret("copilot_bearer")
-		local expires_at = vault.get_secret("copilot_bearer_expires_at")
-		if not bearer or not expires_at or expires_at < os.time() then
-			logger.warning("copilot bearer token is missing or expired, trying to refresh..")
-			return
-		end
 		headers = {
 			"-H",
 			"editor-version: vscode/1.85.1",
@@ -373,6 +371,26 @@ D.query = function(buf, provider, payload, handler, on_exit, callback)
 	tasker.run(buf, "curl", curl_params, nil, out_reader(), nil)
 end
 
+-- gpt query
+---@param buf number | nil # buffer number
+---@param provider string # provider name
+---@param payload table # payload for api
+---@param handler function # response handler
+---@param on_exit function | nil # optional on_exit handler
+---@param callback function | nil # optional callback handler
+D.query = function(buf, provider, payload, handler, on_exit, callback)
+	if provider == "copilot" then
+		return vault.run_with_secret(provider, function()
+			vault.refresh_copilot_bearer(function()
+				query(buf, provider, payload, handler, on_exit, callback)
+			end)
+		end)
+	end
+	vault.run_with_secret(provider, function()
+		query(buf, provider, payload, handler, on_exit, callback)
+	end)
+end
+
 -- response handler
 ---@param buf number | nil # buffer to insert response into
 ---@param win number | nil # window to insert response into

lua/gp/imager.lua

@@ -75,7 +75,7 @@ I.setup = function(opts)
 	I.refresh()
 
 	for cmd, _ in pairs(I.cmd) do
-		helpers.create_user_command(I.config.cmd_prefix .. cmd, I.cmd[cmd],  function()
+		helpers.create_user_command(I.config.cmd_prefix .. cmd, I.cmd[cmd], function()
 			if cmd == "ImageAgent" then
 				return I._agents
 			end
@@ -84,7 +84,7 @@ I.setup = function(opts)
 		end)
 	end
 
-	vault.resolve_secret("imager_secret", I.config.secret)
+	vault.add_secret("imager_secret", I.config.secret)
 	I.config.secret = nil
 
 	logger.debug("imager setup finished")
@@ -156,7 +156,7 @@ I.cmd.Image = function(params)
 	end
 end
 
-I.generate_image = function(prompt, model, quality, style, size)
+local generate_image = function(prompt, model, quality, style, size)
 	local bearer = vault.get_secret("imager_secret")
 	if not bearer then
 		return
@@ -262,4 +262,10 @@ I.generate_image = function(prompt, model, quality, style, size)
 	end)
 end
 
+I.generate_image = function(prompt, model, quality, style, size)
+	vault.run_with_secret("imager_secret", function()
+		generate_image(prompt, model, quality, style, size)
+	end)
+end
+
 return I

lua/gp/init.lua

@@ -66,7 +66,7 @@ M.setup = function(opts)
 
 	M.vault.setup({ state_dir = state_dir, curl_params = curl_params })
 
-	M.vault.resolve_secret("openai_api_key", openai_api_key)
+	M.vault.add_secret("openai_api_key", openai_api_key)
 	M.config.openai_api_key = nil
 	opts.openai_api_key = nil
 

lua/gp/vault.lua

@@ -32,13 +32,23 @@ V.setup = function(opts)
 	logger.debug("vault setup finished\n" .. vim.inspect(V), true)
 end
 
+---@param name string # provider name
+---@param secret string | table | nil # secret or command to retrieve it
+V.add_secret = function(name, secret)
+	local s = { secret = secret }
+	s = vim.deepcopy(s)
+	name = alias[name] or name
+	secrets[name] = s.secret
+	logger.debug("vault adding secret " .. name .. ": " .. vim.inspect(s.secret), true)
+end
+
 ---@param name string # secret name
 ---@return string | nil # secret or nil if not found
 V.get_secret = function(name)
 	name = alias[name] or name
 
 	local secret = secrets[name]
-	logger.debug("vault get_secret " .. name .. ":	" .. vim.inspect(secret), true)
+	logger.debug("vault get_secret:" .. name .. ": " .. vim.inspect(secret), true)
 
 	if not secret then
 		logger.warning("vault secret " .. name .. " not found", true)
@@ -58,8 +68,10 @@ end
 V.resolve_secret = function(name, secret, callback)
 	logger.debug("vault resolver started for " .. name .. ": " .. vim.inspect(secret), true)
 	name = alias[name] or name
-	if secrets[name] then
-		logger.debug("vault resolver secret " .. name .. " already exists", true)
+	callback = callback or function() end
+	if secrets[name] and type(secrets[name]) ~= "table" then
+		logger.debug("vault resolver secret " .. name .. " already resolved", true)
+		callback()
 		return
 	end
 
@@ -72,13 +84,11 @@ V.resolve_secret = function(name, secret, callback)
 
 		V._obfuscated_secrets[name] = s:sub(1, 3) .. string.rep("*", #s - 6) .. s:sub(-3)
 
-		if callback then
-			callback()
-		end
+		callback()
 	end
 
 	if not secret then
-		logger.debug("vault resolver for " .. name .. " got empty secret", true)
+		logger.warning("vault resolver for " .. name .. " got empty secret", true)
 		return
 	end
 
@@ -118,12 +128,14 @@ V.resolve_secret = function(name, secret, callback)
 	end
 end
 
-V.refresh_copilot_bearer = function()
+V.refresh_copilot_bearer = function(callback)
 	local secret = secrets.copilot
 	if not secret or type(secret) == "table" then
 		return
 	end
-	logger.debug("vault refresh_copilot_bearer started", true)
+	logger.debug("vault refresh_copilot_bearer: started", true)
+
+	callback = callback or function() end
 
 	local state_file = V.config.state_dir .. "/vault_state.json"
 
@@ -134,9 +146,9 @@ V.refresh_copilot_bearer = function()
 
 	local bearer = V._state.copilot_bearer or state.copilot_bearer or {}
 	if bearer.token and bearer.expires_at and bearer.expires_at > os.time() then
-		logger.debug("vault refresh_copilot_bearer token still valid", true)
 		secrets.copilot_bearer = bearer.token
-		secrets.copilot_bearer_expires_at = bearer.expires_at
+		logger.debug("vault refresh_copilot_bearer: token still valid, running callback", true)
+		callback()
 		return
 	end
 
@@ -171,10 +183,30 @@ V.refresh_copilot_bearer = function()
 
 		V._state.copilot_bearer = vim.json.decode(stdout)
 		secrets.copilot_bearer = V._state.copilot_bearer.token
-
-		logger.debug("vault refresh_copilot_bearer finished", true)
 		helpers.table_to_file(V._state, state_file)
+
+		logger.debug("vault refresh_copilot_bearer: token resolved, running callback", true)
+		callback()
 	end, nil, nil)
 end
 
+---@param name string # secret name
+---@param callback function # function to run after secret is resolved
+V.run_with_secret = function(name, callback)
+	name = alias[name] or name
+	if not secrets[name] then
+		logger.warning("vault secret " .. name .. " not found", true)
+		return
+	end
+	if type(secrets[name]) == "table" then
+		V.resolve_secret(name, secrets[name], function()
+			logger.debug("vault run_with_secret: " .. name .. " resolved, running callback", true)
+			callback()
+		end)
+	else
+		logger.debug("vault run_with_secret: " .. name .. " already resolved, running callback", true)
+		callback()
+	end
+end
+
 return V

lua/gp/whisper.lua

@@ -44,7 +44,7 @@ end
 
 ---@param callback function # callback function(text)
 ---@param language string | nil # language code
-W.Whisper = function(callback, language)
+local whisper = function(callback, language)
 	language = language or W.config.language
 	-- make sure sox is installed
 	if vim.fn.executable("sox") == 0 then
@@ -297,6 +297,14 @@ W.Whisper = function(callback, language)
 	end)
 end
 
+---@param callback function # callback function(text)
+---@param language string | nil # language code
+W.Whisper = function(callback, language)
+	vault.run_with_secret("openai_api_key", function()
+		whisper(callback, language)
+	end)
+end
+
 W.cmd.Whisper = function(params)
 	local buf = vim.api.nvim_get_current_buf()
 	local start_line = vim.api.nvim_win_get_cursor(0)[1]