Package dev.dokimos.server.service

Class LlmCredentialService

java.lang.Object
dev.dokimos.server.service.LlmCredentialService
@Service public class LlmCredentialService extends Object
Resolves and protects the API key for an LlmConnection. Inline keys are encrypted with AES-256-GCM under a key derived from the configured encryption secret; external keys are read from the named environment variable at resolution time. The master encryption secret is required only when an inline key is encrypted or decrypted, so deployments that use only environment-backed connections need not configure it.

  • Constructor Details

    • LlmCredentialService

      public LlmCredentialService(ApiKeyProperties properties)

  • Method Details

    • encryptInlineKey

      public LlmConnection encryptInlineKey(LlmConnection connection, String rawKey)
      Returns a copy of the connection with its inline key encrypted. Used on the create path before the connection is persisted.
      Parameters:
      connection - the connection to populate
      rawKey - the plaintext API key supplied by the caller
      Returns:
      the connection with encryptedApiKey set
      Throws:
      IllegalStateException - if the encryption secret is not configured

    • resolveKey

      public String resolveKey(LlmConnection connection)
      Resolves the effective plaintext API key for a connection.
      Parameters:
      connection - the connection to resolve
      Returns:
      the plaintext API key
      Throws:
      IllegalStateException - if a referenced environment variable is absent, or if an inline key cannot be decrypted, or if neither credential source is set