berrypod/lib/simpleshop_theme/secrets.ex

defmodule SimpleshopTheme.Secrets do
  @moduledoc """
  Loads encrypted secrets from the database into Application env at runtime.

  Secrets are stored encrypted in the settings table via `Settings.put_secret/2`
  and loaded into the appropriate Application config on startup. This keeps all
  credentials in the portable SQLite database, encrypted via the Vault module.

  The only external dependency is `SECRET_KEY_BASE` (used to derive encryption keys).
  """

  alias SimpleshopTheme.Settings

  require Logger

  @doc """
  Loads all secrets from the database into Application env.

  Called at startup from the supervision tree, after the Repo is ready.
  """
  def load_all do
    load_stripe_config()
  end

  @doc """
  Loads Stripe credentials from encrypted settings into Application env.
  """
  def load_stripe_config do
    api_key = Settings.get_secret("stripe_api_key")
    signing_secret = Settings.get_secret("stripe_signing_secret")

    if api_key do
      Application.put_env(:stripity_stripe, :api_key, api_key)
      Logger.debug("Stripe API key loaded from database")
    end

    if signing_secret do
      Application.put_env(:stripity_stripe, :signing_secret, signing_secret)
      Logger.debug("Stripe webhook secret loaded from database")
    end

    :ok
  end
end
feat: add encrypted settings, guided Stripe setup, and admin credentials page Store API keys and secrets encrypted in the SQLite database via the existing Vault module (AES-256-GCM). The only external dependency is SECRET_KEY_BASE — everything else lives in the portable DB file. - Add encrypted_value column to settings table with new "encrypted" type - Add put_secret/get_secret/delete_setting/secret_hint to Settings context - Add Secrets module to load encrypted config into Application env at startup - Add Stripe.Setup module with connect/disconnect/verify_api_key flow - Auto-creates webhook endpoints via Stripe API in production - Detects localhost and shows Stripe CLI instructions for dev - Add admin credentials page at /admin/settings with guided setup: - Not configured: single Secret key input with dashboard link - Connected (production): status display, webhook info, disconnect - Connected (dev): Stripe CLI instructions, manual signing secret input - Remove Stripe env vars from dev.exs and runtime.exs - Fix CSSCache test startup crash (handle_continue instead of init) - Add nav link for Credentials page 507 tests, 0 failures. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-07 17:12:53 +00:00			`defmodule SimpleshopTheme.Secrets do`
			`@moduledoc """`
			`Loads encrypted secrets from the database into Application env at runtime.`

			Secrets are stored encrypted in the settings table via `Settings.put_secret/2`
			`and loaded into the appropriate Application config on startup. This keeps all`
			`credentials in the portable SQLite database, encrypted via the Vault module.`

			The only external dependency is `SECRET_KEY_BASE` (used to derive encryption keys).
			`"""`

			`alias SimpleshopTheme.Settings`

			`require Logger`

			`@doc """`
			`Loads all secrets from the database into Application env.`

			`Called at startup from the supervision tree, after the Repo is ready.`
			`"""`
			`def load_all do`
			`load_stripe_config()`
			`end`

			`@doc """`
			`Loads Stripe credentials from encrypted settings into Application env.`
			`"""`
			`def load_stripe_config do`
			`api_key = Settings.get_secret("stripe_api_key")`
			`signing_secret = Settings.get_secret("stripe_signing_secret")`

			`if api_key do`
			`Application.put_env(:stripity_stripe, :api_key, api_key)`
			`Logger.debug("Stripe API key loaded from database")`
			`end`

			`if signing_secret do`
			`Application.put_env(:stripity_stripe, :signing_secret, signing_secret)`
			`Logger.debug("Stripe webhook secret loaded from database")`
			`end`

			`:ok`
			`end`
			`end`