From 67f6d69cc7fbd0473b81dd7bce747ff5448d96d2 Mon Sep 17 00:00:00 2001
From: dan
Date: Thu, 4 Dec 2025 20:45:48 -0800
Subject: [PATCH] feat: add apiKeys lib for direnv/sops single source of truth
- apiKeys: list of API key names (openai, google, anthropic, openrouter)
- mkDirenvStdlib: generates use_api_keys() bash function
- mkSopsSecrets: generates sops-nix secrets attribute set
Consumers (ops-dev, dotfiles) can now import from skills.lib instead of maintaining duplicate key lists.
---
flake.nix | 40 ++++++++++++++++++++++++++++++++++++++--
1 file changed, 38 insertions(+), 2 deletions(-)
diff --git a/flake.nix b/flake.nix
index c3fc704..f2c9ea9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -96,12 +96,48 @@
 # Export skills paths for direct use
 lib = {
 inherit availableSkills;
-
+
 # Helper to get skill path
 getSkillPath = skillName: ./skills/${skillName};
-
+
 # Helper to get all skill paths
 getAllSkillPaths = map (name: ./skills/${name}) availableSkills;
+
+ # API Keys - Single Source of Truth
+ # Used by both direnv stdlib and sops-nix configuration
+ apiKeys = [ "openai" "google" "anthropic" "openrouter" ];
+
+ # Generate direnv stdlib use_api_keys function
+ mkDirenvStdlib = keys:
+ let
+ toEnvVar = key: {
+ "openai" = "OPENAI_API_KEY";
+ "google" = "GEMINI_API_KEY";
+ "anthropic" = "ANTHROPIC_API_KEY";
+ "openrouter" = "OPENROUTER_API_KEY";
+ }.${key} or (builtins.throw "Unknown API key: ${key}");
+
+ # Google key exports both GEMINI_API_KEY and GOOGLE_API_KEY
+ mkExport = key:
+ if key == "google" then ''
+ [ -f /run/secrets/api_keys/${key} ] && export ${toEnvVar key}="$(cat /run/secrets/api_keys/${key})" && export GOOGLE_API_KEY="$GEMINI_API_KEY"''
+ else ''
+ [ -f /run/secrets/api_keys/${key} ] && export ${toEnvVar key}="$(cat /run/secrets/api_keys/${key})"'';
+ in ''
+ use_api_keys() {
+ ${builtins.concatStringsSep "\n " (map mkExport keys)}
+ }
+ '';
+
+ # Generate sops-nix secrets attribute set
+ mkSopsSecrets = { keys, owner, group ? "users" }:
+ builtins.listToAttrs (map (key: {
+ name = "api_keys/${key}";
+ value = {
+ mode = "0600";
+ inherit owner group;
+ };
+ }) keys);
 };
 };
 }
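Review bot: In `mkExport`, the guard `[ -f /run/secrets/api_keys/${key} ]` checks only that the file exists, while `mkSopsSecrets` creates these secrets with mode `0600` for a single `owner`; for any other user the `cat` fails and, because `export VAR="$(...)"` returns the status of `export`, the variable is exported empty with no error. Testing readability instead, `[ -r /run/secrets/api_keys/${key} ] && export ...`, keeps an unreadable secret from silently becoming a blank key. The `[ ... ] && export` form also makes `use_api_keys` return non-zero when the last key's file is absent, which would abort an `.envrc` running under `strict_env` or `set -e`; ending the generated function with `return 0`, or using `if`/`fi`, avoids that. The `/run/secrets` prefix is hard-coded here but not in `mkSopsSecrets`, so the two helpers presumably agree only while the consumer keeps the sops-nix default secrets location, which deserves a comment next to `mkExport`.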