Encrypted AI provider key persistence backed by SQLite (migration 005).
Stores API keys and Ollama config in the api_keys table so they survive
server restarts. Cloud provider keys are encrypted at rest using the same
AES-256-GCM utility used for project credentials. The plaintext key is
never persisted — only the encrypted blob.
Exports
set— Upsert an encrypted key or Ollama config for a provider.get— Retrieve and decrypt a stored key (or Ollama config).remove— Delete the stored key for a provider.getAll— Return all stored providers with decrypted values.
Methods
(static) get(provider) → {string|Object|null}
Retrieve and decrypt the stored value for a provider.
For cloud providers this returns a plaintext API key string.
For "local" this returns the parsed Ollama config object.
Parameters:
| Name | Type | Description |
|---|---|---|
provider |
string |
Returns:
Decrypted value, or null if not found / empty.
- Type
- string | Object | null
(static) getAll() → {Array.<{provider: string, value: (string|Object)}>}
Return all stored providers with their decrypted values. Useful at startup to restore all persisted keys into the runtime cache.
Returns:
- Type
- Array.<{provider: string, value: (string|Object)}>
(static) remove(provider)
Remove the stored key for a provider. Silently succeeds if the provider has no stored key.
Parameters:
| Name | Type | Description |
|---|---|---|
provider |
string |
(static) set(provider, value)
Persist (upsert) an API key or Ollama config for the given provider. Cloud provider values are encrypted before storage. Ollama config is JSON-serialised (not sensitive) then encrypted for consistency.
Parameters:
| Name | Type | Description |
|---|---|---|
provider |
string |
|
value |
string | Object | Plaintext API key string, or Ollama config object. |
Throws:
-
If provider is not a recognised value.
- Type
- Error