flip_api.scripts.generate_trust_internal_service_keys ===================================================== .. py:module:: flip_api.scripts.generate_trust_internal_service_keys .. autoapi-nested-parse:: Generate per-trust internal-service keys used across the trust services. This is the trust-side analogue of ``generate_internal_service_key.py`` (which covers the hub's fl-server → flip-api boundary). Each trust gets a distinct plaintext key shared by every trust-internal service (trust-api, imaging-api, data-access-api, fl-client) — the receiver does a constant-time compare against its own copy. The hub never sees these keys. Trust names are read from the ``TRUST_NAMES`` env var (a JSON list). The plaintext keys are written as a JSON dict into ``TRUST_INTERNAL_SERVICE_KEYS`` in the environment file. ``trust/Makefile`` extracts the per-trust value at deploy time via ``get_json_value``, the same way it already handles ``TRUST_API_KEYS``. Usage: make generate-trust-internal-service-keys make generate-trust-internal-service-keys ENV_FILE=.env.stag make generate-trust-internal-service-keys FORCE=1 Attributes ---------- .. autoapisummary:: flip_api.scripts.generate_trust_internal_service_keys.REPO_ROOT Functions --------- .. autoapisummary:: flip_api.scripts.generate_trust_internal_service_keys._parse_trust_names flip_api.scripts.generate_trust_internal_service_keys.main Module Contents --------------- .. py:data:: REPO_ROOT .. py:function:: _parse_trust_names(lines: list[str]) -> list[str] Extract trust names from the TRUST_NAMES env var line. :param lines: Lines of the environment file. :type lines: list[str] :returns: List of trust names, e.g. ``["Trust_1", "Trust_2"]``. :rtype: list[str] .. py:function:: main() -> None Generate per-trust internal service keys and update the environment file. Existing per-trust keys are preserved unless ``--force`` is given. :raises SystemExit: If the env file is missing or contains no ``TRUST_NAMES`` entry.