pub struct Vault {
pub paths: VaultPaths,
}
Fields
paths: VaultPaths
Implementations
impl Vault
pub fn open(root: &Path) -> Result<Self, VaultError>
Open a vault rooted at the given directory.
pub fn init(root: &Path) -> Result<Self, VaultError>
Initialize a new vault in the given directory.
pub fn add_agent(&self, name: &str) -> Result<PathBuf, VaultError>
Add a new agent to the vault.
pub fn set_secret( &self, secret_path: &str, value: &str, group: &str, expires: Option<DateTime<Utc>>, extra_agents: Option<&[String]>, ) -> Result<(), VaultError>
Set (create or update) a secret.
`extra_agents` allows encrypting for specific agents beyond the group members; each agent listed there can decrypt the secret without belonging to `group`.
pub fn pull(&self) -> Result<(), VaultError>
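Pull latest from git (best-effort, silently skips if no remote). Because a skipped pull is not reported, an `Ok(())` result does not guarantee that the local vault reflects the latest remote state.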
pub fn get_secret( &self, secret_path: &str, key_path: &Path, ) -> Result<SecretString, VaultError>
Get (decrypt) a secret using the provided identity key.
pub fn list_agents(&self) -> Result<Vec<(String, Vec<String>)>, VaultError>
List all agents in the vault.
pub fn list_secrets( &self, group_filter: Option<&str>, ) -> Result<Vec<SecretMetadata>, VaultError>
List all secrets, optionally filtered by group.
pub fn grant_agent( &self, agent_name: &str, group_name: &str, ) -> Result<Vec<String>, VaultError>
Grant an agent access to a group. Re-encrypts all secrets in that group.
pub fn revoke_agent( &self, agent_name: &str, group_name: &str, ) -> Result<Vec<String>, VaultError>
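Revoke an agent’s access to a group. Re-encrypts all secrets in that group. Returns the list of secret paths that were re-encrypted. Re-encryption only protects the new ciphertexts: the agent may still hold values it decrypted earlier, and ciphertexts encrypted to it may remain in git history, so treat the returned paths as secrets to rotate.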
pub fn remove_agent(&self, name: &str) -> Result<Vec<String>, VaultError>
Remove an agent from the vault entirely. Re-encrypts all secrets the agent had access to, removes agent files. Returns the list of groups the agent belonged to (for rotation warnings).
pub fn recover_agent(&self, name: &str) -> Result<PathBuf, VaultError>
Recover an agent: decrypts the escrowed key, generates a new keypair, re-encrypts secrets, and creates a new escrow. Returns the path to the new private key.
pub fn restore_agent( &self, name: &str, to_path: &Path, ) -> Result<(), VaultError>
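Restore an agent’s original private key from escrow. Writes the decrypted key to the specified path. The output file holds plaintext private key material, and this page does not state what permissions it is created with, so choose a location that only the intended owner can read.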
pub fn check(&self) -> Result<Vec<CheckIssue>, VaultError>
Audit the vault for issues.
pub fn resolve_identity_key( key_flag: Option<&str>, ) -> Result<PathBuf, VaultError>
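Resolve the identity key to use for decryption. Priority: `--key` flag > `AGENT_VAULT_KEY` env > `~/.agent-vault/owner.key`
`AGENT_VAULT_KEY` supports both file paths and raw key strings
(starting with `AGE-SECRET-KEY-`). A raw key placed in the environment is readable by anything that can inspect the process environment, including child processes that inherit it; pointing the variable at a key file with restrictive permissions avoids that exposure.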