Module secrets

Hot-rotating secrets without restarts and without locks.

§The problem

Secrets read from env at boot are frozen for the process lifetime: rotating JWT_SECRET means restarting the whole fleet and invalidating every live token at once. Plaintext also lingers in the container environment (/proc/<pid>/environ), which fails most compliance reviews.

§The model

  • SecretSource: where secrets come from (Vault, AWS Secrets Manager, env for dev). The app implements it; the framework never links a cloud SDK — the same rule that keeps OAuth2Provider implementations app-side.
  • Rotating<T>: how live key material is held: an ArcSwap, so the request hot path pays one atomic pointer load (no Mutex/RwLock), while a background watcher swaps in new material atomically.
  • spawn_secret_watcher: polls the source on an interval from ArclyPlugin::on_start and invokes a callback when the version changes.

Services that own derived key material (JwtService, CookieService) hold a Rotating<…bundle…> internally and keep the previous key for verification during a grace window, so rotation never mass-invalidates tokens that are still inside their TTL.
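The grace-window behaviour described above, as an added std-only sketch; it is not this crate's code. KeyBundle, its methods and the SecretVersion fields are hypothetical names, and the Rotating/ArcSwap holder that would publish the new bundle is left out because arc-swap is an external crate.

```rust
use std::time::{Duration, Instant};

// Hypothetical shape: the page only says "value plus a monotonically increasing version".
#[derive(Clone, Debug)]
pub struct SecretVersion { pub value: Vec<u8>, pub version: u64 }

/// Immutable bundle (hypothetical name); a rotation builds a new one to swap in whole.
#[derive(Clone, Debug)]
pub struct KeyBundle {
    current: SecretVersion,
    previous: Option<(SecretVersion, Instant)>, // old key + instant it stops verifying
}

impl KeyBundle {
    pub fn new(initial: SecretVersion) -> Self {
        Self { current: initial, previous: None }
    }

    /// Bundle to swap in, or None when `fetched` is not newer (unchanged poll or rollback).
    pub fn rotated(&self, fetched: SecretVersion, now: Instant, grace: Duration) -> Option<Self> {
        if fetched.version <= self.current.version {
            return None;
        }
        Some(Self { current: fetched, previous: Some((self.current.clone(), now + grace)) })
    }

    /// New tokens are always signed with the current key.
    pub fn signing_key(&self) -> &[u8] {
        &self.current.value
    }

    /// Keys a verifier may try: current first, then the previous key until its grace ends.
    pub fn verification_keys(&self, now: Instant) -> Vec<&[u8]> {
        let mut keys = vec![self.current.value.as_slice()];
        if let Some((old, retire_at)) = &self.previous {
            if now < *retire_at {
                keys.push(old.value.as_slice());
            }
        }
        keys
    }
}

fn main() {
    let (t0, grace) = (Instant::now(), Duration::from_secs(900)); // constructed sample values
    let b = KeyBundle::new(SecretVersion { value: b"k1".to_vec(), version: 1 });
    let b = b.rotated(SecretVersion { value: b"k2".to_vec(), version: 2 }, t0, grace).unwrap();
    println!("sign with {:?}, {} key(s) verify", b.signing_key(), b.verification_keys(t0).len());
}
```

In this sketch a second rotation inside the grace window discards the oldest key, so the grace period has to cover the token TTL and stay shorter than the rotation interval.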

Structs§

Rotating
Atomically swappable key material.
SecretVersion
One fetched secret value plus a monotonically increasing version.

Traits§

SecretSource
External secret backend — Vault, AWS Secrets Manager, env (dev), …

Functions§

spawn_secret_watcher
Poll source for key every interval; when the version increases, invoke on_change with the new secret.