Struct Secrets 

pub struct Secrets {
    pub store: Arc<dyn KeyringStore>,
    /* private fields */
}

High-level facade combining a KeyringStore with environment variable fallbacks.

Lookup precedence: secret store -> env -> none. Callers that also have a TOML config layer must wire that themselves at the very end of the chain (the config crate handles this).

Examples

use codewhale_secrets::Secrets;

let secrets = Secrets::auto_detect();
if let Some(key) = secrets.resolve("deepseek") {
    // use the API key
}

Fields

store: Arc<dyn KeyringStore>

Underlying secret store backend.

Implementations

impl Secrets

pub fn new(store: Arc<dyn KeyringStore>) -> Secrets

Build a new facade around the given store, using the DEFAULT_SERVICE service name.

pub fn auto_detect() -> Secrets

Auto-detect the best available backend based on the environment.

Selection logic:

1. If SECRET_BACKEND_ENV is set to system/keyring/os/os-keyring, probe the OS keyring. If the probe succeeds, use it; otherwise fall back to the file-based store with a warning.
2. If the env var is unset, empty, or file/local/json, use the file-based store directly.
3. If the env var is set to an unrecognised value, log a warning and use the file-based store.

pub fn file_backed() -> Secrets

Construct the file-backed default backend directly.

pub fn system_keyring() -> Secrets

Construct the opt-in OS credential backend, falling back to the file-backed store when the platform backend is unavailable.

pub fn backend_name(&self) -> &'static str

Backend label, suitable for doctor output.

pub fn resolve(&self, name: &str) -> Option<String>

Resolve a secret with secret store → env → none precedence.

name is the canonical provider name or a supported provider alias. Empty strings on either layer are treated as “not set”.

pub fn resolve_with_source(&self, name: &str) -> Option<(String, SecretSource)>

Resolve a secret and report which layer supplied it.

pub fn set(&self, name: &str, value: &str) -> Result<(), SecretsError>

Convenience: write a secret through the underlying store.

pub fn delete(&self, name: &str) -> Result<(), SecretsError>

Convenience: delete a secret through the underlying store.

pub fn get(&self, name: &str) -> Result<Option<String>, SecretsError>

Convenience: read a secret directly (no env fallback).

pub fn resolve_direct( &self, key: &str, source_hint: Option<&str>, ) -> Option<String>

Resolve a secret by key name with an optional source constraint.

This is the fleet-worker secret resolution path. Unlike resolve, this does NOT map provider names to their canonical env vars — the caller controls the exact key and resolution order.

source_hint controls the resolution order:

• Some("env") — only check environment variables
• Some("keyring") — only check the keyring/file store
• None — try the store first, then fall back to environment

Trait Implementations

impl Clone for Secrets

fn clone(&self) -> Secrets

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Secrets

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter.