dugout 0.1.9

Git-native secrets manager for development teams, written in Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91

//! A local secrets manager for development teams
//!
//! Dugout encrypts secrets at rest using age encryption with optional
//! cloud KMS hybrid mode (AWS KMS, GCP KMS) and provides a simple CLI
//! for managing secrets across teams.
//!
//! # Quick start
//!
//! ```no_run
//! use dugout::Vault;
//!
//! let mut vault = Vault::open()?;
//! vault.set("DATABASE_URL", "postgres://localhost/db", false)?;
//! let value = vault.get("DATABASE_URL")?;
//! # Ok::<(), dugout::error::Error>(())
//! ```
//!
//! # Architecture
//!
//! The crate is organized into two main modules:
//!
//! - **`core`**: Library code with [`Vault`] as the main entry point
//! - **`cli`**: Command-line interface and user-facing commands
//!
//! ## Core Components
//!
//! - [`Vault`]: Main API for all secret operations
//! - Domain types: [`Secret`], [`Recipient`], [`Identity`], [`Env`], [`Diff`]
//! - Cipher backends: age (default) + hybrid age+KMS
//! - Configuration in `.dugout.toml`
//!
//! # Features
//!
//! - **Fast**: Age encryption with x25519 keys
//! - **Team-ready**: Multiple recipients, key rotation
//! - **Flexible**: Two cipher backends: age (default) and hybrid age+KMS
//! - **Developer-friendly**: `.env` file integration, shell completion
//! - **Secure**: No secrets in git history, encrypted at rest
//!
//! # Example: Initialize and use a vault
//!
//! ```rust,no_run
//! use dugout::Vault;
//!
//! # fn main() -> Result<(), Box<dyn std::error::Error>> {
//! // Initialize a new vault with default age cipher
//! let mut vault = Vault::init("alice", None)?;
//!
//! // Set a secret
//! vault.set("DATABASE_URL", "postgres://localhost/db", false)?;
//!
//! // Get a secret
//! let value = vault.get("DATABASE_URL")?;
//!
//! // Add a team member
//! vault.add_recipient("bob", "age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p")?;
//!
//! // List all secrets
//! for secret in vault.list() {
//!     println!("{}", secret.key());
//! }
//! # Ok(())
//! # }
//! ```

pub mod cli;
pub mod core;
pub mod error;

// Re-export the public API
pub use core::domain::*;
pub use core::types::*;
pub use core::vault::Vault;

/// Benchmark support: re-export cipher and config internals.
#[doc(hidden)]
pub mod bench {
    pub use crate::core::cipher::{Age, Cipher};
    pub use crate::core::config::Config;
}

/// Test-only exports for KMS integration tests.
#[cfg(any(feature = "test-aws", feature = "test-gcp"))]
#[doc(hidden)]
pub mod test {
    #[cfg(feature = "test-aws")]
    pub use crate::core::cipher::aws;
    #[cfg(feature = "test-gcp")]
    pub use crate::core::cipher::gcp;
    pub use crate::core::cipher::Cipher;
}