envseal 0.3.12

Write-only secret vault with process-level access control — post-agent secret management
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87

//! Integration contracts and registry.
//!
//! This module defines stable extension points so new integrations
//! (OAuth providers, cloud secret backends, CI systems, etc.) can be
//! added without rewiring CLI/MCP/Desktop layers.

use std::collections::BTreeMap;

/// Built-in integrations shipped with envseal.
pub mod builtin;

/// Lifecycle phase of an integration.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum IntegrationStage {
    /// Experimental, disabled by default.
    Experimental,
    /// Available but not yet considered stable API.
    Beta,
    /// Stable and intended for broad use.
    Stable,
    /// Deprecated and pending removal.
    Deprecated,
}

/// Capability surface advertised by an integration.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Default)]
#[allow(clippy::struct_excessive_bools)]
pub struct IntegrationCapabilities {
    /// Supports OAuth-style user authorization flows.
    pub oauth: bool,
    /// Supports importing secrets from external source.
    pub import: bool,
    /// Supports exporting secrets to external source.
    pub export: bool,
    /// Supports runtime token refresh.
    pub refresh_tokens: bool,
}

/// Stable contract every integration must implement.
pub trait IntegrationProvider: Send + Sync + 'static {
    /// Stable machine name (e.g. `github`, `aws-secrets-manager`).
    fn id(&self) -> &'static str;
    /// Human-readable display name.
    fn display_name(&self) -> &'static str;
    /// Current lifecycle stage.
    fn stage(&self) -> IntegrationStage;
    /// Capability flags.
    fn capabilities(&self) -> IntegrationCapabilities;
}

/// Runtime registry of available integrations.
#[derive(Default)]
pub struct IntegrationRegistry {
    providers: BTreeMap<&'static str, Box<dyn IntegrationProvider>>,
}

impl IntegrationRegistry {
    /// Create an empty registry.
    pub fn new() -> Self {
        Self::default()
    }

    /// Register a provider by its stable id.
    pub fn register<P: IntegrationProvider>(&mut self, provider: P) {
        self.providers.insert(provider.id(), Box::new(provider));
    }

    /// Whether a provider id exists.
    pub fn has(&self, id: &str) -> bool {
        self.providers.contains_key(id)
    }

    /// Return all provider ids in deterministic order.
    pub fn ids(&self) -> Vec<&'static str> {
        self.providers.keys().copied().collect()
    }
}

/// Build the canonical integration registry for this build.
///
/// New integrations should be added by implementing `IntegrationProvider`
/// in their own module and registering in `builtin::register_all`.
pub fn default_registry() -> IntegrationRegistry {
    let mut registry = IntegrationRegistry::new();
    builtin::register_all(&mut registry);
    registry
}