envvault/vault/secret.rs
//! Secret and SecretMetadata types stored inside a vault.
//!
//! Each secret holds its name, the encrypted value (as raw bytes),
//! and creation/update timestamps. The `encrypted_value` field uses
//! custom serde helpers so it serializes as a base64 string in JSON
//! rather than a raw byte array.
7
8use chrono::{DateTime, Utc};
9use serde::{Deserialize, Serialize};
10
11// Re-use the base64 serde helpers from format.rs (no duplication).
12use super::format::{base64_decode, base64_encode};
13
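/// A single encrypted secret stored in the vault.
///
/// Only `encrypted_value` is ciphertext. `name`, `created_at` and
/// `updated_at` are ordinary fields that the derived `Serialize` impl writes
/// out as-is, so at the level of this type they are readable by anyone who
/// can read the serialized vault.
///
/// NOTE(review): this type does not show whether `name` and the timestamps
/// are integrity-protected (for example covered by a file-level MAC, or bound
/// to the ciphertext as associated data). Confirm in the store/format code;
/// without that binding, a modified vault file could change them and
/// decryption would still succeed.
///
/// The derived `Debug` impl prints every field, including the raw bytes of
/// `encrypted_value`. That is ciphertext rather than plaintext, but keep it
/// in mind before logging a `Secret`.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Secret {
    /// The name of the secret (e.g. "DATABASE_URL"). Not encrypted by this type.
    pub name: String,

    /// The encrypted value bytes (nonce + ciphertext).
    /// Serialized as a base64 string in JSON for readability; base64 is an
    /// encoding only and adds no confidentiality or integrity.
    ///
    /// NOTE(review): the field is a plain `Vec<u8>`, so nothing here enforces
    /// a minimum length. Confirm the decrypt path rejects values shorter than
    /// the nonce before splitting nonce from ciphertext.
    #[serde(serialize_with = "base64_encode", deserialize_with = "base64_decode")]
    pub encrypted_value: Vec<u8>,

    /// When this secret was first created.
    pub created_at: DateTime<Utc>,

    /// When this secret was last updated.
    pub updated_at: DateTime<Utc>,
}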
31
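/// Lightweight metadata about a secret (no encrypted value).
///
/// Returned by `VaultStore::list_secrets` so callers can display
/// secret names and timestamps without touching any ciphertext.
///
/// Only `Debug` and `Clone` are derived here; no serde impls are derived for
/// this type. Secret names can be sensitive on their own (they may reveal
/// which services or credentials exist), so treat listings accordingly.
#[derive(Debug, Clone)]
pub struct SecretMetadata {
    /// The name of the secret.
    pub name: String,

    /// When the secret was first created.
    pub created_at: DateTime<Utc>,

    /// When the secret was last updated.
    pub updated_at: DateTime<Utc>,
}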