iron_secrets 0.3.0

Secrets management and encryption for Iron Cage
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87

# iron_secrets

Encrypted secrets storage and access control for AI agents.

[![Documentation](https://img.shields.io/badge/docs.rs-iron_secrets-E5E7EB.svg)](https://docs.rs/iron_secrets)

## Installation

```toml
[dependencies]
iron_secrets = { path = "../iron_secrets" }
```


## Quick Start

```rust
use iron_secrets::SecretsManager;

// Initialize with master key from environment
let manager = SecretsManager::new("./secrets.db")?;

// Store encrypted secret
manager.create("openai-api-key", "sk-proj-abc123...")?;

// Retrieve decrypted secret for agent use
let api_key = manager.get("openai-api-key")?;

// Audit trail is automatically maintained
```


<details>
<summary>Scope & Boundaries</summary>

**Responsibilities:**
Provides secure secrets management with AES-256-GCM encryption at rest, Argon2id key derivation, role-based access control, and comprehensive audit logging. Enables safe storage and runtime injection of sensitive credentials (API keys, database passwords, tokens).

**In Scope:**
- AES-256-GCM encryption for secrets at rest
- Argon2id key derivation from master key
- SQLite storage for encrypted blobs and metadata
- CRUD operations (create, read, update, delete, list)
- Role-based access control (Admin, Viewer, Agent)
- Audit logging for all secret operations
- Environment isolation (Development, Staging, Production)
- Secret masking for display (`sk-proj-abc...xyz`)
- Master key from environment variable

**Out of Scope:**
- AWS KMS integration (future)
- HashiCorp Vault integration (future)
- Secret versioning and history (future)
- Secret expiration and auto-rotation (future)
- Multi-tenancy isolation (future)
- External secret providers (GitHub Secrets, Azure Key Vault)
- REST API endpoints (see iron_control_api)
- Dashboard UI (see iron_dashboard)

</details>


<details>
<summary>Directory Structure</summary>

### Source Files

| File | Responsibility |
|------|----------------|
| lib.rs | Secure secrets management for AI agents |
| access_control.rs | Access control for secrets |
| audit.rs | Audit logging for secrets access |
| crypto.rs | Cryptographic operations for secret encryption/decryption |
| error.rs | Error types |
| secrets_manager.rs | Secrets manager service |
| storage.rs | Encrypted storage backend |

**Notes:**
- Entries marked 'TBD' require manual documentation
- Entries marked '⚠️ ANTI-PATTERN' should be renamed to specific responsibilities

</details>


## License

Apache-2.0