ringkernel-core 0.4.2

Core traits and types for RingKernel GPU-native actor system
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836

//! Secrets management for secure key storage and retrieval.
//!
//! This module provides a pluggable secrets management system with support for
//! multiple backends including environment variables, HashiCorp Vault, and AWS Secrets Manager.
//!
//! # Feature Flags
//!
//! - `crypto` - Enables secure key derivation and encryption of cached secrets
//!
//! # Example
//!
//! ```rust,ignore
//! use ringkernel_core::secrets::{SecretStore, EnvVarSecretStore, SecretKey};
//!
//! // Using environment variables (for development)
//! let store = EnvVarSecretStore::new("MYAPP_");
//! let api_key = store.get_secret(&SecretKey::new("api_key")).await?;
//!
//! // Using HashiCorp Vault (for production)
//! let vault = VaultSecretStore::new("https://vault.example.com:8200")
//!     .with_token_auth(env::var("VAULT_TOKEN")?)
//!     .with_mount_path("secret/data/myapp");
//! let db_password = vault.get_secret(&SecretKey::new("database/password")).await?;
//! ```

use async_trait::async_trait;
use parking_lot::RwLock;
use std::collections::HashMap;
use std::fmt;
use std::sync::Arc;
use std::time::{Duration, Instant};

#[cfg(feature = "crypto")]
use zeroize::Zeroize;

// ============================================================================
// SECRET KEY
// ============================================================================

/// A key identifying a secret in the store.
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct SecretKey {
    /// The secret path/name.
    path: String,
    /// Optional version specifier.
    version: Option<String>,
}

impl SecretKey {
    /// Create a new secret key.
    pub fn new(path: impl Into<String>) -> Self {
        Self {
            path: path.into(),
            version: None,
        }
    }

    /// Create a secret key with a specific version.
    pub fn with_version(path: impl Into<String>, version: impl Into<String>) -> Self {
        Self {
            path: path.into(),
            version: Some(version.into()),
        }
    }

    /// Get the path.
    pub fn path(&self) -> &str {
        &self.path
    }

    /// Get the version.
    pub fn version(&self) -> Option<&str> {
        self.version.as_deref()
    }
}

impl fmt::Display for SecretKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        if let Some(version) = &self.version {
            write!(f, "{}@{}", self.path, version)
        } else {
            write!(f, "{}", self.path)
        }
    }
}

// ============================================================================
// SECRET VALUE
// ============================================================================

/// A secret value retrieved from the store.
///
/// When the `crypto` feature is enabled, the secret data is automatically
/// zeroed when dropped using the `zeroize` crate.
pub struct SecretValue {
    /// The secret data.
    #[cfg(feature = "crypto")]
    data: zeroize::Zeroizing<Vec<u8>>,
    #[cfg(not(feature = "crypto"))]
    data: Vec<u8>,
    /// When the secret was retrieved.
    retrieved_at: Instant,
    /// Optional expiration time.
    expires_at: Option<Instant>,
    /// Metadata about the secret.
    metadata: HashMap<String, String>,
}

impl SecretValue {
    /// Create a new secret value.
    #[cfg(feature = "crypto")]
    pub fn new(data: Vec<u8>) -> Self {
        Self {
            data: zeroize::Zeroizing::new(data),
            retrieved_at: Instant::now(),
            expires_at: None,
            metadata: HashMap::new(),
        }
    }

    /// Create a new secret value (non-crypto version).
    #[cfg(not(feature = "crypto"))]
    pub fn new(data: Vec<u8>) -> Self {
        Self {
            data,
            retrieved_at: Instant::now(),
            expires_at: None,
            metadata: HashMap::new(),
        }
    }

    /// Create a secret value from a string.
    pub fn from_string(s: impl Into<String>) -> Self {
        Self::new(s.into().into_bytes())
    }

    /// Set the expiration time.
    pub fn with_expiry(mut self, duration: Duration) -> Self {
        self.expires_at = Some(Instant::now() + duration);
        self
    }

    /// Add metadata.
    pub fn with_metadata(mut self, key: impl Into<String>, value: impl Into<String>) -> Self {
        self.metadata.insert(key.into(), value.into());
        self
    }

    /// Get the secret data as bytes.
    pub fn as_bytes(&self) -> &[u8] {
        &self.data
    }

    /// Get the secret data as a string (if valid UTF-8).
    pub fn as_str(&self) -> Option<&str> {
        std::str::from_utf8(&self.data).ok()
    }

    /// Check if the secret has expired.
    pub fn is_expired(&self) -> bool {
        self.expires_at
            .map(|exp| Instant::now() > exp)
            .unwrap_or(false)
    }

    /// Get the age of this secret value.
    pub fn age(&self) -> Duration {
        self.retrieved_at.elapsed()
    }

    /// Get metadata.
    pub fn metadata(&self) -> &HashMap<String, String> {
        &self.metadata
    }
}

impl fmt::Debug for SecretValue {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("SecretValue")
            .field("length", &self.data.len())
            .field("retrieved_at", &"<instant>")
            .field("is_expired", &self.is_expired())
            .field("metadata", &self.metadata)
            .finish()
    }
}

// ============================================================================
// SECRET STORE TRAIT
// ============================================================================

/// Error type for secret store operations.
#[derive(Debug, Clone)]
pub enum SecretError {
    /// Secret not found.
    NotFound(String),
    /// Access denied.
    AccessDenied(String),
    /// Connection error.
    ConnectionError(String),
    /// Invalid secret format.
    InvalidFormat(String),
    /// Secret has expired.
    Expired(String),
    /// Rate limited.
    RateLimited(String),
    /// Other error.
    Other(String),
}

impl fmt::Display for SecretError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::NotFound(msg) => write!(f, "Secret not found: {}", msg),
            Self::AccessDenied(msg) => write!(f, "Access denied: {}", msg),
            Self::ConnectionError(msg) => write!(f, "Connection error: {}", msg),
            Self::InvalidFormat(msg) => write!(f, "Invalid format: {}", msg),
            Self::Expired(msg) => write!(f, "Secret expired: {}", msg),
            Self::RateLimited(msg) => write!(f, "Rate limited: {}", msg),
            Self::Other(msg) => write!(f, "Secret error: {}", msg),
        }
    }
}

impl std::error::Error for SecretError {}

/// Result type for secret store operations.
pub type SecretResult<T> = Result<T, SecretError>;

/// Trait for pluggable secret storage backends.
#[async_trait]
pub trait SecretStore: Send + Sync {
    /// Get a secret by key.
    async fn get_secret(&self, key: &SecretKey) -> SecretResult<SecretValue>;

    /// Check if a secret exists.
    async fn secret_exists(&self, key: &SecretKey) -> SecretResult<bool>;

    /// List available secrets (if supported).
    async fn list_secrets(&self, prefix: Option<&str>) -> SecretResult<Vec<SecretKey>>;

    /// Get the store name for logging/debugging.
    fn store_name(&self) -> &str;

    /// Check if the store is healthy/connected.
    async fn health_check(&self) -> SecretResult<()>;
}

// ============================================================================
// ENVIRONMENT VARIABLE SECRET STORE
// ============================================================================

/// Secret store backed by environment variables.
///
/// This is suitable for development and simple deployments.
/// Secret keys are transformed to environment variable names by:
/// 1. Applying the prefix
/// 2. Converting to uppercase
/// 3. Replacing `/` and `.` with `_`
///
/// Example: Key "database/password" with prefix "MYAPP_" becomes "MYAPP_DATABASE_PASSWORD"
pub struct EnvVarSecretStore {
    /// Prefix for environment variable names.
    prefix: String,
    /// Cache for retrieved secrets.
    cache: RwLock<HashMap<SecretKey, SecretValue>>,
    /// Cache duration.
    cache_duration: Duration,
}

impl EnvVarSecretStore {
    /// Create a new environment variable secret store.
    pub fn new(prefix: impl Into<String>) -> Self {
        Self {
            prefix: prefix.into(),
            cache: RwLock::new(HashMap::new()),
            cache_duration: Duration::from_secs(300), // 5 minutes default
        }
    }

    /// Set the cache duration.
    pub fn with_cache_duration(mut self, duration: Duration) -> Self {
        self.cache_duration = duration;
        self
    }

    /// Convert a secret key to an environment variable name.
    fn key_to_env_var(&self, key: &SecretKey) -> String {
        let path = key.path().to_uppercase().replace(['/', '.'], "_");
        format!("{}{}", self.prefix, path)
    }
}

#[async_trait]
impl SecretStore for EnvVarSecretStore {
    async fn get_secret(&self, key: &SecretKey) -> SecretResult<SecretValue> {
        // Check cache first
        {
            let cache = self.cache.read();
            if let Some(secret) = cache.get(key) {
                if !secret.is_expired() && secret.age() < self.cache_duration {
                    return Ok(SecretValue::new(secret.as_bytes().to_vec()));
                }
            }
        }

        // Get from environment
        let env_var = self.key_to_env_var(key);
        let value = std::env::var(&env_var).map_err(|_| {
            SecretError::NotFound(format!("Environment variable {} not set", env_var))
        })?;

        let secret = SecretValue::from_string(value)
            .with_metadata("source", "environment")
            .with_metadata("env_var", &env_var);

        // Cache it
        {
            let mut cache = self.cache.write();
            cache.insert(key.clone(), SecretValue::new(secret.as_bytes().to_vec()));
        }

        Ok(secret)
    }

    async fn secret_exists(&self, key: &SecretKey) -> SecretResult<bool> {
        let env_var = self.key_to_env_var(key);
        Ok(std::env::var(&env_var).is_ok())
    }

    async fn list_secrets(&self, prefix: Option<&str>) -> SecretResult<Vec<SecretKey>> {
        let full_prefix = match prefix {
            Some(p) => format!(
                "{}{}",
                self.prefix,
                p.to_uppercase().replace(['/', '.'], "_")
            ),
            None => self.prefix.clone(),
        };

        let secrets: Vec<SecretKey> = std::env::vars()
            .filter_map(|(name, _)| {
                if name.starts_with(&full_prefix) {
                    let path = name
                        .strip_prefix(&self.prefix)?
                        .to_lowercase()
                        .replace('_', "/");
                    Some(SecretKey::new(path))
                } else {
                    None
                }
            })
            .collect();

        Ok(secrets)
    }

    fn store_name(&self) -> &str {
        "EnvVarSecretStore"
    }

    async fn health_check(&self) -> SecretResult<()> {
        // Environment variables are always available
        Ok(())
    }
}

// ============================================================================
// IN-MEMORY SECRET STORE (for testing)
// ============================================================================

/// In-memory secret store for testing.
pub struct InMemorySecretStore {
    secrets: RwLock<HashMap<SecretKey, Vec<u8>>>,
}

impl InMemorySecretStore {
    /// Create a new in-memory secret store.
    pub fn new() -> Self {
        Self {
            secrets: RwLock::new(HashMap::new()),
        }
    }

    /// Add a secret to the store.
    pub fn add_secret(&self, key: SecretKey, value: impl Into<Vec<u8>>) {
        self.secrets.write().insert(key, value.into());
    }

    /// Add a string secret to the store.
    pub fn add_string_secret(&self, key: SecretKey, value: impl Into<String>) {
        self.add_secret(key, value.into().into_bytes());
    }
}

impl Default for InMemorySecretStore {
    fn default() -> Self {
        Self::new()
    }
}

#[async_trait]
impl SecretStore for InMemorySecretStore {
    async fn get_secret(&self, key: &SecretKey) -> SecretResult<SecretValue> {
        let secrets = self.secrets.read();
        secrets
            .get(key)
            .map(|data| SecretValue::new(data.clone()).with_metadata("source", "in_memory"))
            .ok_or_else(|| SecretError::NotFound(key.to_string()))
    }

    async fn secret_exists(&self, key: &SecretKey) -> SecretResult<bool> {
        Ok(self.secrets.read().contains_key(key))
    }

    async fn list_secrets(&self, prefix: Option<&str>) -> SecretResult<Vec<SecretKey>> {
        let secrets = self.secrets.read();
        let keys: Vec<SecretKey> = secrets
            .keys()
            .filter(|k| match prefix {
                Some(p) => k.path().starts_with(p),
                None => true,
            })
            .cloned()
            .collect();
        Ok(keys)
    }

    fn store_name(&self) -> &str {
        "InMemorySecretStore"
    }

    async fn health_check(&self) -> SecretResult<()> {
        Ok(())
    }
}

// ============================================================================
// CHAINED SECRET STORE
// ============================================================================

/// A secret store that chains multiple stores, trying each in order.
///
/// Useful for fallback scenarios (e.g., try Vault, fall back to env vars).
pub struct ChainedSecretStore {
    stores: Vec<Arc<dyn SecretStore>>,
}

impl ChainedSecretStore {
    /// Create a new chained secret store.
    pub fn new() -> Self {
        Self { stores: Vec::new() }
    }

    /// Add a store to the chain.
    pub fn with_store(mut self, store: Arc<dyn SecretStore>) -> Self {
        self.stores.push(store);
        self
    }
}

impl Default for ChainedSecretStore {
    fn default() -> Self {
        Self::new()
    }
}

#[async_trait]
impl SecretStore for ChainedSecretStore {
    async fn get_secret(&self, key: &SecretKey) -> SecretResult<SecretValue> {
        let mut last_error = SecretError::NotFound(key.to_string());

        for store in &self.stores {
            match store.get_secret(key).await {
                Ok(secret) => return Ok(secret),
                Err(e) => {
                    last_error = e;
                    continue;
                }
            }
        }

        Err(last_error)
    }

    async fn secret_exists(&self, key: &SecretKey) -> SecretResult<bool> {
        for store in &self.stores {
            if store.secret_exists(key).await? {
                return Ok(true);
            }
        }
        Ok(false)
    }

    async fn list_secrets(&self, prefix: Option<&str>) -> SecretResult<Vec<SecretKey>> {
        let mut all_keys = Vec::new();
        for store in &self.stores {
            if let Ok(keys) = store.list_secrets(prefix).await {
                all_keys.extend(keys);
            }
        }
        // Deduplicate
        all_keys.sort_by(|a, b| a.path().cmp(b.path()));
        all_keys.dedup_by(|a, b| a.path() == b.path());
        Ok(all_keys)
    }

    fn store_name(&self) -> &str {
        "ChainedSecretStore"
    }

    async fn health_check(&self) -> SecretResult<()> {
        for store in &self.stores {
            if store.health_check().await.is_ok() {
                return Ok(());
            }
        }
        Err(SecretError::ConnectionError(
            "All stores in chain are unhealthy".to_string(),
        ))
    }
}

// ============================================================================
// CACHING SECRET STORE WRAPPER
// ============================================================================

/// A wrapper that adds caching to any secret store.
pub struct CachedSecretStore<S: SecretStore> {
    inner: S,
    cache: RwLock<HashMap<SecretKey, CachedEntry>>,
    ttl: Duration,
    max_entries: usize,
}

struct CachedEntry {
    value: SecretValue,
    cached_at: Instant,
}

impl<S: SecretStore> CachedSecretStore<S> {
    /// Create a new cached secret store.
    pub fn new(inner: S) -> Self {
        Self {
            inner,
            cache: RwLock::new(HashMap::new()),
            ttl: Duration::from_secs(300), // 5 minutes
            max_entries: 1000,
        }
    }

    /// Set the cache TTL.
    pub fn with_ttl(mut self, ttl: Duration) -> Self {
        self.ttl = ttl;
        self
    }

    /// Set the maximum cache entries.
    pub fn with_max_entries(mut self, max: usize) -> Self {
        self.max_entries = max;
        self
    }

    /// Clear the cache.
    pub fn clear_cache(&self) {
        self.cache.write().clear();
    }

    /// Invalidate a specific key.
    pub fn invalidate(&self, key: &SecretKey) {
        self.cache.write().remove(key);
    }
}

#[async_trait]
impl<S: SecretStore> SecretStore for CachedSecretStore<S> {
    async fn get_secret(&self, key: &SecretKey) -> SecretResult<SecretValue> {
        // Check cache
        {
            let cache = self.cache.read();
            if let Some(entry) = cache.get(key) {
                if entry.cached_at.elapsed() < self.ttl {
                    return Ok(SecretValue::new(entry.value.as_bytes().to_vec()));
                }
            }
        }

        // Fetch from inner store
        let secret = self.inner.get_secret(key).await?;

        // Cache it
        {
            let mut cache = self.cache.write();

            // Evict if at capacity
            if cache.len() >= self.max_entries {
                // Remove oldest entry
                if let Some(oldest_key) = cache
                    .iter()
                    .min_by_key(|(_, e)| e.cached_at)
                    .map(|(k, _)| k.clone())
                {
                    cache.remove(&oldest_key);
                }
            }

            cache.insert(
                key.clone(),
                CachedEntry {
                    value: SecretValue::new(secret.as_bytes().to_vec()),
                    cached_at: Instant::now(),
                },
            );
        }

        Ok(secret)
    }

    async fn secret_exists(&self, key: &SecretKey) -> SecretResult<bool> {
        // Check cache first
        {
            let cache = self.cache.read();
            if let Some(entry) = cache.get(key) {
                if entry.cached_at.elapsed() < self.ttl {
                    return Ok(true);
                }
            }
        }

        self.inner.secret_exists(key).await
    }

    async fn list_secrets(&self, prefix: Option<&str>) -> SecretResult<Vec<SecretKey>> {
        self.inner.list_secrets(prefix).await
    }

    fn store_name(&self) -> &str {
        self.inner.store_name()
    }

    async fn health_check(&self) -> SecretResult<()> {
        self.inner.health_check().await
    }
}

// ============================================================================
// KEY ROTATION MANAGER
// ============================================================================

/// Manages automatic key rotation for encryption keys.
pub struct KeyRotationManager {
    /// Secret store for retrieving keys.
    store: Arc<dyn SecretStore>,
    /// Current key version.
    current_version: RwLock<u64>,
    /// Rotation interval.
    rotation_interval: Duration,
    /// Last rotation time.
    last_rotation: RwLock<Instant>,
    /// Key prefix in the store.
    key_prefix: String,
}

impl KeyRotationManager {
    /// Create a new key rotation manager.
    pub fn new(store: Arc<dyn SecretStore>, key_prefix: impl Into<String>) -> Self {
        Self {
            store,
            current_version: RwLock::new(1),
            rotation_interval: Duration::from_secs(3600), // 1 hour default
            last_rotation: RwLock::new(Instant::now()),
            key_prefix: key_prefix.into(),
        }
    }

    /// Set the rotation interval.
    pub fn with_rotation_interval(mut self, interval: Duration) -> Self {
        self.rotation_interval = interval;
        self
    }

    /// Get the current encryption key.
    pub async fn get_current_key(&self) -> SecretResult<SecretValue> {
        let version = *self.current_version.read();
        let key_name = format!("{}/v{}", self.key_prefix, version);
        self.store.get_secret(&SecretKey::new(key_name)).await
    }

    /// Get a specific key version.
    pub async fn get_key_version(&self, version: u64) -> SecretResult<SecretValue> {
        let key_name = format!("{}/v{}", self.key_prefix, version);
        self.store.get_secret(&SecretKey::new(key_name)).await
    }

    /// Check if rotation is needed.
    pub fn needs_rotation(&self) -> bool {
        self.last_rotation.read().elapsed() >= self.rotation_interval
    }

    /// Rotate to a new key version.
    ///
    /// Note: The actual key must be pre-provisioned in the secret store.
    pub fn rotate(&self) {
        let mut version = self.current_version.write();
        *version += 1;
        *self.last_rotation.write() = Instant::now();
    }

    /// Get the current key version number.
    pub fn current_version(&self) -> u64 {
        *self.current_version.read()
    }
}

// ============================================================================
// TESTS
// ============================================================================

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_secret_key() {
        let key = SecretKey::new("database/password");
        assert_eq!(key.path(), "database/password");
        assert!(key.version().is_none());

        let versioned = SecretKey::with_version("api_key", "v2");
        assert_eq!(versioned.path(), "api_key");
        assert_eq!(versioned.version(), Some("v2"));
    }

    #[test]
    fn test_secret_value() {
        let secret = SecretValue::from_string("hunter2");
        assert_eq!(secret.as_str(), Some("hunter2"));
        assert!(!secret.is_expired());

        let expired = SecretValue::from_string("old").with_expiry(Duration::from_nanos(1));
        std::thread::sleep(Duration::from_millis(1));
        assert!(expired.is_expired());
    }

    #[test]
    fn test_env_var_key_conversion() {
        let store = EnvVarSecretStore::new("MYAPP_");
        let key = SecretKey::new("database/password");
        assert_eq!(store.key_to_env_var(&key), "MYAPP_DATABASE_PASSWORD");

        let key2 = SecretKey::new("api.key");
        assert_eq!(store.key_to_env_var(&key2), "MYAPP_API_KEY");
    }

    #[tokio::test]
    async fn test_in_memory_store() {
        let store = InMemorySecretStore::new();
        let key = SecretKey::new("test/secret");

        // Initially not found
        assert!(store.get_secret(&key).await.is_err());
        assert!(!store.secret_exists(&key).await.unwrap());

        // Add secret
        store.add_string_secret(key.clone(), "secret_value");

        // Now found
        let secret = store.get_secret(&key).await.unwrap();
        assert_eq!(secret.as_str(), Some("secret_value"));
        assert!(store.secret_exists(&key).await.unwrap());
    }

    #[tokio::test]
    async fn test_chained_store() {
        let store1 = Arc::new(InMemorySecretStore::new());
        let store2 = Arc::new(InMemorySecretStore::new());

        let key1 = SecretKey::new("key1");
        let key2 = SecretKey::new("key2");

        store1.add_string_secret(key1.clone(), "value1");
        store2.add_string_secret(key2.clone(), "value2");

        let chain = ChainedSecretStore::new()
            .with_store(store1)
            .with_store(store2);

        // Can find keys from both stores
        let secret1 = chain.get_secret(&key1).await.unwrap();
        assert_eq!(secret1.as_str(), Some("value1"));

        let secret2 = chain.get_secret(&key2).await.unwrap();
        assert_eq!(secret2.as_str(), Some("value2"));

        // Unknown key fails
        assert!(chain.get_secret(&SecretKey::new("unknown")).await.is_err());
    }

    #[tokio::test]
    async fn test_cached_store() {
        let inner = InMemorySecretStore::new();
        let key = SecretKey::new("cached_key");
        inner.add_string_secret(key.clone(), "cached_value");

        let cached = CachedSecretStore::new(inner)
            .with_ttl(Duration::from_secs(60))
            .with_max_entries(10);

        // First fetch populates cache
        let secret = cached.get_secret(&key).await.unwrap();
        assert_eq!(secret.as_str(), Some("cached_value"));

        // Second fetch uses cache
        let secret2 = cached.get_secret(&key).await.unwrap();
        assert_eq!(secret2.as_str(), Some("cached_value"));

        // Invalidate and re-fetch
        cached.invalidate(&key);
        let secret3 = cached.get_secret(&key).await.unwrap();
        assert_eq!(secret3.as_str(), Some("cached_value"));
    }

    #[tokio::test]
    async fn test_list_secrets() {
        let store = InMemorySecretStore::new();
        store.add_string_secret(SecretKey::new("db/host"), "localhost");
        store.add_string_secret(SecretKey::new("db/port"), "5432");
        store.add_string_secret(SecretKey::new("api/key"), "secret");

        let all = store.list_secrets(None).await.unwrap();
        assert_eq!(all.len(), 3);

        let db_only = store.list_secrets(Some("db/")).await.unwrap();
        assert_eq!(db_only.len(), 2);
    }
}