secrets_rs/lib.rs
1//! `secrets-rs` — safe secret retrieval for Rust applications.
2//!
3//! Secrets are identified by URN (`urn:secrets-rs:<source_id>:<name>`) and
4//! stored in [`Secret<T>`] structs. All default access paths (Display, Debug,
5//! serde serialization) emit a **masked value** that is safe to log. The real
6//! value must be requested explicitly via [`Secret::value`].
7//!
8//! # Built-in sources
9//!
10//! | Source | `source_id` | Backed by |
11//! |--------|-------------|-----------|
12//! | [`EnvSource`] | `"env"` (pre-registered) | `std::env::var` |
13//! | [`FileSource`] | e.g. `"file"` | `std::fs::read` (use [`FileSource::with_base`] for stable resolution in multi-threaded programs) |
14//!
15//! # Quick start
16//!
17//! ```rust
18//! use secrets_rs::{Secret, SourceRegistry, bind_all};
19//!
20//! #[derive(secrets_rs::Bindable)]
21//! struct Config {
22//! api_key: Secret<String>,
23//! }
24//!
25//! # unsafe { std::env::set_var("API_KEY", "s3cr3t") };
26//! let mut config = Config {
27//! api_key: Secret::new("urn:secrets-rs:env:API_KEY").unwrap(),
28//! };
29//!
30//! // EnvSource is registered under "env" by default.
31//! let registry = SourceRegistry::new();
32//! bind_all(&mut config, ®istry).unwrap();
33//!
34//! // Masked value — safe to log
35//! println!("{}", config.api_key);
36//!
37//! // Real value — explicit opt-in
38//! let key: &str = config.api_key.value().unwrap();
39//! # let _ = key;
40//! ```
41
42pub mod error;
43pub mod source;
44pub mod sources;
45pub mod urn;
46
47mod bindable;
48mod secret;
49
50pub use bindable::{Bindable, bind_all};
51pub use error::{BindError, SourceError, SourceRegisterError, UnboundError, UrnParseError};
52pub use secret::{Secret, SecretValue};
53pub use secrets_rs_macros::Bindable;
54pub use source::{Source, SourceRegistry};
55pub use sources::env::EnvSource;
56pub use sources::file::FileSource;
57pub use urn::Urn;