zeph-vault 0.19.1

VaultProvider trait and backends (env, age) for Zeph secret management
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84

# zeph-vault

[![Crates.io](https://img.shields.io/crates/v/zeph-vault)](https://crates.io/crates/zeph-vault)
[![docs.rs](https://img.shields.io/docsrs/zeph-vault)](https://docs.rs/zeph-vault)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](../../LICENSE)
[![MSRV](https://img.shields.io/badge/MSRV-1.88-blue)](https://www.rust-lang.org)

`VaultProvider` trait and backends (env, age) for Zeph secret management.

## Overview

Provides a unified interface for resolving secrets needed by the agent (API keys, tokens) without embedding them in the config file. Two backends ship out of the box: an environment-variable backend for simple deployments and an age-encrypted file backend for production use. All secret values are held as `Zeroizing<String>` — they are zeroed in memory on drop and never implement `Clone`.

## Key types

| Type | Description |
|------|-------------|
| `VaultProvider` | Trait: `get(key) -> Option<Zeroizing<String>>`, `set(key, value)`, `delete(key)`, `list_keys()`, `save()` |
| `EnvVaultProvider` | Reads secrets from environment variables; writes are no-ops |
| `AgeVaultProvider` | Reads/writes an age-encrypted JSON file (`~/.config/zeph/vault.age`) |
| `AnyVaultProvider` | Enum dispatch over all provider variants |
| `VaultError` | Typed error enum (`Io`, `Decrypt`, `Encrypt`, `Parse`, `KeyNotFound`) |
| `MockVaultProvider` | In-memory provider for tests (feature-gated: `mock`) |

## Usage

```rust
use zeph_vault::{AgeVaultProvider, VaultProvider};

// Open (or create) the age-encrypted vault
let mut vault = AgeVaultProvider::open("~/.config/zeph/vault.age")?;

// Store a secret
vault.set("ZEPH_CLAUDE_API_KEY", "sk-ant-...".into());
vault.save().await?;

// Retrieve a secret — returned as Zeroizing<String>
if let Some(key) = vault.get("ZEPH_CLAUDE_API_KEY") {
    println!("Key length: {}", key.len());
    // key is zeroed when dropped
}
```

CLI usage:

```bash
zeph vault set ZEPH_CLAUDE_API_KEY sk-ant-...
zeph vault get ZEPH_CLAUDE_API_KEY
zeph vault list
zeph vault delete ZEPH_CLAUDE_API_KEY
```

## Configuration

```toml
[vault]
backend = "age"                           # "env" or "age"
path = "~/.config/zeph/vault.age"         # only used by "age" backend
```

The `env` backend resolves secrets directly from environment variables — no file needed. Use `age` for production deployments where secrets must be stored on disk.

> [!IMPORTANT]
> Age-encrypted vault files are created with `0o600` permissions. Ensure the key file (`~/.config/zeph/age_key`) is kept secure. Losing the key makes the vault unrecoverable.

## Features

| Feature | Description |
|---------|-------------|
| `mock` | Enables `MockVaultProvider` for downstream crate tests |

## Installation

```bash
cargo add zeph-vault
```

## Documentation

Full documentation: <https://bug-ops.github.io/zeph/>

## License

MIT