Struct ResolvedSecrets 

pub struct ResolvedSecrets {
    pub values: HashMap<String, String>,
    pub fingerprints: HashMap<String, String>,
}

Resolved secrets ready for injection

Fields

values: HashMap<String, String>

Secret name -> resolved value

fingerprints: HashMap<String, String>

Secret name -> HMAC fingerprint (for cache keys)

Implementations

impl ResolvedSecrets

pub fn new() -> Self

Create empty resolved secrets

pub async fn resolve<R: SecretResolver>( resolver: &R, secrets: &HashMap<String, SecretSpec>, salt_config: &SaltConfig, ) -> Result<Self, SecretError>

Resolve secrets using a resolver with salt configuration

Arguments

• resolver - The secret resolver to use
• secrets - Map of secret names to their configuration
• salt_config - Salt configuration for fingerprinting

Errors

Returns error if a secret cannot be resolved or if salt is missing when secrets have cache_key: true

pub fn from_batch(batch: BatchSecrets) -> Self

Create from a BatchSecrets instance.

This consumes the batch and converts it to the legacy format. Note that this exposes the secret values from the secure storage.

pub async fn resolve_batch<R: SecretResolver>( resolver: &R, secrets: &HashMap<String, SecretSpec>, salt_config: &SaltConfig, ) -> Result<Self, SecretError>

Resolve secrets using batch resolution with a resolver.

This is the preferred method for resolving multiple secrets efficiently. It uses the resolver’s batch resolution method which may use native batch APIs (e.g., AWS BatchGetSecretValue, 1Password Secrets.ResolveAll).

Arguments

• resolver - The secret resolver to use
• secrets - Map of secret names to their configuration
• salt_config - Salt configuration for fingerprinting

Errors

Returns error if a secret cannot be resolved or if salt is missing when secrets have cache_key: true

pub fn is_empty(&self) -> bool

Check if any secrets were resolved

pub fn get(&self, name: &str) -> Option<&str>

Get a resolved secret value by name

pub fn fingerprint_matches( &self, name: &str, cached_fingerprint: &str, salt_config: &SaltConfig, ) -> bool

Check if a cached fingerprint matches with salt rotation support

During salt rotation, this checks if the cached fingerprint matches using either the current or previous salt. This allows cache hits during the rotation window.

Arguments

• name - Secret name
• cached_fingerprint - Fingerprint from cache
• salt_config - Salt configuration with current and optional previous salt

Returns

true if the fingerprint matches with either salt, false otherwise

pub fn compute_fingerprints_for_validation( &self, name: &str, salt_config: &SaltConfig, ) -> (Option<String>, Option<String>)

Compute fingerprints using both current and previous salts

Returns a tuple of (current_fingerprint, previous_fingerprint) for cache validation. Either may be None if the corresponding salt is not configured.

Trait Implementations

impl Clone for ResolvedSecrets

fn clone(&self) -> ResolvedSecrets

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for ResolvedSecrets

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for ResolvedSecrets

fn default() -> ResolvedSecrets

Returns the “default value” for a type.