@secret:<path> alias detection + resolver trait per
ADR-020 §5.
ADR-020 introduces an alias form so config files, command-line argv, and HTTP request templates can reference a secret by its ADR-020 path without ever storing the value alongside the reference. The TOML on disk holds the alias verbatim:
[gitlab]
token = "@secret:team/gitlab/token-deploy"
This module is the core half of alias resolution:
- parse_alias / is_alias / ALIAS_PREFIX — string-level detection. Whole-string match per ADR-020 §5; partial occurrences are not aliases.
- SecretResolver — abstract trait the config loader takes so it doesn’t need to know whether the secret lives in the OS keychain, a Vault server, or the local-vault daemon. devboy-storage provides a concrete impl wired into the P5 router; tests can pass a MemoryResolver.
Splitting detection (here) from resolution (storage) avoids a
circular dependency between devboy-core and devboy-storage.
The config loader stays free of credential-store / router
knowledge — it just calls resolver.resolve(path)? whenever
it sees an alias.
Round-trip preservation
Aliases are plain strings. Serde does not magic-convert them
at deserialize time; the config struct sees String /
Option<String> and the alias stays put. Resolution happens
at use-site, never at load-site, so re-serializing the config
puts the alias back on disk unchanged. The
roundtrip_preserves_alias test pins this contract.
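The detection and use-site resolution described above, sketched as an added example rather than the crate's own code. The signatures, the ResolveError type, the effective_value helper and the MemoryResolver layout are assumptions, and parse_alias checks only the two conditions stated on this page (whole-string match, non-empty path).

```rust
use std::collections::HashMap;

// Prefix taken from the page's alias form; everything else is an illustrative sketch.
const ALIAS_PREFIX: &str = "@secret:";

/// Whole-string match: the value must begin with the prefix and carry a non-empty path.
fn parse_alias(s: &str) -> Option<&str> {
    s.strip_prefix(ALIAS_PREFIX).filter(|path| !path.is_empty())
}

fn is_alias(s: &str) -> bool {
    parse_alias(s).is_some()
}

#[derive(Debug, PartialEq)]
enum ResolveError {
    NotFound(String), // hypothetical variant, stands in for the crate's error enum
}

trait SecretResolver {
    fn resolve(&self, path: &str) -> Result<String, ResolveError>;
}

/// In-memory resolver for tests; holds constructed sample data only.
struct MemoryResolver(HashMap<String, String>);

impl SecretResolver for MemoryResolver {
    fn resolve(&self, path: &str) -> Result<String, ResolveError> {
        self.0.get(path).cloned().ok_or_else(|| ResolveError::NotFound(path.to_string()))
    }
}

/// Use-site resolution: aliases go to the resolver, literal values pass through.
/// The stored string is only borrowed, so the config keeps the alias.
fn effective_value(raw: &str, r: &dyn SecretResolver) -> Result<String, ResolveError> {
    match parse_alias(raw) {
        Some(path) => r.resolve(path),
        None => Ok(raw.to_string()),
    }
}

fn main() {
    let mut store = HashMap::new();
    store.insert("team/gitlab/token-deploy".to_string(), "constructed-value".to_string());
    let resolver = MemoryResolver(store);
    let token = String::from("@secret:team/gitlab/token-deploy"); // as held in the TOML
    let value = effective_value(&token, &resolver).expect("constructed path exists");
    println!("alias={} resolved {} bytes; config still holds {}", is_alias(&token), value.len(), token);
}
```

A value such as "Bearer @secret:team/gitlab/token-deploy" is treated as a literal here, which is the whole-string rule in practice: an alias embedded in a longer string is never substituted.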
Enums
- AliasResolverError - Failure modes for SecretResolver::resolve.
Constants
- ALIAS_PREFIX - Reserved prefix that flags an @secret:<path> alias. Per ADR-020 §5: chosen so it cannot be accidentally interpreted by a shell expansion or a templating engine.
Traits
- SecretResolver - Resolves an @secret:<path> alias to its current value.
Functions
- is_alias - true iff s is an @secret:<path> alias with a non-empty path. Whole-string match; partial occurrences inside a longer value are not aliases per ADR-020 §5.
- parse_alias - Extract the path portion of an @secret:<path> alias. Returns Some(path) only when: