Module index

Global secret-metadata index per ADR-020 §3.

The global index lives at <config-dir>/secrets/index.toml and holds metadata, never values: human description, retrieval URL, format regex, expiry/rotation hints, optional pattern reference. It is the canonical, cross-project source of truth for everything about a secret except the value itself.

§File layout

[secret."team/gitlab/token-deploy"]
description       = "Deploy token for the team GitLab"
retrieval_url     = "https://gitlab.example.internal/-/profile/personal_access_tokens"
format_regex      = "^glpat-[A-Za-z0-9_-]{20,}$"
default_gate      = "auto"            # auto | confirm | touchid
expires_at        = "2026-08-01"      # ISO 8601 date, optional
last_rotated_at   = "2026-05-02"      # ISO 8601 date, optional
rotate_every_days = 90                # advisory, drives doctor warnings
rotation_method   = "manual"          # manual | provider-ui | provider-api
required_scopes   = ["api", "read_repository"]
pattern_id        = "gitlab-pat"      # devboy-secret-patterns id
env_var           = "GITLAB_TOKEN_DEPLOY"  # env-store override (ADR-021 §8)
cache_ttl_seconds_max = 60            # bound on adaptive TTL (ADR-021 §7)

§Path semantics

Keys are typed as SecretPath. Loading rejects any non-conforming key with IndexError::Path — a typo in a path turns into a hard load-time failure, not a silent miss at lookup time.

Structs§

GlobalIndex
In-memory representation of the global index.
IndexEntry
Metadata for a single secret stored in the global index.

Enums§

ApproveOnUse
How the secret is rotated.
Gate
User-controllable interaction gate for a secret.
IndexError
Failure modes when loading or operating on a GlobalIndex.
RotationMethod
ADR-023 §3.5 — provider-driven rotation is deferred).

Constants§

INDEX_FILENAME
Filename of the global metadata index inside SECRETS_SUBDIR.
SECRETS_SUBDIR
Subdirectory under the user’s config directory that holds the secret-framework configuration files (this index, the source router config, the local vault file).