Crate devboy_storage

Secure credential storage with multiple backends.

This crate provides credential storage with support for:

  • OS Keychain: macOS Keychain, Windows Credential Manager, Linux Secret Service
  • Environment Variables: For CI/CD and containerized environments
  • Chain Store: Composable fallback between multiple backends

Credential Resolution Order

When using ChainStore::default_chain(), credentials are resolved in this order:

  1. Environment variables (highest priority, for CI/CD)
    • DEVBOY_{PROVIDER}_TOKEN (e.g., DEVBOY_GITHUB_TOKEN)
    • {PROVIDER}_TOKEN (fallback, e.g., GITHUB_TOKEN)
  2. OS Keychain (for local development)
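
The resolution order above, modelled as a stand-alone added example (not the crate's code): `Origin`, `env_candidates` and `resolve` are hypothetical names, plain maps stand in for the environment and the keychain, and the key-to-variable mapping is inferred from the `github.token` case on this page. It reports which source supplied a value, so a leftover `GITHUB_TOKEN` shadowing the keychain entry becomes visible.

```rust
use std::collections::HashMap;

/// Where a resolved credential came from (names are this example's, not the crate's).
#[derive(Debug, PartialEq)]
enum Origin {
    Env(String), // name of the variable that supplied the value
    Keychain,
}

/// Env var names checked for a "<provider>.token" key, in priority order.
/// Assumption: the provider is the part before ".token", upper-cased.
fn env_candidates(key: &str) -> Vec<String> {
    match key.strip_suffix(".token") {
        Some(p) if !p.is_empty() => {
            let p = p.to_ascii_uppercase();
            vec![format!("DEVBOY_{p}_TOKEN"), format!("{p}_TOKEN")]
        }
        _ => Vec::new(),
    }
}

/// Resolve `key` in the documented order: environment first, then keychain.
/// `env` and `keychain` are plain maps standing in for the real backends.
fn resolve(
    key: &str,
    env: &HashMap<String, String>,
    keychain: &HashMap<String, String>,
) -> Option<(String, Origin)> {
    for name in env_candidates(key) {
        // Treat an empty variable as unset (an assumption of this example).
        if let Some(v) = env.get(&name).filter(|v| !v.is_empty()) {
            return Some((v.clone(), Origin::Env(name)));
        }
    }
    keychain.get(key).map(|v| (v.clone(), Origin::Keychain))
}

fn main() {
    // Constructed sample data: a generic GITHUB_TOKEN left in the shell
    // shadows the keychain entry for the same provider.
    let env = HashMap::from([("GITHUB_TOKEN".to_string(), "env-value".to_string())]);
    let keychain = HashMap::from([("github.token".to_string(), "keychain-value".to_string())]);
    let (_, origin) = resolve("github.token", &env, &keychain).unwrap();
    println!("github.token served from {origin:?}");
}
```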

Example

use devboy_storage::{ChainStore, CredentialStore};

// Use the default chain (env vars -> keychain)
let store = ChainStore::default_chain();

// This will check DEVBOY_GITHUB_TOKEN, then GITHUB_TOKEN,
// then keychain for "github.token"
let token = store.get("github.token")?;

// Or use keychain directly for local development
use devboy_storage::KeychainStore;
let keychain = KeychainStore::new();
keychain.store("gitlab.token", "glpat-xxx")?;

Re-exports

pub use cache::CachedStore;
pub use ci::CI_HEURISTIC_VARS;
pub use ci::CiActivation;
pub use ci::CiDetection;
pub use ci::CiPolicy;
pub use ci::DEVBOY_CI_ENV;
pub use ci::detect_ci_mode;
pub use expiry::ExpiryWarning;
pub use expiry::ExpiryWarningKind;
pub use expiry::WARNING_WINDOW_DAYS;
pub use expiry::check_rotation_reminders;
pub use index::ApproveOnUse;
pub use index::Gate;
pub use index::GlobalIndex;
pub use index::IndexEntry;
pub use index::IndexError;
pub use index::RotationMethod;
pub use manifest::MANIFEST_RELATIVE_PATH;
pub use manifest::ManifestError;
pub use manifest::OverrideEntry;
pub use manifest::PathRole;
pub use manifest::ProjectManifest;
pub use merge::MergeError;
pub use merge::MergeOutput;
pub use merge::MergeWarning;
pub use merge::MergeWarningKind;
pub use merge::OverrideField;
pub use merge::ResolvedSecret;
pub use merge::SecretOrigin;
pub use merge::merge_manifest;
pub use pattern_resolution::InheritanceWarning;
pub use pattern_resolution::InheritanceWarningKind;
pub use pattern_resolution::apply_pattern_inheritance;
pub use router_cache::AdaptiveCache;
pub use router_cache::CacheClock;
pub use router_cache::DEFAULT_BASE_TTL;
pub use router_cache::ManualClock;
pub use router_cache::SystemClock;
pub use router_config::DefaultRoute;
pub use router_config::RouteRule;
pub use router_config::RouterConfig;
pub use router_config::RouterConfigError;
pub use router_config::SOURCES_FILENAME;
pub use router_config::SecretOverride;
pub use router_config::SourceAccess;
pub use router_config::SourceDefinition;
pub use router_credentials::CredentialGraphError;
pub use router_credentials::SOURCE_CREDENTIALS_PREFIX;
pub use router_credentials::validate_source_credentials;
pub use router_resolve::PathResolver;
pub use router_resolve::ResolveError;
pub use router_resolve::RouteDecision;
pub use secret_path::PathError;
pub use secret_path::SecretPath;
pub use source::Capabilities;
pub use source::CredentialRef;
pub use source::GetOutcome;
pub use source::RemoteRef;
pub use source::SecretSource;
pub use source::SourceError;
pub use source::SourceStatus;
pub use validation::FormatCheck;
pub use validation::FormatRuleSource;
pub use validation::validate_format;

Modules

cache
In-memory TTL cache layer on top of a CredentialStore.
ci
Explicit CI-mode detection per ADR-021 §8 (“CI mode (explicit, not heuristic)”).
expiry
Expiry + rotation reminders per ADR-020 §3.
index
Global secret-metadata index per ADR-020 §3.
manifest
Per-project secret manifest per ADR-020 §4.
merge
Manifest-with-global-index merge per ADR-020 §4.
pattern_resolution
Pattern-id inheritance per ADR-020 §3 + ADR-023 §3.6.
plugin_client
Lifetime-managing client for subprocess SecretSource plugins per ADR-021 §10 (subprocess plugin lifetime contract).
plugin_manifest
Sidecar manifest + plugin discovery for SecretSource plugins per ADR-021 §10.
plugin_protocol
JSON-RPC over stdio wire protocol for SecretSource plugins per ADR-021 §10 (subprocess plugin extension).
router_cache
In-memory cache for the source router per ADR-021 §7.
router_config
Router configuration loader per ADR-021 §2.
router_credentials
Source-credential recursion check per ADR-021 §4.
router_resolve
Path resolution algorithm per ADR-021 §2.
secret_path
Secret path validation per ADR-020 §2.
source
SecretSource trait + supporting types per ADR-021 §1.
validation
Format validation per ADR-021 §6 (the “validation framework” umbrella) and ADR-020 §3 (format_regex / pattern_id metadata fields).

Structs

ChainStore
Composable credential store that chains multiple backends.
EnvVarStore
Environment-variable-backed credential store.
KeychainStore
Credential store using the OS keychain.
MemoryStore
In-memory credential store for testing.

Traits

CredentialStore
Credential storage trait.

Functions

build_default_store
Build the default credential chain, optionally wrapping the whole thing in a TTL cache. Call this from host binaries (CLI, MCP server entrypoint) so the cache configuration stays consistent.
email_key
Standard credential key for a provider’s email (used by Jira).
token_key
Standard credential key for a provider’s API token.
wrap_with_cache
Build a store on top of a user-provided backend (mainly useful for CI variants or custom test harnesses). Same cache semantics as build_default_store.