Global secret-metadata index per ADR-020 §3.
The global index lives at <config-dir>/secrets/index.toml and
holds metadata, never values: human description, retrieval URL,
format regex, expiry/rotation hints, optional pattern reference.
It is the canonical, cross-project source of truth for everything
about a secret except the value itself.
§File layout
[secret."team/gitlab/token-deploy"]
description = "Deploy token for the team GitLab"
retrieval_url = "https://gitlab.example.internal/-/profile/personal_access_tokens"
format_regex = "^glpat-[A-Za-z0-9_-]{20,}$"
default_gate = "auto" # auto | confirm | touchid
expires_at = "2026-08-01" # ISO 8601 date, optional
last_rotated_at = "2026-05-02" # ISO 8601 date, optional
rotate_every_days = 90 # advisory, drives doctor warnings
rotation_method = "manual" # manual | provider-ui | provider-api
required_scopes = ["api", "read_repository"]
pattern_id = "gitlab-pat" # devboy-secret-patterns id
env_var = "GITLAB_TOKEN_DEPLOY" # env-store override (ADR-021 §8)
cache_ttl_seconds_max = 60 # bound on adaptive TTL (ADR-021 §7)
§Path semantics
Keys are typed as SecretPath. Loading rejects any non-conforming
key with IndexError::Path — a typo in a path turns into a hard
load-time failure, not a silent miss at lookup time.
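A std-only sketch of the fail-at-load behaviour described above, added here as an example and not the crate's own code. The path grammar, the `parse` and `load` functions, and the one-variant `IndexError` are assumptions made for illustration; the real `SecretPath` rules are not stated on this page.

```rust
use std::collections::BTreeMap;

/// Validated index key. ASSUMED grammar (not from the page): two or more
/// '/'-separated segments, each non-empty and limited to [a-z0-9_-].
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub struct SecretPath(String);

#[derive(Debug, PartialEq)]
pub enum IndexError {
    /// An index key failed path validation; carries the offending key.
    Path(String),
}

impl SecretPath {
    pub fn parse(raw: &str) -> Result<SecretPath, IndexError> {
        let segments: Vec<&str> = raw.split('/').collect();
        let valid = segments.len() >= 2
            && segments.iter().all(|s| {
                !s.is_empty()
                    && s.bytes().all(|b| {
                        b.is_ascii_lowercase() || b.is_ascii_digit() || b == b'-' || b == b'_'
                    })
            });
        if valid {
            Ok(SecretPath(raw.to_owned()))
        } else {
            Err(IndexError::Path(raw.to_owned()))
        }
    }
}

/// Hypothetical loader. `raw` stands in for the parsed `[secret."<key>"]`
/// tables as (key, description) pairs. One bad key fails the whole load,
/// so lookups only ever see keys that passed validation.
pub fn load(raw: &[(&str, &str)]) -> Result<BTreeMap<SecretPath, String>, IndexError> {
    raw.iter()
        .map(|(key, desc)| SecretPath::parse(key).map(|p| (p, desc.to_string())))
        .collect()
}

fn main() {
    // Constructed sample input; the second key contains a stray space.
    let good = [("team/gitlab/token-deploy", "Deploy token for the team GitLab")];
    let bad = [good[0], ("team/gitlab/token deploy", "typo")];
    println!("{:?}", load(&good).map(|m| m.len()));
    println!("{:?}", load(&bad).map(|m| m.len()));
}
```

Because the map is keyed by the validated type, a caller cannot look up a string that skipped validation without going through `parse` first.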
Structs§
- GlobalIndex - In-memory representation of the global index.
- IndexEntry - Metadata for a single secret stored in the global index.
Enums§
- ApproveOnUse - How the secret is rotated.
- Gate - User-controllable interaction gate for a secret.
- IndexError - Failure modes when loading or operating on a GlobalIndex.
- RotationMethod - ADR-023 §3.5 — provider-driven rotation is deferred).
Constants§
- INDEX_FILENAME - Filename of the global metadata index inside SECRETS_SUBDIR.
- SECRETS_SUBDIR - Subdirectory under the user’s config directory that holds the secret-framework configuration files (this index, the source router config, the local vault file).