evault_core/traits/secret_store.rs
1//! [`SecretStore`] — opaque storage of secret variable values.
2//!
3//! Production implementations delegate to the operating system's keyring
4//! (`evault-store-keyring`). In headless environments without `DBus` / Secret
5//! Service, a fallback backed by an `age`-encrypted file may be used.
6
7use crate::crypto::SecretString;
8use crate::error::SecretError;
9use crate::model::VarId;
10
11/// Backend that holds **secret values** keyed by [`VarId`].
12///
13/// Values must never be returned through other channels (e.g. `Debug`) nor
14/// retained longer than the immediate caller needs. Implementations are
15/// expected to use the host OS's native secret storage; see the architecture
16/// notes in the workspace README.
17pub trait SecretStore: Send + Sync {
18 /// Store `value` for `id`, replacing any previous value.
19 ///
20 /// # Errors
21 /// Returns [`SecretError::Backend`] if the keyring rejected the write or
22 /// [`SecretError::Unavailable`] if the host platform offers no usable
23 /// secret storage and no fallback was configured.
24 fn put(&self, id: VarId, value: SecretString) -> Result<(), SecretError>;
25
26 /// Retrieve the secret value for `id`, or `Ok(None)` if absent.
27 ///
28 /// # Errors
29 /// Returns [`SecretError::Backend`] on backend failure.
30 fn get(&self, id: VarId) -> Result<Option<SecretString>, SecretError>;
31
32 /// Delete the secret value for `id`. No-op if absent.
33 ///
34 /// # Errors
35 /// Returns [`SecretError::Backend`] on backend failure.
36 fn delete(&self, id: VarId) -> Result<(), SecretError>;
37}