Expand description
gtc op secrets {list,put,get,rotate} (A3).
Operates on the env’s bound Secrets env-pack. The actual backend
dispatch (AWS Secrets Manager, Azure Key Vault, dev-store, Vault, etc.)
lives in greentic-secrets-lib; the env-pack registry (A9) is what binds
a PackDescriptor to a concrete backend at runtime. A3 ships the
command surface, enforces the env-must-have-secrets-pack precondition,
and reports the resolved kind in every envelope.
put is live for the greentic.secrets.dev-store kind (the default
binding op env init creates): it writes the value into the env’s local
dev store at the same path the runtime reader (greentic-start
SecretsClient::open(<env_dir>)) resolves, so a put is immediately
visible to served revisions. All other kinds — and get/rotate against any
live backend — return NotYetImplemented and point at the gating PR
(A9 — env-pack registry + handler dispatch).
list returns the namespace keys the env owns (always secret://<env>/...)
— no actual material is fetched.
Structs§
Functions§
- get
op secrets get. Reads a secret back for the dev-store and Vault backends (symmetric toput); other kinds returnNotYetImplemented(A9). Reads are not audited (matchinglist). By default only presence + metadata is returned;reveal: trueincludes the decrypted value.- list
op secrets list. Returns the env’s secret-ref namespace plus the kind of the bound secrets env-pack. Phase A does not yet enumerate live backend-side keys (no handler dispatch); the operator gets the namespace plus backend identity, which is what wizards need to know to write into the right place.- put
- rotate