Skip to main content

Module secrets

Module secrets 

Source
Expand description

gtc op secrets {list,put,get,rotate} (A3).

Operates on the env’s bound Secrets env-pack. The actual backend dispatch (AWS Secrets Manager, Azure Key Vault, dev-store, Vault, etc.) lives in greentic-secrets-lib; the env-pack registry (A9) is what binds a PackDescriptor to a concrete backend at runtime. A3 ships the command surface, enforces the env-must-have-secrets-pack precondition, and reports the resolved kind in every envelope.

put is live for the greentic.secrets.dev-store kind (the default binding op env init creates): it writes the value into the env’s local dev store at the same path the runtime reader (greentic-start SecretsClient::open(<env_dir>)) resolves, so a put is immediately visible to served revisions. All other kinds — and get/rotate against any live backend — return NotYetImplemented and point at the gating PR (A9 — env-pack registry + handler dispatch). list returns the namespace keys the env owns (always secret://<env>/...) — no actual material is fetched.

Structs§

SecretsGetPayload
SecretsListPayload
SecretsPutPayload
SecretsRotatePayload

Functions§

get
op secrets get. Reads a secret back for the dev-store and Vault backends (symmetric to put); other kinds return NotYetImplemented (A9). Reads are not audited (matching list). By default only presence + metadata is returned; reveal: true includes the decrypted value.
list
op secrets list. Returns the env’s secret-ref namespace plus the kind of the bound secrets env-pack. Phase A does not yet enumerate live backend-side keys (no handler dispatch); the operator gets the namespace plus backend identity, which is what wizards need to know to write into the right place.
put
rotate