Crate greentic_secrets_lib

pub use env::EnvSecretsManager;
pub use greentic_secrets_core as core;
pub use greentic_secrets_spec as spec;

api_keys: Helpers for store/distributor/billing API key references (opaque refs only; no secrets).
env
provider_secrets: Helper utilities for events/messaging provider secrets.
provision: Discovery, provisioning, and promotion — the orchestration that turns a set of pack-declared requirements into materialized secrets and ships them where they’re needed.
signing_keys: Helpers for storing and retrieving signing key references (no signing logic).

ApplyFailure: Errors encountered while applying a seed entry.
ApplyOptions: Options for applying seeds.
ApplyReport: Summary report from seed application.
BrokerStore: Adapter that applies seeds against a broker-backed store.
DevContext: Minimal dev context used for resolving requirement keys into URIs.
GeneratedSecretRequirement: How a system-generated secret’s value is produced — a 1:1 model of a pack’s secret-requirements.json generated block.
GeneratedSecretScope: The scope a generated secret is minted under, as declared by a pack.
ManagedSecret: A single secret the system manages, identified by its canonical runtime store URI, tagged with how its value is obtained.
NormalizedSeedEntry: Normalized seed entry with bytes payload.
PackSecretRequirement: A secret a pack declares it needs — the shared output type every consumer’s pack reader parses into, so the deployer, start, and setup agree on the requirement model (including which secrets are system-generated).
PromoteReport: Outcome of a promote pass.
ProvisionReport: Outcome of a provision pass.
SecretKey: Canonical secret identifier used across manifests and bindings.
SecretRef: Reference into an environment’s secrets: secret://<env>/<path>.
SecretRequirement: Structured secret requirement used in capabilities, bindings, and deployment plans.
SecretScope: Canonical secret scope (environment, tenant, team).
SecretSet: The complete set of secrets a deployment scope needs — the single source of truth consumed by both the local runtime (start) and cloud promotion (deployer). It deliberately includes generated secrets so the deployer’s cloud path can no longer miss them.
SecretUri
SeedDoc: Seed document containing entries to apply into a store.
SeedEntry: Seed entry for a single secret URI.
StoreSink: Adapts any SecretsStore into a SecretsSink, so the local dev store (or broker store) can be a promotion target with the same code as a cloud sink.

SecretError: Error conditions that can occur while interacting with a secrets provider.
SecretFormat: Supported secret content formats.
SecretRefParseError: Errors produced when parsing a SecretRef.
SecretSource: Where a ManagedSecret’s value comes from.
SeedValue: Seed value payloads.

SECRET_SCHEME: Scheme prefix for secret:// deployment references.
SECRET_STORE_SCHEME: Scheme prefix for runtime secret store URIs (secrets://).
TEAM_PLACEHOLDER: Placeholder segment used when a secret is not scoped to a specific team.

SecretsManager: Minimal secrets manager interface shared between hosts and providers.
SecretsSink: A destination secrets can be written to during promotion.
SecretsStore

apply_seed: Apply all entries in a seed document to the provided store.
canonical_secret_name: Canonicalize a raw secret name into the store-safe slug used in the trailing segment of every secrets://.../<name> URI.
canonical_secret_store_key: Derive the environment-variable lookup key for a 5-segment secrets:// store URI.
canonical_secret_uri: Build a canonical secret store URI (secrets://<env>/<tenant>/<team|_>/<category>/<name>), applying normalize_team so the team segment is always canonical.
discover_secret_set: Build the canonical SecretSet for scope/category from a list of parsed pack requirements.
generate_secret_value: Mint a value for a pack-declared generated secret, returning the value bytes and the SecretFormat they should be stored under.
generated_scope_team: The team a generated secret is minted under, given its declared scope and a default team.
is_default_team: Returns true when team represents the canonical “no specific team” value.
normalize_team: Canonicalize a team value for secret scoping.
promote: Copy every value in set from source into sink. Entries with no value in the source store are recorded in PromoteReport::missing rather than failing the whole promotion.
provision: Ensure every secret in set exists in store: mint the missing generated ones, and record which operator-supplied ones are absent.
resolve_uri: Resolve a requirement into a concrete URI for dev flows.

Result: Result type returned by SecretsManager.