Module credentials

The credential vault: resolves a logical credential id (named by the policy engine via a CredentialRef) into a real upstream secret. Secrets live only here and in the data plane’s outbound request; the agent never sees them.

Structs§

InMemoryCredentials
A static, in-memory credential store seeded at startup. Adequate for v1, where the real upstream credential (e.g. a GitHub App installation token) is provisioned out of band and handed to hackamore.
Secret
A resolved credential value. A semantic type, deliberately not a String: its Debug is redacted so a secret can never leak into a log line, and the inner value is reachable only through the explicit Secret::expose call.

Traits§

CredentialStore
Resolves credential ids to secrets. A trait so the in-memory store here can later be swapped for a GitHub App token minter, a KMS-backed vault, etc., with no change to the data plane.
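
The pattern described for Secret and CredentialStore, as an added sketch that is not hackamore's own code. The type names come from this page; the signatures (`Secret::new`, `expose` returning `&str`, `resolve` taking a `&str` id and returning `Option<&Secret>`), the `by_id` field and the sample id and token value are assumptions.

```rust
use std::collections::HashMap;
use std::fmt;

/// Redacted secret newtype (assumed shape, not hackamore's definition).
pub struct Secret(String);

impl Secret {
    pub fn new(value: impl Into<String>) -> Self { Secret(value.into()) }
    /// The only path to the inner value, so every use is easy to find in review.
    pub fn expose(&self) -> &str {
        &self.0
    }
}

// Hand-written Debug: deriving it would print the inner String.
impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("Secret(<redacted>)")
    }
}

/// Assumed trait shape: logical credential id in, secret out, None if unknown.
pub trait CredentialStore {
    fn resolve(&self, id: &str) -> Option<&Secret>;
}

#[derive(Debug)] // safe to derive: each value prints through Secret's redacted Debug
pub struct InMemoryCredentials {
    by_id: HashMap<String, Secret>,
}

impl InMemoryCredentials {
    pub fn new(seed: impl IntoIterator<Item = (String, Secret)>) -> Self {
        Self { by_id: seed.into_iter().collect() }
    }
}

impl CredentialStore for InMemoryCredentials {
    fn resolve(&self, id: &str) -> Option<&Secret> {
        self.by_id.get(id)
    }
}

fn main() {
    // Constructed sample id and token value, seeded once at startup.
    let seed = [("github-app".to_string(), Secret::new("ghs_constructed_example"))];
    let store = InMemoryCredentials::new(seed);
    println!("{:?}", store); // the token value does not appear in this output
}
```

Because the store's derived `Debug` delegates to `Secret`'s implementation, logging the whole store shows the credential ids but never the values.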