Crate hasp

Unified secrets library for Rust.

hasp provides a single Store type that dispatches get / put / list / delete / exists to multiple backends addressed by URL scheme:

  • aws-sm://region/secret-name — AWS Secrets Manager (feature aws-sm)
  • aws-ssm://region/parameter-name — AWS SSM Parameter Store (feature aws-ssm)
  • env://VAR_NAME — environment variables (feature env)
  • file:///path/to/secret — local files (feature file)
  • gcp-sm://project/secret-id?version=3 — Google Cloud Secret Manager (feature gcp-sm)
  • azure-kv://vault/secret-name?version=3 — Azure Key Vault (feature azure-kv)
  • keyring://service/account — OS keyring (feature keyring)
  • op://vault/item/field — 1Password CLI (feature op)
  • vault://mount/path?field=key — HashiCorp Vault (feature vault)
  • bw://item/field.path — Bitwarden CLI (feature bw)

Each backend is feature-gated so consumers pay only for the stores they use.

Example

use hasp::Store;

// The scheme prefix selects the backend: "env://" routes to the environment-variable store,
// and the remainder ("HOME") is the variable name.
let store = Store::with_defaults();
let secret = store.get("env://HOME").unwrap();

The library boundary type for secret values is secrecy::SecretString. Backends wrap raw bytes at the earliest possible moment so Debug output never leaks secret values.
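The scheme dispatch and the redaction boundary described above, as an added self-contained example that is not hasp's own code: parse_ref, get_with, get and the Secret wrapper are constructed here and stand in for the crate's Store, EnvBackend and secrecy::SecretString, and only the env scheme is implemented.

```rust
use std::collections::BTreeMap;
use std::fmt;

/// Boundary type for secret values (stand-in for secrecy::SecretString); Debug is always redacted.
pub struct Secret(String);

impl Secret {
    pub fn expose(&self) -> &str { &self.0 }
}

impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.write_str("Secret([REDACTED])") }
}

/// A reference split the way the URL forms above are shaped: scheme, path, query.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SecretRef { pub scheme: String, pub path: String, pub query: BTreeMap<String, String> }

/// Parse `scheme://path?k=v&k2=v2`; the scheme is what selects the backend.
pub fn parse_ref(url: &str) -> Result<SecretRef, String> {
    let (scheme, rest) = url.split_once("://").ok_or_else(|| format!("no scheme in {url:?}"))?;
    let scheme_ok = !scheme.is_empty() && scheme.chars().all(|c| c.is_ascii_lowercase() || c == '-');
    if !scheme_ok { return Err(format!("invalid scheme {scheme:?}")); }
    let (path, query_str) = rest.split_once('?').unwrap_or((rest, ""));
    if path.is_empty() { return Err(format!("empty path in {url:?}")); }
    let mut query = BTreeMap::new();
    for pair in query_str.split('&').filter(|p| !p.is_empty()) {
        let (k, v) = pair.split_once('=').ok_or_else(|| format!("bad query pair {pair:?}"))?;
        query.insert(k.to_string(), v.to_string());
    }
    Ok(SecretRef { scheme: scheme.into(), path: path.into(), query })
}

/// Scheme-dispatching `get` with an injectable env lookup (constructed for this example);
/// only the env backend exists here, every other scheme is an error rather than a silent fallthrough.
pub fn get_with(url: &str, env_lookup: impl Fn(&str) -> Option<String>) -> Result<Secret, String> {
    let r = parse_ref(url)?;
    match r.scheme.as_str() {
        // env://VAR_NAME: wrap the raw value immediately so it never travels unwrapped past this line.
        "env" => env_lookup(&r.path).map(Secret).ok_or_else(|| format!("env var {} is unset", r.path)),
        other => Err(format!("backend for scheme {other:?} is not enabled")),
    }
}

/// Process-environment variant, the analogue of `Store::with_defaults().get("env://HOME")`.
pub fn get(url: &str) -> Result<Secret, String> {
    get_with(url, |name| std::env::var(name).ok())
}
```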

Structs

AuditEvent
A redacted audit event.
CacheKey
Cache key. scheme is the URL scheme and is intentionally scheme-namespaced so the same URL string handled by two different backends cannot alias.
CopyOptions
Options for Store::copy.
CopyOutcome
Outcome of a successful copy.
Entry
A named entry returned by Backend::list.
EnvBackend
Stdlib-only backend that reads secrets from environment variables.
FileSink
Append-only file sink, one JSON event per line.
HardeningToken
Zero-sized witness that hardening has been installed in this process.
MitigationOutcome
Outcome of a single mitigation attempt.
NoopSink
A sink that drops every event. Used to disable audit emission entirely without making the sink itself optional.
ProcessCache
In-process moka-backed cache of Arc<SecretString>.
ProxyConfig
Parsed HTTP CONNECT proxy configuration.
RetryBackend
Decorator backend that retries transient failures with exponential backoff.
StderrSink
Writes each event as one JSON line to stderr.
Store
Batteries-included secret store.
StoreBuilder
Fluent builder for a Store with optional proxy configuration.
SyslogSink
Forwards each event to the local syslog daemon via libc::syslog.

Enums

BackendFailureKind
Retry-policy classification for Error::Backend.
CacheEvent
Single-phase cache event classifier. Unlike Verb these events have no start/done split — a cache hit is observable in one phase. The label set is closed at the type level so audit consumers can switch on it without parsing.
CachePolicy
Per-invocation in-process cache policy.
DiffOutcome
Result of Store::compare.
Error
hasp library-surface errors. Stable across all backends; backend impls map their native error vocabulary into these variants.
HardenRefusal
Reasons to refuse to start. These represent active injection signals or privilege configurations a secret-handling CLI must not run under.
IfExists
What to do when the destination of a copy already holds a value.
Verb
The verb a Store operation belongs to. Closed set so audit event labels are statically known and cannot be widened by a caller.

Traits

AuditSink
A sink that consumes AuditEvents.
BackendTrait
Unified backend trait for secret stores.
ExposeSecret
Expose a reference to an inner secret.

Functions

apply_mitigations
Apply platform process-hardening best-effort.
check_refusal_conditions
Refuse to start if any injection-style env var is set or the process is running setuid.
custom_backend
Wrap an externally-provided backend.
delete
Delete a secret using a default Store.
env
Create an environment-variable backend.
exists
Check whether a secret exists using a default Store.
get
Fetch a secret using a default Store.
harden_process
Combined entry point: refuse on injection signals, then apply best-effort mitigations. Returns Ok(outcomes) on success.
install_hardening
Install process-level hardening and return a HardeningToken.
list
List entries using a default Store.
put
Store a secret using a default Store.
scheme_from_url
Extract the scheme prefix from a URL string.

Type Aliases

Backend
SecretString
Secret string type.