Enum SecretRecord 

pub enum SecretRecord {
    Literal {
        value: SecretValue,
        sensitivity: Sensitivity,
        revealable: bool,
        environment: String,
        component: String,
        key: String,
        description: Option<String>,
        created: String,
        updated: String,
    },
    Reference {
        reference: String,
        sensitivity: Sensitivity,
        revealable: bool,
        environment: String,
        component: String,
        key: String,
        description: Option<String>,
        created: String,
        updated: String,
    },
    Keypair {
        algorithm: KeyAlgorithm,
        private: Option<SecretValue>,
        public: String,
        sensitivity: Sensitivity,
        revealable: bool,
        environment: String,
        component: String,
        key: String,
        description: Option<String>,
        created: String,
        updated: String,
    },
    Totp {
        seed: SecretValue,
        algorithm: TotpAlgorithm,
        digits: u8,
        period: u8,
        sensitivity: Sensitivity,
        revealable: bool,
        environment: String,
        component: String,
        key: String,
        description: Option<String>,
        created: String,
        updated: String,
    },
}

A single secret record, in one of four modalities. Internally tagged by mode to mirror the spec §10.1 on-the-wire shape.

Debug is safe: the only secret-bearing fields are value (literal), private (keypair), and seed (totp) — all SecretValues whose own Debug is redacted (I12). The public half of a keypair and the TOTP parameters (algorithm/digits/period) are not secrets.

Variants

Literal

The value lives (encrypted) in the vault.

Fields

value: SecretValue

The secret value.

sensitivity: Sensitivity

Sensitivity level (spec §3.1).

revealable: bool

Whether the secret is opted into reveal (the §3.1 “revealable” flag).

Sourced into crate::AccessRequest::revealable so the policy funnel (I11) reads it from the stored secret, never from caller intent. Defaults to false so pre-L9 vaults (and any record that never opted in) are non-revealable — the safe default.

environment: String

Environment segment, e.g. prod.

component: String

Component segment.

key: String

Key segment.

description: Option<String>

Optional human description.

created: String

Creation timestamp (RFC 3339; a Clock trait arrives in a later layer).

updated: String

Last-update timestamp.

Reference

The vault holds only a pointer to an external secret manager.

Fields

reference: String

Provider URI, e.g. azure-kv://corp-kv/db-url.

sensitivity: Sensitivity

Sensitivity level.

revealable: bool

Whether the secret is opted into reveal (see the Literal variant).

environment: String

Environment segment.

component: String

Component segment.

key: String

Key segment.

description: Option<String>

Optional human description.

created: String

Creation timestamp.

updated: String

Last-update timestamp.

Keypair

An asymmetric keypair (KOV-12). The private half (when present) is a sealed SecretValue custodied exactly like a literal — never exported, used only through operations (sign / decrypt / ssh-add), mirroring injection. The public half is not a secret and is shown freely. A private: None record is a public-only entry: a peer’s/recipient’s public key for encrypt/verify.

Fields

algorithm: KeyAlgorithm

The key algorithm (ed25519 or RSA).

private: Option<SecretValue>

The OpenSSH-format private key, sealed. None for a public-only entry. Born non-revealable by default (I11), like a high secret.

public: String

The OpenSSH-format public key (ssh-ed25519 … / ssh-rsa …). Public material — safe to serialize and display.

sensitivity: Sensitivity

Sensitivity level. A keypair with a private half is born high when its environment is prod (I5), like any other secret; a public-only entry is typically low (it holds no secret).

revealable: bool

Whether the secret is opted into reveal (see the Literal variant). A keypair’s private half is never returned to a model regardless; this only governs whether the CLI/UI may show it (I11).

environment: String

Environment segment.

component: String

Component segment.

key: String

Key segment.

description: Option<String>

Optional human description.

created: String

Creation timestamp.

updated: String

Last-update timestamp.

Totp

A TOTP enrollment (KOV-11). The seed (the shared secret) is a sealed SecretValue custodied exactly like a literal — never exported, used only through deriving a short-lived RFC-6238 code (kovra code), mirroring how a keypair’s private half is used only through sign/decrypt. The seed is never returned to a model (I11/I14) regardless of the revealable flag; only the derived code is produced, on demand.

Fields

seed: SecretValue

The base32-decoded shared-secret seed, sealed. Born non-revealable by default (I11), like a high secret.

algorithm: TotpAlgorithm

The HMAC hash algorithm (SHA1 default). Not a secret.

digits: u8

Code length in digits (typically 6). Not a secret.

period: u8

Time step in seconds (typically 30). Not a secret.

sensitivity: Sensitivity

Sensitivity level. A TOTP enrollment is born high when its environment is prod (I5), like any other secret.

revealable: bool

Whether the secret is opted into reveal (see the Literal variant). A TOTP seed is never returned to a model regardless; this only governs whether the CLI/UI may show it (I11) — and even the CLI shows the derived code, never the seed.

environment: String

Environment segment.

component: String

Component segment.

key: String

Key segment.

description: Option<String>

Optional human description.

created: String

Creation timestamp.

updated: String

Last-update timestamp.

Implementations

impl SecretRecord

pub fn sensitivity(&self) -> Sensitivity

The secret’s sensitivity, regardless of modality.

pub fn revealable(&self) -> bool

Whether the secret is opted into reveal (the §3.1 “revealable” flag).

Faces that build a crate::AccessRequest read it from here so the I11 reveal gate is sourced from the stored record, never caller intent.

pub fn environment(&self) -> &str

The environment segment, regardless of modality.

pub fn component(&self) -> &str

The component segment, regardless of modality.

pub fn key(&self) -> &str

The key segment, regardless of modality.

pub fn canonical_path(&self) -> String

The canonical <env>/<component>/<key> path this record files under.

pub fn created(&self) -> &str

The RFC-3339 creation timestamp, regardless of modality.

pub fn updated(&self) -> &str

The RFC-3339 last-updated timestamp, regardless of modality.

pub fn reference(&self) -> Option<&str>

The external reference URI for a Reference record (e.g. azure-kv://vault/name), or None for any other modality. Carries an address, never a value.

Trait Implementations

impl Debug for SecretRecord

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for SecretRecord

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl PartialEq for SecretRecord

fn eq(&self, other: &SecretRecord) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for SecretRecord

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.

impl StructuralPartialEq for SecretRecord