Skip to main content

murk_cli/
types.rs

1use std::collections::{BTreeMap, HashMap};
2
3use serde::{Deserialize, Serialize};
4
5// -- Vault (on-disk format, v2) --
6// The entire .murk file is a single JSON document with per-value encryption.
7// Key names and schema are plaintext. Values are individually age-encrypted.
8
9#[derive(Debug, Clone, Serialize, Deserialize)]
10pub struct Vault {
11    pub version: String,
12    pub created: String,
13    pub vault_name: String,
14    /// Repository URL, auto-detected from git remote during init.
15    #[serde(default, skip_serializing_if = "String::is_empty")]
16    pub repo: String,
17    /// Public keys only — no names. Name mappings live in the encrypted meta blob.
18    pub recipients: Vec<String>,
19    /// Key metadata — public, readable without decryption.
20    pub schema: BTreeMap<String, SchemaEntry>,
21    /// Per-value encrypted secrets. Each value is a separate age ciphertext.
22    pub secrets: BTreeMap<String, SecretEntry>,
23    /// Encrypted metadata blob: recipient names and integrity MAC.
24    pub meta: String,
25}
26
27#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
28pub struct SchemaEntry {
29    pub description: String,
30    #[serde(skip_serializing_if = "Option::is_none")]
31    pub example: Option<String>,
32    #[serde(default, skip_serializing_if = "Vec::is_empty")]
33    pub tags: Vec<String>,
34}
35
36#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
37pub struct SecretEntry {
38    /// Shared value encrypted to all recipients.
39    pub shared: String,
40    /// Scoped overrides: pubkey → encrypted value (encrypted to that pubkey only).
41    #[serde(default, skip_serializing_if = "BTreeMap::is_empty")]
42    pub scoped: BTreeMap<String, String>,
43}
44
45// -- Meta (encrypted, stored in vault.meta) --
46// Contains metadata only visible to recipients.
47
48#[derive(Debug, Clone, Serialize, Deserialize)]
49pub struct Meta {
50    /// Maps pubkey → display name. The only place names are stored.
51    pub recipients: HashMap<String, String>,
52    /// Integrity MAC over secrets + schema.
53    pub mac: String,
54}
55
56// -- Murk (decrypted in-memory state) --
57// The working representation after decryption. Commands read/modify this,
58// then save_vault compares against the original to minimize re-encryption.
59
60#[derive(Debug, Clone)]
61pub struct Murk {
62    /// Decrypted shared values.
63    pub values: HashMap<String, String>,
64    /// Pubkey → display name (from meta).
65    pub recipients: HashMap<String, String>,
66    /// Scoped overrides: key → { pubkey → decrypted value }.
67    /// Only contains entries decryptable by the current identity.
68    pub scoped: HashMap<String, HashMap<String, String>>,
69}