Skip to main content

murk_cli/
types.rs

1use std::collections::{BTreeMap, HashMap};
2
3use serde::{Deserialize, Serialize};
4
5/// Current vault format version.
6pub const VAULT_VERSION: &str = "2.0";
7
8// -- Vault (on-disk format, v2) --
9// The entire .murk file is a single JSON document with per-value encryption.
10// Key names and schema are plaintext. Values are individually age-encrypted.
11
12#[derive(Debug, Clone, Serialize, Deserialize)]
13pub struct Vault {
14    pub version: String,
15    pub created: String,
16    pub vault_name: String,
17    /// Repository URL, auto-detected from git remote during init.
18    #[serde(default, skip_serializing_if = "String::is_empty")]
19    pub repo: String,
20    /// Public keys only — no names. Name mappings live in the encrypted meta blob.
21    pub recipients: Vec<String>,
22    /// Key metadata — public, readable without decryption.
23    pub schema: BTreeMap<String, SchemaEntry>,
24    /// Per-value encrypted secrets. Each value is a separate age ciphertext.
25    pub secrets: BTreeMap<String, SecretEntry>,
26    /// Encrypted metadata blob: recipient names and integrity MAC.
27    pub meta: String,
28}
29
30#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
31pub struct SchemaEntry {
32    pub description: String,
33    #[serde(skip_serializing_if = "Option::is_none")]
34    pub example: Option<String>,
35    #[serde(default, skip_serializing_if = "Vec::is_empty")]
36    pub tags: Vec<String>,
37}
38
39#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
40pub struct SecretEntry {
41    /// Shared value encrypted to all recipients.
42    pub shared: String,
43    /// Scoped overrides: pubkey → encrypted value (encrypted to that pubkey only).
44    #[serde(default, skip_serializing_if = "BTreeMap::is_empty")]
45    pub scoped: BTreeMap<String, String>,
46}
47
48// -- Meta (encrypted, stored in vault.meta) --
49// Contains metadata only visible to recipients.
50
51#[derive(Debug, Clone, Serialize, Deserialize)]
52pub struct Meta {
53    /// Maps pubkey → display name. The only place names are stored.
54    pub recipients: HashMap<String, String>,
55    /// Integrity MAC over secrets + schema.
56    pub mac: String,
57}
58
59// -- Murk (decrypted in-memory state) --
60// The working representation after decryption. Commands read/modify this,
61// then save_vault compares against the original to minimize re-encryption.
62
63#[derive(Debug, Clone)]
64pub struct Murk {
65    /// Decrypted shared values.
66    pub values: HashMap<String, String>,
67    /// Pubkey → display name (from meta).
68    pub recipients: HashMap<String, String>,
69    /// Scoped overrides: key → { pubkey → decrypted value }.
70    /// Only contains entries decryptable by the current identity.
71    pub scoped: HashMap<String, HashMap<String, String>>,
72}