Skip to main content

murk_cli/
types.rs

1use std::collections::{BTreeMap, HashMap};
2
3use serde::{Deserialize, Serialize};
4
5/// Current vault format version.
6pub const VAULT_VERSION: &str = "2.0";
7
8/// Default vault filename.
9pub const DEFAULT_VAULT_NAME: &str = ".murk";
10
11// -- Vault (on-disk format, v2) --
12// The entire .murk file is a single JSON document with per-value encryption.
13// Key names and schema are plaintext. Values are individually age-encrypted.
14
15#[derive(Debug, Clone, Serialize, Deserialize)]
16pub struct Vault {
17    pub version: String,
18    pub created: String,
19    pub vault_name: String,
20    /// Repository URL, auto-detected from git remote during init.
21    #[serde(default, skip_serializing_if = "String::is_empty")]
22    pub repo: String,
23    /// Public keys only — no names. Name mappings live in the encrypted meta blob.
24    pub recipients: Vec<String>,
25    /// Key metadata — public, readable without decryption.
26    pub schema: BTreeMap<String, SchemaEntry>,
27    /// Per-value encrypted secrets. Each value is a separate age ciphertext.
28    pub secrets: BTreeMap<String, SecretEntry>,
29    /// Encrypted metadata blob: recipient names and integrity MAC.
30    pub meta: String,
31}
32
33#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
34pub struct SchemaEntry {
35    pub description: String,
36    #[serde(skip_serializing_if = "Option::is_none")]
37    pub example: Option<String>,
38    #[serde(default, skip_serializing_if = "Vec::is_empty")]
39    pub tags: Vec<String>,
40}
41
42#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
43pub struct SecretEntry {
44    /// Shared value encrypted to all recipients.
45    pub shared: String,
46    /// Scoped overrides: pubkey → encrypted value (encrypted to that pubkey only).
47    #[serde(default, skip_serializing_if = "BTreeMap::is_empty")]
48    pub scoped: BTreeMap<String, String>,
49}
50
51// -- Meta (encrypted, stored in vault.meta) --
52// Contains metadata only visible to recipients.
53
54#[derive(Debug, Clone, Serialize, Deserialize)]
55pub struct Meta {
56    /// Maps pubkey → display name. The only place names are stored.
57    pub recipients: HashMap<String, String>,
58    /// Integrity MAC over secrets + schema.
59    pub mac: String,
60    /// BLAKE3 keyed MAC key (hex-encoded, 32 bytes). Generated at init, stored encrypted.
61    #[serde(default, skip_serializing_if = "Option::is_none")]
62    pub hmac_key: Option<String>,
63}
64
65// -- Murk (decrypted in-memory state) --
66// The working representation after decryption. Commands read/modify this,
67// then save_vault compares against the original to minimize re-encryption.
68
69#[derive(Debug, Clone)]
70pub struct Murk {
71    /// Decrypted shared values.
72    pub values: HashMap<String, String>,
73    /// Pubkey → display name (from meta).
74    pub recipients: HashMap<String, String>,
75    /// Scoped overrides: key → { pubkey → decrypted value }.
76    /// Only contains entries decryptable by the current identity.
77    pub scoped: HashMap<String, HashMap<String, String>>,
78}