
Module secrets


Secrets management for the toolkit.

Resolves secrets from multiple sources behind the SecretsProvider trait. The trait returns a SecretValue (toolkit-owned and feature-independent, per Phase 83 review R6), never a raw String or Vec<u8>. SecretValue implements none of Debug, Display, Clone, Serialize or Deserialize, so a secret cannot be logged, copied or serialized by accident; trybuild compile-fail tests under tests/compile_fail/*.rs enforce these denials at compile time (review R5).

Resolution Strategy

Built-in providers, in the order create_secrets_provider tries them (call them directly or chain them via SecretsProviderChain):

  1. Org-level Secrets Manager (aws feature) — if PMCP_SECRETS_PATH contains /orgs/
  2. Per-server Secrets Manager (aws feature) — if PMCP_SECRETS_PATH is set without /orgs/
  3. SSM Parameter Store (aws feature) — if PMCP_SSM_PATH is set
  4. Environment variables (EnvSecrets) — always available

Org-Level Secret Structure (pmcp.run)

For pmcp.run deployments, secrets are stored at the organization level to reduce costs. One secret per organization contains all server credentials:

{
  "london-tube": {
    "TFL_APP_KEY": "your-api-key"
  },
  "lichess": {
    "LICHESS_TOKEN": "your-token"
  }
}

Path format: pmcp/orgs/{org_id}/credentials. Each server reads only its own entry of that document, selected by the server ID taken from SERVER_ID_VAR.
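The resolution order above and the org-level layout, carried through as an added Rust example. This is illustrative code written for this page, not the toolkit's own implementation: the method name get_secret, the expose_secret accessor, the PMCP_SERVER_ID variable name, the Backend enum and resolution_plan function are assumptions, and the org secret is handed in as an already-parsed map in place of the Secrets Manager call. The credentials in the test mirror the constructed JSON document shown above.

```rust
use std::collections::HashMap;
use std::fmt;

// PMCP_SECRETS_PATH and PMCP_SSM_PATH are the names the module docs give;
// PMCP_SERVER_ID is an assumed placeholder for the unnamed SERVER_ID_VAR.
pub const SECRETS_MANAGER_PATH_VAR: &str = "PMCP_SECRETS_PATH";
pub const SSM_PATH_VAR: &str = "PMCP_SSM_PATH";
pub const SERVER_ID_VAR: &str = "PMCP_SERVER_ID";

/// Secret newtype. Nothing is derived (no Clone, Display, Serialize, Deserialize)
/// and the hand-written Debug redacts, so `{:?}` in a log line cannot leak it.
pub struct SecretValue(Vec<u8>);

impl SecretValue {
    pub fn new(bytes: &[u8]) -> Self { SecretValue(bytes.to_vec()) }
    /// The only accessor; every read site is an explicit, greppable call.
    pub fn expose_secret(&self) -> &[u8] { &self.0 }
}

impl fmt::Debug for SecretValue {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.write_str("SecretValue([REDACTED])") }
}

impl Drop for SecretValue {
    /// Best-effort wipe on drop; production code would use the zeroize crate.
    fn drop(&mut self) {
        for b in self.0.iter_mut() {
            // SAFETY: `b` is a valid, aligned &mut u8 into the Vec we own.
            unsafe { std::ptr::write_volatile(b, 0) }
        }
    }
}

/// Provider contract: a SecretValue, never a raw String or Vec<u8>.
pub trait SecretsProvider {
    fn get_secret(&self, name: &str) -> Option<SecretValue>;
}

/// Environment provider over a snapshot of the process environment (a map
/// rather than std::env so the example runs deterministically).
pub struct EnvSecrets { pub env: HashMap<String, String> }
impl SecretsProvider for EnvSecrets {
    fn get_secret(&self, name: &str) -> Option<SecretValue> {
        self.env.get(name).map(|v| SecretValue::new(v.as_bytes()))
    }
}

/// Org-level provider: one org secret holds every server's credentials keyed by
/// server id. `org_secret` stands in for the parsed JSON fetched from Secrets
/// Manager at `path`; the AWS call itself is out of scope here.
pub struct OrgSecretsManagerProvider {
    pub path: String,
    pub server_id: String,
    pub org_secret: HashMap<String, HashMap<String, String>>,
}
impl SecretsProvider for OrgSecretsManagerProvider {
    fn get_secret(&self, name: &str) -> Option<SecretValue> {
        // Only this server's sub-object is consulted, so a server never reads a
        // sibling server's credentials even though they share one secret.
        self.org_secret.get(&self.server_id)?.get(name).map(|v| SecretValue::new(v.as_bytes()))
    }
}

/// Tries each provider in order and returns the first hit.
pub struct SecretsProviderChain { pub providers: Vec<Box<dyn SecretsProvider>> }
impl SecretsProvider for SecretsProviderChain {
    fn get_secret(&self, name: &str) -> Option<SecretValue> {
        self.providers.iter().find_map(|p| p.get_secret(name))
    }
}

/// Backends the documented resolution order enables for a given environment.
#[derive(Debug, PartialEq, Eq)]
pub enum Backend {
    OrgSecretsManager { path: String },
    PerServerSecretsManager { path: String },
    Ssm { path: String },
    Env,
}

pub fn resolution_plan(env: &HashMap<String, String>) -> Vec<Backend> {
    let mut plan = Vec::new();
    if let Some(path) = env.get(SECRETS_MANAGER_PATH_VAR) {
        if path.contains("/orgs/") {
            plan.push(Backend::OrgSecretsManager { path: path.clone() });
        } else {
            plan.push(Backend::PerServerSecretsManager { path: path.clone() });
        }
    }
    if let Some(path) = env.get(SSM_PATH_VAR) {
        plan.push(Backend::Ssm { path: path.clone() });
    }
    plan.push(Backend::Env); // environment variables are always available
    plan
}

/// Org-level path format from the docs: pmcp/orgs/{org_id}/credentials
pub fn org_secret_path(org_id: &str) -> String { format!("pmcp/orgs/{org_id}/credentials") }
```

The point of the split between resolution_plan and the chain is that the choice of backends is a pure function of the environment and can be unit-tested without any AWS credentials, while the chain itself is what callers hold. Note that the org provider returns None for a key that lives under another server's entry, so the chain falls through to the next provider rather than leaking a sibling's credential.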

Structs

EnvSecrets
Environment variable secrets provider.
OrgSecretsManagerProvider
AWS Secrets Manager provider for org-level shared secrets.
SecretValue
Toolkit-owned secret newtype — NEVER returns raw bytes from SecretsProvider.
SecretsManagerSecrets
AWS Secrets Manager provider for per-server secrets.
SecretsProviderChain
Chain multiple providers, trying each in order until one succeeds.
SsmSecrets
AWS SSM Parameter Store provider.

Constants

SECRETS_MANAGER_PATH_VAR
Environment variable that specifies the Secrets Manager path
SERVER_ID_VAR
Environment variable for server ID (used for org-level secrets extraction)
SSM_PATH_VAR
Environment variable that specifies the SSM Parameter Store path

Traits

SecretsProvider
Trait for secrets providers.

Functions

create_secrets_provider
Construct a SecretsProvider chain based on the current environment.