Secrets manager backed by an encrypted SecureStore vault.
The vault is stored at {credentials_dir}/secrets.json. Encryption uses
either a CSPRNG-generated key file ({credentials_dir}/secrets.key) or a
user-supplied password — never both.
Storage layout

| Key pattern | Content |
|---|---|
| cred:<name> | JSON-serialized SecretEntry metadata |
| val:<name> | Primary secret value (or private key PEM / note) |
| val:<name>:user | Username (for UsernamePassword kind) |
| val:<name>:pub | Public key string (for SshKey kind) |
| val:<name>:fields | JSON map of form-field key/value pairs |
| val:<name>:card | JSON {cardholder,number,expiry,cvv} |
| val:<name>:card_extra | JSON map of additional payment card fields |
| <bare key> | Legacy / raw secrets (API keys, TOTP, etc.) |
Structs

- AccessContext - Context supplied by the caller when requesting access to a credential. The SecretsManager evaluates this against the credential's AccessPolicy.
- BrowserStore - Container for all browser-style credentials. Stored as a single encrypted blob in the vault under key "browser_store".
- Cookie - An HTTP cookie with standard browser attributes.
- Secret - Kept for backward compatibility with older code that references this type.
- SecretEntry - Metadata envelope stored alongside the secret value(s) in the vault.
- SecretsManager - Secrets manager backed by an encrypted SecureStore vault.
- WebStorage - Origin-scoped storage (like browser localStorage).
Enums

- AccessPolicy - Controls when the agent is allowed to read a credential.
- CredentialValue - The result of reading a credential — includes the metadata envelope plus the decrypted value(s).
- SecretKind - What kind of secret a credential entry holds.