pub struct Secret<T: SecretValue> { /* private fields */ }
A secret value identified by a URN.
Before bind is called, the secret is unbound; accessing its value returns an UnboundError. All default display paths (Display, Debug, serde serialization) emit the masked value, which is safe to include in logs.
Masked value format
- Unbound: urn:secrets-rs:env:KEY [UNBOUND]
- Bound: urn:secrets-rs:env:KEY [string:12]
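A self-contained model of the masked-by-default pattern described above, added here as an illustration; it is not the crate's code. `MaskedSecret`, `Unbound`, `Config` and this `bind` are hypothetical, and reading the number in `[string:12]` as the value's byte length is an assumption.

```rust
use std::fmt;

// Stand-alone model of the masking pattern; not the crate's Secret<T>.
#[derive(Debug, PartialEq)]
pub struct Unbound; // hypothetical stand-in for UnboundError

pub struct MaskedSecret {
    urn: String,           // identity only, never the value
    value: Option<String>, // None until bound
}

impl MaskedSecret {
    pub fn new(urn: &str) -> Self {
        Self { urn: urn.to_string(), value: None }
    }
    // Hypothetical bind: the crate's real bind signature is not shown on this page.
    pub fn bind(&mut self, v: &str) {
        self.value = Some(v.to_string());
    }
    pub fn value(&self) -> Result<&String, Unbound> {
        self.value.as_ref().ok_or(Unbound)
    }
    // Assumption: the number in "[string:12]" is the value's length in bytes.
    pub fn masked_value(&self) -> String {
        match &self.value {
            None => format!("{} [UNBOUND]", self.urn),
            Some(v) => format!("{} [string:{}]", self.urn, v.len()),
        }
    }
}

// Debug routes through the mask, so {:?} and derived Debug on owners cannot leak.
impl fmt::Debug for MaskedSecret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str(&self.masked_value())
    }
}

// A containing struct can derive Debug without exposing the value.
#[derive(Debug)]
pub struct Config {
    pub api_key: MaskedSecret,
}

fn main() {
    let mut cfg = Config { api_key: MaskedSecret::new("urn:secrets-rs:env:API_KEY") };
    println!("{:?}", cfg); // unbound mask
    cfg.api_key.bind("s3cr3t-token"); // constructed sample value
    println!("{:?} {}", cfg, cfg.api_key.value().is_ok());
}
```

A check like the final `contains` assertion in a unit test is a cheap regression guard against someone later deriving or hand-writing a formatter that prints the inner value.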
Implementations
impl<T: SecretValue> Secret<T>
pub fn new(urn_str: &str) -> Result<Self, UrnParseError>
Creates an unbound secret from a URN string.
pub fn urn(&self) -> &Urn
Returns the URN that identifies this secret.
The URN is available regardless of whether the secret has been bound. It contains only the source identifier and secret name — never the secret value — so it is safe to log, store, or compare.
The primary use case is constructing a second unbound secret with the same identity, for example to hand the same logical secret to two independent subsystems that each bind it separately:
let original: Secret<String> =
    Secret::new("urn:secrets-rs:env:API_KEY").unwrap();
// Create a second unbound secret with the same URN.
let copy: Secret<String> =
    Secret::new(&original.urn().to_string()).unwrap();
pub fn value(&self) -> Result<&T, UnboundError>
Returns the secret value, or an UnboundError if not yet bound.
pub fn masked_value(&self) -> String
Returns the masked value string — safe to log or serialize by default.
Trait Implementations
impl<T: SecretValue> Debug for Secret<T>
Always displays the masked value — the real value is never revealed via Debug.
impl<'de, T: SecretValue> Deserialize<'de> for Secret<T>
Deserializes a Secret<T> from a URN string, producing an unbound secret.
The input must be a valid urn:secrets-rs:<source_id>:<name> string.
Any other value is rejected with a descriptive error. The resulting secret
must be bound via bind_all before its value can be accessed.