Skip to main content

Crate secretspec

Crate secretspec 

Source
Expand description

SecretSpec - A declarative secrets manager for development workflows

This library provides a type-safe, declarative way to manage secrets and environment variables across different environments and storage backends.

§Features

  • Declarative Configuration: Define secrets in secretspec.toml
  • Multiple Providers: Keyring, dotenv, environment variables, OnePassword, LastPass
  • Profile Support: Different configurations for development, staging, production
  • Type Safety: Optional compile-time code generation for strongly-typed access
  • Validation: Ensure all required secrets are present before running applications

§Example

// Generate typed structs from secretspec.toml
secretspec_derive::declare_secrets!("secretspec.toml");

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Load secrets and configure provider/profile
    let mut spec = Secrets::load()?;
    spec.set_provider("keyring");  // Can use provider name or URI like "dotenv:/path/to/.env"
    spec.set_profile("development");
     
    // Validate and get secrets
    let secrets = match spec.validate()? {
        Ok(validated) => validated,
        Err(errors) => return Err(format!("Missing secrets: {}", errors).into()),
    };

    // Access secrets (field names are lowercased)
    println!("Database: {}", secrets.resolved.secrets.get("DATABASE_URL").unwrap());

    // Access profile and provider information
    println!("Using profile: {}", secrets.resolved.profile);
    println!("Using provider: {}", secrets.resolved.provider);

    Ok(())
}

Modules§

cli
codegen
The shared codegen intermediate representation (IR).

Structs§

ResolutionReport
A complete, value-free snapshot of one resolution pass over a profile.
ResolveResponse
A complete value-carrying resolution result for one profile.
Resolved
Container for resolved secrets with their context.
ResolvedSecret
One resolved secret. Exactly one of value or path is set: path when the secret is materialized to a temp file (as_path), value otherwise.
SecretResolution
The resolution outcome for one declared secret. Never carries the value.
Secrets
The main entry point for the secretspec library
ValidatedSecrets
Container for validated secrets with metadata

Enums§

ResolutionStatus
How a single declared secret resolved.
ResolvedSource
Where a resolved value came from.
SecretSpecError
The main error type for secretspec operations

Constants§

RESOLUTION_REPORT_SCHEMA_VERSION
Version of the ResolutionReport wire format.
RESOLVE_SCHEMA_VERSION
Version of the ResolveResponse wire format.

Traits§

Provider
Trait defining the interface for secret storage providers.

Functions§

resolve_json
Resolve secrets from a JSON request string and return the JSON response envelope: {"ok": true, "response": <ResolveResponse | ResolutionReport>} or {"ok": false, "error": {"kind", "message"}}.

Type Aliases§

Result
A type alias for Result<T, SecretSpecError>