
sigillum_core/
traits.rs

1use secrecy::SecretString;
2
3use crate::VaultError;
4
/// Core secret storage interface.
///
/// Provides two-tier secret management:
/// - Tier 1: API keys stored in plaintext (no unlock required)
/// - Tier 2: Secrets encrypted with AES-256-GCM (unlock required)
///
/// # Security notes
///
/// - Tier 1 values are not encrypted at rest, so their confidentiality rests
///   entirely on access control to whatever backing storage the implementor
///   uses. Anything that must survive disclosure of that storage belongs in
///   Tier 2.
/// - Getters hand values back as `SecretString`; setters accept a plain
///   `&str`, so wiping the caller-side copy of the value remains the
///   caller's responsibility.
/// - Every method takes `&self` and the trait requires `Send + Sync`, so
///   implementors need thread-safe interior mutability for the mutating
///   calls.
pub trait SecretStore: Send + Sync {
    // — Tier 1 (plaintext, no unlock) —

    /// Looks up the Tier 1 API key stored under `key`.
    ///
    /// Returns `None` when no value is available for `key`.
    fn get_api_key(&self, key: &str) -> Option<SecretString>;

    /// Stores `value` as the Tier 1 API key named `key`.
    ///
    /// NOTE(review): whether an existing entry is overwritten is up to the
    /// implementor — confirm before relying on it.
    fn set_api_key(&self, key: &str, value: &str) -> Result<(), VaultError>;

    /// Removes the Tier 1 API key named `key`.
    ///
    /// NOTE(review): the trait does not say whether deleting a missing key
    /// is an error — confirm against the implementation.
    fn delete_api_key(&self, key: &str) -> Result<(), VaultError>;

    /// Lists the Tier 1 entries.
    ///
    /// Presumably returns key names only, never values — verify against the
    /// implementation, since the return type is plain `String`.
    fn list_api_keys(&self) -> Vec<String>;

    // — Tier 2 (encrypted, requires unlock) —

    /// Looks up the Tier 2 secret stored under `key`.
    ///
    /// NOTE(review): the `Option` return cannot distinguish "no such secret"
    /// from "vault is locked" or "decryption failed". Callers that need to
    /// tell these apart should check [`SecretStore::is_unlocked`] first;
    /// confirm how the implementation reports an authentication-tag failure.
    fn get_secret(&self, key: &str) -> Option<SecretString>;

    /// Stores `value` as the Tier 2 secret named `key`.
    ///
    /// Presumably fails with a `VaultError` while the vault is locked —
    /// TODO confirm.
    fn set_secret(&self, key: &str, value: &str) -> Result<(), VaultError>;

    /// Removes the Tier 2 secret named `key`.
    ///
    /// NOTE(review): whether deletion requires an unlocked vault is not
    /// stated by the trait — confirm.
    fn delete_secret(&self, key: &str) -> Result<(), VaultError>;

    /// Lists the Tier 2 entries.
    ///
    /// NOTE(review): if this works while locked, secret names are readable
    /// without the master key; treat names as non-confidential metadata or
    /// confirm they are protected.
    fn list_secrets(&self) -> Vec<String>;

    // — Common —

    /// Reports whether an entry named `key` exists.
    ///
    /// NOTE(review): the signature does not say which tier is consulted
    /// (Tier 1, Tier 2, or both) — confirm against the implementation.
    fn has_key(&self, key: &str) -> bool;

    /// Reports whether the vault is currently unlocked, i.e. whether Tier 2
    /// operations can be served.
    fn is_unlocked(&self) -> bool;
}
30
/// Vault lifecycle management (unlock, lock, initialize).
///
/// Separated from `SecretStore` because most consumers only need
/// read/write access — only the unlock manager (CLI, daemon, FIDO2)
/// needs lifecycle control.
///
/// Keeping this as a separate supertrait-bound trait also means code that
/// is handed only a `SecretStore` has no way to load or wipe the master key.
pub trait VaultLifecycle: SecretStore {
    /// Hands the 32-byte master key to the vault.
    ///
    /// `[u8; 32]` is `Copy` and is passed by value, so the caller's copy is
    /// left untouched by this call; callers should wipe their own buffer
    /// afterwards.
    ///
    /// NOTE(review): `initialize` borrows the key while this method takes it
    /// by value. A borrow or a zeroize-on-drop wrapper would avoid leaving
    /// extra copies of key material behind — consider aligning the two.
    ///
    /// NOTE(review): there is no return value, so a wrong key cannot be
    /// reported from here — confirm where key validation happens.
    fn load_master_key(&self, key: [u8; 32]);

    /// Discards the loaded master key.
    ///
    /// Presumably overwrites the in-memory key and returns the vault to the
    /// locked state — TODO confirm that `is_unlocked` reports `false`
    /// afterwards.
    fn zeroize_master_key(&self);

    /// Initializes the vault for use with `master_key`.
    ///
    /// The 32-byte length matches an AES-256 key; presumably this is the key
    /// used for Tier 2 encryption — TODO confirm.
    ///
    /// NOTE(review): behavior on an already-initialized vault is not stated
    /// by the trait — confirm that it cannot silently replace existing data.
    fn initialize(&self, master_key: &[u8; 32]) -> Result<(), VaultError>;
}