Secret reference types shared across smolvm surfaces.
A SecretRef is a pointer to a secret. Refs travel across trust
boundaries (HTTP request bodies, persisted VM records, .smolmachine
pack manifests); resolved plaintext values do not.
This crate carries only the shape of a ref — the on-the-wire and
on-disk representation plus trivial introspection. The validation
policy (which source kinds are allowed at which trust boundary)
lives in the host crate alongside the code that enforces it. See
smolvm::secrets for ResolutionScope and validate_ref.
Structs
- SecretRef - A reference to a secret. Exactly one of the three sources must be
populated; validation is performed by the host crate’s
validate_ref (policy lives where it’s enforced).
Enums
- SecretSourceKind - Which source a SecretRef points at, independent of the data inside. Used by audit logging so the logger never sees the path or env-var name (which can themselves be revealing).
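
The two invariants described above (exactly one source populated, and audit logging that sees only the kind) sketched as an added example; this is not smolvm's code. `DemoRef`, `DemoKind`, the field names and `audit_line` are hypothetical stand-ins, and the third source, which this page does not name, is a placeholder.

```rust
// Hypothetical stand-ins for illustration; not the crate's real definitions.
#[derive(Debug, Clone, Copy, PartialEq)]
enum DemoKind { Env, File, Other }

#[derive(Default)]
struct DemoRef {
    env: Option<String>,   // env-var name (assumed field name)
    file: Option<String>,  // filesystem path (assumed field name)
    other: Option<String>, // third source: not named on the page, placeholder
}

impl DemoRef {
    /// Returns the source kind only when exactly one source is populated.
    fn kind(&self) -> Result<DemoKind, &'static str> {
        let set = [
            (self.env.is_some(), DemoKind::Env),
            (self.file.is_some(), DemoKind::File),
            (self.other.is_some(), DemoKind::Other),
        ];
        let mut populated = set.iter().filter(|(on, _)| *on).map(|(_, k)| *k);
        match (populated.next(), populated.next()) {
            (Some(k), None) => Ok(k),
            (None, _) => Err("no source populated"),
            (Some(_), Some(_)) => Err("more than one source populated"),
        }
    }
}

/// Builds the audit line from the kind alone, so the env-var name or path
/// inside the ref never reaches the logger.
fn audit_line(action: &str, r: &DemoRef) -> String {
    match r.kind() {
        Ok(k) => format!("secret_ref action={action} kind={k:?}"),
        Err(e) => format!("secret_ref action={action} rejected={e:?}"),
    }
}

fn main() {
    // Constructed sample ref; the path is made up for the demo.
    let r = DemoRef { file: Some("/run/secrets/db_password".into()), ..Default::default() };
    println!("{}", audit_line("resolve", &r));
}
```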