
Module pullconfig


Pull configuration — parsing .tsafe.yml / .tsafe.json repo manifests.

A pull config file declares one or more PullSources (Azure Key Vault, HashiCorp Vault, 1Password) that tsafe pull reads secrets from. The file is searched upward from the current directory via find_config.

§ADR-012 fields

Every source entry may declare two optional fields defined by ADR-012:

  • name: a label used by --source <label> filtering. Sources without a name field are always included in unfiltered runs but cannot be selected with --source.
  • ns: a namespace prefix applied to every key fetched from this source. A key named DB_PASSWORD from a source with ns: prod is stored as prod.DB_PASSWORD. The separator is a dot (.), matching the vault’s existing namespace convention.
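
The selection and prefixing rules above, as an added example that is not tsafe's own code. `Source`, `select`, `stored_key` and `sample` are hypothetical names, and the manifest entries are constructed.

```rust
// Added illustration of the ADR-012 rules; `Source`, `select` and `stored_key`
// are hypothetical names, not tsafe's API. The sample manifest is constructed.

/// Stand-in for one entry under `pulls:`.
#[derive(Debug)]
struct Source {
    source: &'static str,
    name: Option<&'static str>,
    ns: Option<&'static str>,
}

/// `--source <label>` filtering: with no filter every source runs; with a
/// filter only an exact `name` match runs, so unnamed sources are skipped.
fn select<'a>(sources: &'a [Source], filter: Option<&str>) -> Vec<&'a Source> {
    sources
        .iter()
        .filter(|s| filter.map_or(true, |label| s.name == Some(label)))
        .collect()
}

/// Key under which a fetched secret is stored: `<ns>.<key>`, or the bare key
/// when the source declares no `ns`.
fn stored_key(src: &Source, key: &str) -> String {
    match src.ns {
        Some(ns) => format!("{}.{}", ns, key),
        None => key.to_string(),
    }
}

/// Constructed manifest: two named sources and one unnamed. Only `hcp` is
/// used because it is the only `source:` value shown on this page.
fn sample() -> Vec<Source> {
    vec![
        Source { source: "hcp", name: Some("prod"), ns: Some("prod") },
        Source { source: "hcp", name: Some("staging"), ns: Some("staging") },
        Source { source: "hcp", name: None, ns: None },
    ]
}

fn main() {
    let sources = sample();
    for filter in [None, Some("prod")] {
        for s in select(&sources, filter) {
            println!("{:?}: {} -> {}", filter, s.source, stored_key(s, "DB_PASSWORD"));
        }
    }
}
```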

§HCP Vault auth fields (task E2.4)

The hcp source variant supports two authentication methods via the auth sub-key:

# Token auth (legacy default — reads VAULT_TOKEN env var at runtime):
pulls:
  - source: hcp
    auth:
      method: token

# AppRole auth (machine identity):
pulls:
  - source: hcp
    auth:
      method: approle
      role_id: my-role
      secret_id: ${VAULT_SECRET_ID}   # env var expansion supported

Namespace support (HCP Vault Enterprise):

pulls:
  - source: hcp
    vault_url: https://vault.example.com:8200
    vault_namespace: team-alpha

Structs§

PullConfig
Top-level pull configuration parsed from .tsafe.yml or .tsafe.json.

Enums§

PullSource
A single pull source definition.
VaultAuthConfig
Authentication method declared in the pull manifest for a HashiCorp Vault source.

Functions§

expand_env_var_str
Expand a single ${VAR_NAME} placeholder in s.
find_config
Search upward from start for .tsafe.yml / .tsafe.json.
load
Parse a pull configuration file (YAML or JSON).