Crate zlayer_secrets

Expand description

ZLayer Secrets Management

Provides secure storage and retrieval of secrets for container workloads.

Secrets are organized hierarchically:

$S:secret-name - Deployment-level secret
$S:@service/secret-name - Service-specific secret
$secret://<env>/<KEY> - Environment-scoped secret (requires an EnvScopeProvider wired via SecretsResolver::with_env_resolver)
$secret://<env>/<KEY>/<field> - With JSON field extraction

Re-exports§

client_keys: Persistent storage for SDK / browser client public keys, used as recipients for sealed-box secret reads. Shares the secrets SQLite database with PersistentSecretsStore.
credentials: Credential store for API authentication.
git_credentials: Typed credential store for Git authentication (PAT or SSH key).
registry_credentials: Typed credential store for Docker/OCI registry authentication.
sealed: NaCl sealed-box wrapper for recipient-encrypted secret reads.

EncryptionKey: Encryption key with secure memory handling.
JwtSecretManager: Manages the API daemon’s JWT signing secret.
KeyManager: Manages encryption keys for secret storage.
PersistentSecretsStore: Persistent secrets store backed by SQLite with encryption.
RotationResult: Result of a secret rotation — records the version before and after the rotate call.
Secret: A secure secret wrapper that provides memory safety guarantees.
SecretMetadata: Metadata associated with a stored secret.
SecretRef: A reference to a secret, parsed from the $S: prefix syntax.
SecretsResolver: Resolver for secret references in configuration values.

ENV_JWT_SECRET: Environment variable name for the operator-supplied JWT secret.

EnvScopeProvider: Resolves an environment name-or-id to the scope string used by the underlying SecretsStore.
SecretsProvider: Read-only secrets provider trait.
SecretsStore: Read-write secrets store trait.