Struct SecretRef 

pub struct SecretRef {
    pub name: String,
    pub service: Option<String>,
    pub project: Option<String>,
    pub environment: Option<String>,
    pub field: Option<String>,
}

A reference to a secret, parsed from the $S: prefix syntax.

Formats

• $S:name - Deployment-level secret
• $S:name/field - Deployment-level secret with JSON field extraction
• $S:@service/name[/field] - Service-level secret
• $S::env/name[/field] - Environment-scoped secret (global environment)
• $S:project:env/name[/field] - Project-scoped environment secret

Environment-scope disambiguation

Environment-scoped references require a colon in the scope segment so they cannot be confused with the legacy deployment-level name/field form. The leading colon in $S::env/name marks “no project, scope is environment env”. The $S:project:env/name form is unambiguous because it already contains a colon.

Fields

name: String

The name of the secret.

service: Option<String>

Optional service name (for service-scoped secrets).

project: Option<String>

Optional project name (for project-scoped environment secrets).

environment: Option<String>

Optional environment name (for environment-scoped secrets).

field: Option<String>

Optional field to extract from a structured secret (e.g., JSON).

Implementations

impl SecretRef

pub const PREFIX: &'static str = "$S:"

The prefix used to identify secret references in configuration values.

pub fn is_secret_ref(value: &str) -> bool

Check if a string value is a secret reference.

pub fn parse(value: &str) -> Option<Self>

Parse a secret reference from a string.

Formats

• $S:name - Deployment-level secret
• $S:name/field - Deployment-level secret with JSON field extraction
• $S:@service/name[/field] - Service-level secret
• $S::env/name[/field] - Environment-scoped secret (global environment)
• $S:project:env/name[/field] - Project-scoped environment secret

Returns None if the string is not a valid secret reference.

pub fn to_scope(&self, deployment: &str) -> SecretScope

Convert this reference to a SecretScope for a given deployment.

Environment/project scopes are not representable by SecretScope (which only models deployment vs service); those references fall back to a deployment-level scope and must be resolved by a higher layer that understands environment and project scoping.

pub fn is_deployment_level(&self) -> bool

Check if this is a deployment-level secret reference.

pub fn is_service_level(&self) -> bool

Check if this is a service-level secret reference.

pub fn is_environment_level(&self) -> bool

Check if this reference is environment-scoped (with or without a project).

pub fn is_project_environment_level(&self) -> bool

Check if this reference is scoped to a project environment.

pub fn has_field(&self) -> bool

Check if this reference includes field extraction.

Trait Implementations

impl Clone for SecretRef

fn clone(&self) -> SecretRef

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for SecretRef

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for SecretRef

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Display for SecretRef

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl PartialEq for SecretRef

fn eq(&self, other: &SecretRef) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for SecretRef

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.

impl Eq for SecretRef

impl StructuralPartialEq for SecretRef