Overview
Package vault resolves secret references from external vault providers. Config fields like "1pw://DevVault/GitHub PAT/token" are transparently resolved to their plaintext values at startup, avoiding the need for pre-populated environment variables.
Functions
func IsSecretRef
IsSecretRef reports whether s looks like a vault secret reference. Currently recognizes "1pw://" (1Password).
Types

type Config

type Config struct {
	Provider string `mapstructure:"provider"`
	Account  string `mapstructure:"account"`
}
Config holds the vault configuration from .humanconfig.
func ReadConfig
ReadConfig reads the vault section from .humanconfig in dir. Returns nil if no vault section is present or the file is missing.
type OnePassword

type OnePassword struct {
	// Account is the 1Password account name (shown top-left in the desktop app sidebar).
	Account string
	// IntegrationName identifies this integration to 1Password.
	IntegrationName string
	// IntegrationVersion identifies the version to 1Password.
	IntegrationVersion string
	// contains filtered or unexported fields
}
OnePassword resolves 1pw:// secret references using the 1Password Go SDK. It lazily initializes the SDK client on first use via the desktop app integration, which triggers biometric/master password authentication.
func NewOnePassword
func NewOnePassword(account string) *OnePassword
NewOnePassword creates a 1Password provider using the SDK. The account parameter is the 1Password account name used for desktop app integration (biometric/master password authentication).
func (*OnePassword) CanResolve
func (o *OnePassword) CanResolve(ref string) bool
CanResolve reports whether ref is a 1Password reference (1pw:// prefix).
type OpCLI

type OpCLI struct {
	// Binary is the op CLI binary name. Defaults to "op.exe" for WSL2.
	Binary string
	// contains filtered or unexported fields
}
OpCLI resolves 1pw:// secret references by shelling out to the 1Password CLI. This is the fallback for WSL2 where the Go SDK cannot reach the Windows 1Password desktop app.
func (*OpCLI) CanResolve
CanResolve reports whether ref is a 1Password reference (1pw:// prefix).
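The following is an added example, not the package's own OpCLI implementation, showing the part of a shell-out provider that deserves the most care: the reference is parsed and validated into an argv that is handed to the OS directly (exec.CommandContext, never a shell), so a config value such as "1pw://DevVault/GitHub PAT/token" can contain spaces or other characters without any quoting concerns. The Runner type, NewOpCLI, ParseRef, Args, the Timeout field and the mapping of 1pw:// onto the CLI's op:// secret-reference form are assumptions of this example; "op.exe" as the default binary and the 1pw://vault/item/field layout come from the documentation above.

```go
package main

import (
	"context"
	"fmt"
	"os/exec"
	"strings"
	"time"
)

// Runner executes an argv and returns its stdout. It is injected so the example
// can run without the real op binary; ExecRunner is the production path.
type Runner func(ctx context.Context, name string, args ...string) ([]byte, error)

// ExecRunner passes the argv straight to the OS: no shell is involved, so
// nothing inside a reference is ever interpreted as shell syntax.
func ExecRunner(ctx context.Context, name string, args ...string) ([]byte, error) {
	return exec.CommandContext(ctx, name, args...).Output()
}

// OpCLI resolves 1pw:// references by invoking the 1Password CLI (example type).
type OpCLI struct {
	Binary  string        // defaults to "op.exe", as the package does for WSL2
	Account string        // passed via op's global --account flag when set
	Timeout time.Duration // bound on how long a CLI call (and its auth prompt) may block
	run     Runner
}

// NewOpCLI is a hypothetical constructor; a nil runner means "really exec op".
func NewOpCLI(account string, run Runner) *OpCLI {
	if run == nil {
		run = ExecRunner
	}
	return &OpCLI{Binary: "op.exe", Account: account, Timeout: 60 * time.Second, run: run}
}

func (o *OpCLI) CanResolve(ref string) bool { return strings.HasPrefix(ref, "1pw://") }

// ParseRef splits "1pw://vault/item/field" into exactly three non-empty parts.
// Anything else is rejected before it gets anywhere near the CLI.
func ParseRef(ref string) (vault, item, field string, err error) {
	if !strings.HasPrefix(ref, "1pw://") {
		return "", "", "", fmt.Errorf("op: not a 1pw:// reference: %q", ref)
	}
	parts := strings.Split(strings.TrimPrefix(ref, "1pw://"), "/")
	if len(parts) != 3 {
		return "", "", "", fmt.Errorf("op: reference must be 1pw://vault/item/field, got %q", ref)
	}
	for _, p := range parts {
		if p == "" || strings.ContainsAny(p, "\r\n\x00") {
			return "", "", "", fmt.Errorf("op: invalid segment in %q", ref)
		}
	}
	return parts[0], parts[1], parts[2], nil
}

// Args builds the argv for `op read`, which takes an op://vault/item/field
// secret reference. Translating 1pw:// to op:// is this example's assumption.
func (o *OpCLI) Args(ref string) ([]string, error) {
	vault, item, field, err := ParseRef(ref)
	if err != nil {
		return nil, err
	}
	var args []string
	if o.Account != "" {
		args = append(args, "--account", o.Account)
	}
	return append(args, "read", fmt.Sprintf("op://%s/%s/%s", vault, item, field)), nil
}

// Resolve runs the CLI and returns stdout with the trailing newline removed.
func (o *OpCLI) Resolve(ref string) (string, error) {
	args, err := o.Args(ref)
	if err != nil {
		return "", err
	}
	ctx := context.Background()
	if o.Timeout > 0 {
		var cancel context.CancelFunc
		ctx, cancel = context.WithTimeout(ctx, o.Timeout)
		defer cancel()
	}
	out, err := o.run(ctx, o.Binary, args...)
	if err != nil {
		// The argv is safe to log: it names the item, not the secret value.
		return "", fmt.Errorf("op: %s %s: %w", o.Binary, strings.Join(args, " "), err)
	}
	return strings.TrimRight(string(out), "\r\n"), nil
}

func main() {
	o := NewOpCLI("", nil)
	args, err := o.Args("1pw://DevVault/GitHub PAT/token")
	fmt.Println(args, err)
}
```

The timeout matters operationally: an `op` invocation can block on an authentication prompt nobody is looking at, and without a bound the daemon's config load hangs with it.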
type Resolver

type Resolver struct {
	// contains filtered or unexported fields
}
Resolver coordinates multiple SecretProviders. It is created once at daemon startup and shared across all config loading. Secrets are resolved on every call — no caching — so plaintext values do not persist in daemon memory.
func NewResolver
func NewResolver(providers ...SecretProvider) *Resolver
NewResolver creates a Resolver with the given providers. Providers are tried in order; the first whose CanResolve returns true wins.
func NewResolverFromConfig
NewResolverFromConfig creates a Resolver based on the vault configuration. Returns nil if cfg is nil or the provider is unrecognized (graceful no-op).
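An added example, not the package's own code, of the coordination contract described above: providers are tried in order, the first whose CanResolve returns true wins, nothing is cached between calls, and a nil Resolver (the documented "graceful no-op" when no vault is configured) passes values through untouched. ResolveFields, ErrNoProvider and the in-memory MemProvider (standing in for OnePassword and OpCLI so the example runs offline) are assumptions of this example; IsSecretRef, NewResolver and the SecretProvider interface follow the documentation.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SecretProvider mirrors the interface documented for package vault.
type SecretProvider interface {
	Resolve(ref string) (string, error)
	CanResolve(ref string) bool
}

// IsSecretRef follows the documented rule: only the "1pw://" scheme is recognised.
func IsSecretRef(s string) bool {
	return strings.HasPrefix(s, "1pw://")
}

// Resolver tries providers in order; the first whose CanResolve returns true wins.
type Resolver struct {
	providers []SecretProvider
}

// NewResolver creates a Resolver with the given providers, in priority order.
func NewResolver(providers ...SecretProvider) *Resolver {
	return &Resolver{providers: providers}
}

// ErrNoProvider is returned when no configured provider claims a reference.
var ErrNoProvider = errors.New("vault: no provider can resolve reference")

// Resolve hands ref to the first matching provider. Nothing is cached here:
// every call goes back to the provider, so plaintext never lingers in Resolver.
func (r *Resolver) Resolve(ref string) (string, error) {
	for _, p := range r.providers {
		if p.CanResolve(ref) {
			return p.Resolve(ref)
		}
	}
	return "", fmt.Errorf("%w: %q", ErrNoProvider, ref)
}

// ResolveFields replaces each config value that looks like a secret reference
// with its plaintext and leaves ordinary values untouched. A nil *Resolver is a
// no-op (references pass through unchanged), mirroring the nil return that
// NewResolverFromConfig is documented to give when no vault is configured.
func (r *Resolver) ResolveFields(cfg map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(cfg))
	for key, val := range cfg {
		if r == nil || !IsSecretRef(val) {
			out[key] = val
			continue
		}
		plain, err := r.Resolve(val)
		if err != nil {
			return nil, fmt.Errorf("config field %q: %w", key, err)
		}
		out[key] = plain
	}
	return out, nil
}

// MemProvider is a constructed in-memory stand-in for OnePassword/OpCLI so the
// example runs offline; it is not part of the package.
type MemProvider struct {
	Scheme  string            // e.g. "1pw://"
	Secrets map[string]string // reference -> plaintext (constructed sample data)
	Calls   int               // how many times Resolve ran, to show nothing is cached
}

func (m *MemProvider) CanResolve(ref string) bool { return strings.HasPrefix(ref, m.Scheme) }

func (m *MemProvider) Resolve(ref string) (string, error) {
	m.Calls++
	v, ok := m.Secrets[ref]
	if !ok {
		return "", fmt.Errorf("%s provider: item not found: %q", m.Scheme, ref)
	}
	return v, nil
}

func main() {
	primary := &MemProvider{Scheme: "1pw://", Secrets: map[string]string{
		"1pw://DevVault/GitHub PAT/token": "ghp_constructed_sample", // constructed value
	}}
	r := NewResolver(primary)
	cfg := map[string]string{"token": "1pw://DevVault/GitHub PAT/token", "repo": "octo/repo"}
	resolved, err := r.ResolveFields(cfg)
	fmt.Println(resolved, err)
}
```

Because the error from a missing item is wrapped with the config field name rather than the plaintext, a failed startup can be diagnosed from logs without ever writing a secret into them.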
type SecretProvider

type SecretProvider interface {
	// Resolve returns the plaintext value for the given reference.
	// The reference format is provider-specific (e.g. "1pw://vault/item/field").
	Resolve(ref string) (string, error)
	// CanResolve reports whether this provider handles the given reference.
	CanResolve(ref string) bool
}
SecretProvider resolves a secret reference to its plaintext value. Implementations must be safe for concurrent use.
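The concurrency requirement above interacts with the lazy initialization that OnePassword is documented to do on first use: if several config loads race on the first Resolve, a careless implementation would build several SDK clients and trigger several authentication prompts. The added example below (not the package's code; the fakeClient, LazyProvider, NewLazyProvider, InitCount and demoConnect names are this example's assumptions, and the real 1Password SDK is not used) shows one way to meet the contract: a mutex serializes initialization so exactly one connect runs however many goroutines arrive, and a failed connect is deliberately not cached, so a dismissed prompt does not leave the provider permanently broken for the life of the daemon.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
)

// SecretProvider mirrors the interface documented for package vault.
type SecretProvider interface {
	Resolve(ref string) (string, error)
	CanResolve(ref string) bool
}

// fakeClient stands in for the 1Password SDK client (constructed for this
// example; the real SDK is not used). Building it is the step the real provider
// defers until first use, because it prompts for biometric/master password auth.
type fakeClient struct {
	items map[string]string // "vault/item/field" -> plaintext (constructed data)
}

// LazyProvider initializes its client on first use and is safe for concurrent
// callers. The mutex serializes initialization, so racing callers cannot each
// trigger an authentication prompt; a failed connect leaves client nil so the
// next caller retries instead of inheriting a cached error.
type LazyProvider struct {
	mu      sync.Mutex
	client  *fakeClient
	inits   int
	connect func() (*fakeClient, error)
}

var _ SecretProvider = (*LazyProvider)(nil) // compile-time interface check

// NewLazyProvider takes the (hypothetical) connect function so tests can inject
// success and failure without any desktop-app integration.
func NewLazyProvider(connect func() (*fakeClient, error)) *LazyProvider {
	return &LazyProvider{connect: connect}
}

func (p *LazyProvider) CanResolve(ref string) bool { return strings.HasPrefix(ref, "1pw://") }

// getClient returns the shared client, creating it on the first successful call.
func (p *LazyProvider) getClient() (*fakeClient, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	if p.client != nil {
		return p.client, nil
	}
	p.inits++
	c, err := p.connect()
	if err != nil {
		return nil, err // client stays nil: the next caller retries
	}
	p.client = c
	return c, nil
}

func (p *LazyProvider) Resolve(ref string) (string, error) {
	if !p.CanResolve(ref) {
		return "", fmt.Errorf("1password: unsupported reference %q", ref)
	}
	c, err := p.getClient()
	if err != nil {
		return "", fmt.Errorf("1password: connect: %w", err)
	}
	v, ok := c.items[strings.TrimPrefix(ref, "1pw://")]
	if !ok {
		return "", fmt.Errorf("1password: item not found: %q", ref)
	}
	return v, nil
}

// InitCount reports how many connect attempts ran (1 after any successful use,
// however many goroutines raced on it).
func (p *LazyProvider) InitCount() int {
	p.mu.Lock()
	defer p.mu.Unlock()
	return p.inits
}

// demoConnect is a constructed connector that "authenticates" instantly.
func demoConnect() (*fakeClient, error) {
	return &fakeClient{items: map[string]string{"DevVault/GitHub PAT/token": "ghp_constructed_sample"}}, nil
}

func main() {
	p := NewLazyProvider(demoConnect)
	var wg sync.WaitGroup
	for i := 0; i < 16; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			_, _ = p.Resolve("1pw://DevVault/GitHub PAT/token")
		}()
	}
	wg.Wait()
	fmt.Println("connect attempts:", p.InitCount())
}
```

A sync.Once would give the same single-initialization guarantee with less code, but it also freezes the first outcome: after one failed connect every later Resolve would return the same stale error, which is the wrong behaviour when the failure was a user declining a prompt.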