vault

package
v0.19.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 27, 2026 License: MIT Imports: 10 Imported by: 0

Documentation

Overview

Package vault resolves secret references from external vault providers. Config fields like "1pw://DevVault/GitHub PAT/token" are transparently resolved to their plaintext values at startup, avoiding the need for pre-populated environment variables.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func IsSecretRef 

func IsSecretRef(s string) bool

IsSecretRef reports whether s looks like a vault secret reference. Currently recognizes "1pw://" (1Password).

func ResolveField 

func ResolveField(r *Resolver, value string) (string, error)

ResolveField resolves a single config field value through the vault. If the resolver is nil, the original value is returned unchanged.

func WithResolver 

func WithResolver(ctx context.Context, r *Resolver) context.Context

WithResolver returns ctx augmented with the given vault Resolver. The daemon attaches its session-scoped resolver so per-request command execution reuses the same provider instance instead of creating a new one on every request.

Types

type Config 

type Config struct {
	Provider string `mapstructure:"provider"`
	Account  string `mapstructure:"account"`
}

Config holds the vault configuration from .humanconfig.

func ReadConfig 

func ReadConfig(dir string) (*Config, error)

ReadConfig reads the vault section from .humanconfig in dir. Returns (nil, nil) when the config file is absent or when the file is present but has no vault section. Returns a non-nil error when the config file itself fails to parse — the caller must decide whether to fail or continue without vault resolution.

type OnePassword 

type OnePassword struct {
	// Account is the 1Password account name (shown top-left in the desktop app sidebar).
	Account string
	// IntegrationName identifies this integration to 1Password.
	IntegrationName string
	// IntegrationVersion identifies the version to 1Password.
	IntegrationVersion string
	// contains filtered or unexported fields
}

OnePassword resolves 1pw:// secret references using the 1Password Go SDK. It lazily initializes the SDK client on first use via the desktop app integration, which triggers biometric/master password authentication.

func NewOnePassword 

func NewOnePassword(account string) *OnePassword

NewOnePassword creates a 1Password provider using the SDK. The account parameter is the 1Password account name used for desktop app integration (biometric/master password authentication).

func (*OnePassword) CanResolve 

func (o *OnePassword) CanResolve(ref string) bool

CanResolve reports whether ref is a 1Password reference (1pw:// prefix).

func (*OnePassword) Resolve 

func (o *OnePassword) Resolve(ref string) (string, error)

Resolve uses the 1Password SDK to retrieve the secret value for the given reference. It translates the 1pw:// prefix to op:// before calling the SDK.

type OpCLI 

type OpCLI struct {
	// Binary is the op CLI binary name. Defaults to "op.exe" for WSL2.
	Binary string
	// contains filtered or unexported fields
}

OpCLI resolves 1pw:// secret references by shelling out to the 1Password CLI. This is the fallback for WSL2 where the Go SDK cannot reach the Windows 1Password desktop app.

func NewOpCLI 

func NewOpCLI() *OpCLI

NewOpCLI creates a 1Password CLI provider for WSL2.

func (*OpCLI) CanResolve 

func (o *OpCLI) CanResolve(ref string) bool

CanResolve reports whether ref is a 1Password reference (1pw:// prefix).

func (*OpCLI) Resolve 

func (o *OpCLI) Resolve(ref string) (string, error)

Resolve shells out to op.exe to retrieve the secret value for the given reference. It translates the 1pw:// prefix to op:// before calling the CLI.

type Resolver 

type Resolver struct {
	// contains filtered or unexported fields
}

Resolver coordinates multiple SecretProviders. It is created once at daemon startup and injected into per-request command contexts via WithResolver so all requests share one provider instance (avoiding repeated op.exe subprocesses on WSL2). Secrets are resolved on every call — no caching — so plaintext values do not persist in daemon memory.

func NewResolver 

func NewResolver(providers ...SecretProvider) *Resolver

NewResolver creates a Resolver with the given providers. Providers are tried in order; the first whose CanResolve returns true wins.

func NewResolverFromConfig 

func NewResolverFromConfig(cfg *Config) *Resolver

NewResolverFromConfig creates a Resolver based on the vault configuration. Returns nil if cfg is nil or the provider is unrecognized (graceful no-op).

func ResolverFromContext 

func ResolverFromContext(ctx context.Context) *Resolver

ResolverFromContext returns the vault Resolver stored on ctx, or nil when none is present (direct CLI usage).

func (*Resolver) Resolve 

func (r *Resolver) Resolve(ref string) (string, error)

Resolve looks up a secret reference. If the value is not a vault reference (no provider claims it), the original value is returned unchanged.

type SecretProvider 

type SecretProvider interface {
	// Resolve returns the plaintext value for the given reference.
	// The reference format is provider-specific (e.g. "1pw://vault/item/field").
	Resolve(ref string) (string, error)

	// CanResolve reports whether this provider handles the given reference.
	CanResolve(ref string) bool
}

SecretProvider resolves a secret reference to its plaintext value. Implementations must be safe for concurrent use.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.