2 releases
| Version | Released |
|---|---|
| 0.1.1 | Apr 25, 2026 |
| 0.1.0 | Apr 25, 2026 |
#1726 in Authentication
43KB
789 lines
Application secret resolution for Styrene extensions.
Provides a simple `resolve(key)` API that checks multiple sources
in priority order:
- Project-local store — `.styrene/secrets.db` (walks up from cwd). Requires the `file-store` feature.
- User-global store — `~/.styrene/secrets.db`. Requires the `file-store` feature.
- Environment variable — `STYRENE_SECRET_{KEY}` (key uppercased, dots and dashes become underscores). Always available. Emits a warning on stderr when used, nudging toward the encrypted store.
The encrypted store is unlocked via OS keychain (with the `keychain` feature)
or the `STYRENE_SECRETS_PASSPHRASE` env var. Keychain is preferred —
it provides zero-interaction encrypted secrets.
Secret values are `secrecy::SecretBox`-wrapped, zeroized on drop,
and redacted in `Debug` output.
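An added example (not code from the styrene-secrets crate) that re-implements the lookup order and the env var naming rule described above with only the standard library, so you can audit which sources could answer for a key on a given machine. The function names are hypothetical and the mapping is assumed to be exactly as the text states; note that it is lossy, so `forge.github.token` and `forge-github-token` share one variable.

```rust
use std::env;
use std::path::{Path, PathBuf};

/// Env var name for a key, following the rule stated above: uppercase the key,
/// turn '.' and '-' into '_'. Re-implemented from the README text (assumption).
pub fn env_var_name(key: &str) -> String {
    let mapped: String = key
        .chars()
        .map(|c| if c == '.' || c == '-' { '_' } else { c.to_ascii_uppercase() })
        .collect();
    format!("STYRENE_SECRET_{mapped}")
}

/// Walk up from `start` and return the nearest `.styrene/secrets.db`, if any.
pub fn find_project_store(start: &Path) -> Option<PathBuf> {
    start
        .ancestors()
        .map(|dir| dir.join(".styrene").join("secrets.db"))
        .find(|candidate| candidate.is_file())
}

/// Sources, in priority order, that exist and could answer a lookup for `key`.
pub fn lookup_plan(key: &str, cwd: &Path, home: Option<&Path>) -> Vec<String> {
    let mut plan = Vec::new();
    if let Some(db) = find_project_store(cwd) {
        plan.push(format!("project store: {}", db.display()));
    }
    if let Some(db) = home.map(|h| h.join(".styrene").join("secrets.db")).filter(|p| p.is_file()) {
        plan.push(format!("user store: {}", db.display()));
    }
    let var = env_var_name(key);
    if env::var_os(&var).is_some() {
        plan.push(format!("env var: {var} (plaintext fallback)"));
    }
    plan
}

fn main() {
    let cwd = env::current_dir().expect("cwd");
    let home = env::var_os("HOME").map(PathBuf::from);
    // Constructed sample keys; the first two map to the same variable name.
    for key in ["forge.github.token", "forge-github-token", "db.password"] {
        println!("{key} -> {}", env_var_name(key));
        for source in lookup_plan(key, &cwd, home.as_deref()) {
            println!("    {source}");
        }
    }
}
```

Because the project-local lookup walks up from the working directory, a `.styrene/secrets.db` in any parent directory is a candidate source; the plan lists stores that exist, not whether they hold the key.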
Feature flags
| Feature | What it enables |
|---|---|
| (default) | Env var resolution only, `MockStore` for testing |
| `file-store` | Encrypted SQLite store, manual passphrase |
| `keychain` | `file-store` + OS keychain manages the passphrase |
Extension usage
```toml
[features]
omegon-secrets = ["dep:styrene-secrets"]

[dependencies]
styrene-secrets = { version = "0.1", optional = true, features = ["keychain"] }
```
Testing
Use `testing::MockStore` in extension tests:

```rust
use styrene_secrets::testing::MockStore;
use styrene_secrets::value::ExposeSecret;

let store = MockStore::new(&[("forge.github.token", "ghp_test")]);
let token = store.get("forge.github.token").unwrap();
assert_eq!(token.expose_secret().as_slice(), b"ghp_test");
```
Dependencies
~0.2–4MB
~81K SLoC