blobcache

Documentation

Overview

Package blobcache is a session-scoped cache of encrypted namespace blobs, so a warm `notenv run` needs no network round-trip.

It is the storage-side twin of the keyring master-key cache, and obeys the same invariant: the blob is only cached on a platform that also caches the key, with matching lifecycles. On Linux that means tmpfs (XDG_RUNTIME_DIR) paired with the kernel keyring, both RAM-backed and both gone on logout/reboot, so encrypted secrets never linger on persistent disk. Other platforms get a no-op cache until their key cache lands (macOS Keychain or Windows DPAPI).

Only ciphertext is ever cached, which is useless without the key.

Index

• func Clear() (int, error)
• type Cache
  • func New(ttl time.Duration) Cache

Functions

func Clear

func Clear() (int, error)

Clear removes every cached blob on this machine and returns the count. Works regardless of TTL/config (housekeeping / machine handoff).

Types

type Cache

type Cache interface {
	// Get returns the cached ciphertext for a blob, if present and fresh.
	Get(scope, namespace string) ([]byte, bool)
	// Put caches ciphertext best-effort.
	Put(scope, namespace string, ciphertext []byte) error
	// Drop invalidates a cached blob.
	Drop(scope, namespace string)
}

Cache stores encrypted blobs keyed by (scope, namespace), where scope is the storage base (config.CacheScope). Implementations must store only ciphertext and never on persistent disk.

func New

func New(ttl time.Duration) Cache

New returns this platform's cache. A non-positive ttl disables caching (every Get misses), as does the absence of a suitable RAM-backed store.