vault

package v0.0.0-...-39bba70 Latest

Warning: This package is not in the latest version of its module.

Published: May 13, 2026 License: MIT Imports: 14 Imported by: 0

Documentation

Overview

Package vault is the local-only secrets vault that backs Gemba Remote M3 (gm-o9t8.3.7). It stores per-workspace secrets at rest using an envelope-encryption scheme: a 256-bit key-encryption key (KEK) wraps a per-workspace data-encryption key (DEK), and the DEK encrypts each secret value via AES-256-GCM. Plaintext is never persisted and is zeroized after the caller's copy is returned.

The API is intentionally small and synchronous. A future KMS-backed backend will satisfy the same interface; this v1 is bolt-on-disk only.
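The envelope scheme in the overview, as an added, self-contained example rather than the vault package's own code: a 32-byte KEK wraps a per-workspace DEK, the DEK seals each value with AES-256-GCM, the (wsid, key) tuple is bound as associated data, and raw keys are zeroized as soon as they are no longer needed. The function names (sealGCM, wrapNewDEK, putSecret, getSecret), the AAD layout and the sample workspace and key are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope encryption as the package overview describes it (added example,
// not the vault package's code): a 32-byte KEK wraps a per-workspace 32-byte
// DEK, and the DEK seals each secret with AES-256-GCM. The (wsid, key) tuple
// is bound as associated data so a blob cannot be re-labelled under another
// workspace or key name.

const keyLen = 32

// sealGCM encrypts plaintext under a 32-byte key and returns nonce||ct||tag.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != keyLen { // aes.NewCipher would also accept 16/24; insist on 256-bit
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per seal
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; a modified blob or a mismatched aad fails to open.
func openGCM(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// zeroize overwrites a key or plaintext buffer once it is no longer needed.
func zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// tupleAAD binds a secret blob to the workspace and key it was stored under.
func tupleAAD(wsid, key string) []byte { return []byte(wsid + "\x00" + key) }

// wrapNewDEK generates a DEK for wsid and returns it wrapped under the KEK;
// only the wrapped form would ever be persisted.
func wrapNewDEK(kek []byte, wsid string) ([]byte, error) {
	dek := make([]byte, keyLen)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	defer zeroize(dek)
	return sealGCM(kek, dek, []byte(wsid))
}

// putSecret unwraps the workspace DEK and seals value under it.
func putSecret(kek, wrappedDEK []byte, wsid, key string, value []byte) ([]byte, error) {
	dek, err := openGCM(kek, wrappedDEK, []byte(wsid))
	if err != nil {
		return nil, err
	}
	defer zeroize(dek)
	return sealGCM(dek, value, tupleAAD(wsid, key))
}

// getSecret unwraps the DEK and opens the blob stored for (wsid, key).
func getSecret(kek, wrappedDEK []byte, wsid, key string, blob []byte) ([]byte, error) {
	dek, err := openGCM(kek, wrappedDEK, []byte(wsid))
	if err != nil {
		return nil, err
	}
	defer zeroize(dek)
	return openGCM(dek, blob, tupleAAD(wsid, key))
}

func main() {
	kek := make([]byte, keyLen) // constructed KEK; a real one comes from the operator
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	wrapped, _ := wrapNewDEK(kek, "ws-1")
	blob, _ := putSecret(kek, wrapped, "ws-1", "DB_PASSWORD", []byte("hunter2"))
	pt, _ := getSecret(kek, wrapped, "ws-1", "DB_PASSWORD", blob)
	fmt.Printf("recovered: %s\n", pt)
	_, err := getSecret(kek, wrapped, "ws-1", "OTHER_KEY", blob)
	fmt.Println("same blob under another key name:", err)
}
```

Binding the tuple as AAD is the detail worth copying: without it, a stored blob for one key could be swapped into another key's slot and would still decrypt cleanly.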

Index

Constants

This section is empty.

Variables

var ErrNotFound = errors.New("vault: key not found")

ErrNotFound is returned from Get when the (wsid, key) tuple has no stored value.

Functions

func WithSystemActor

func WithSystemActor(ctx context.Context) context.Context

WithSystemActor flags ctx as a system-internal call. Audit hooks suppress Get notifications when ctx carries this marker. Put and Delete always emit (they always represent operator-visible writes).

Types

type Auditor

type Auditor func(action, wsid, key string)

Auditor is the injection seam the real audit log binds onto. The function is invoked for Put, Delete, and user-initiated Get calls (system gets pass actor="system" and are skipped). A nil Auditor on Options is fine — vault.New replaces it with a no-op.
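The system-actor marker and the Auditor seam, as an added example that is independent of the vault package's implementation: an unexported context key type means only the declaring package can mint the marker, so a caller cannot silence its own reads; writes always emit; a nil Auditor becomes a no-op; and the store is mutex-guarded because the Vault contract requires concurrent safety. The in-memory map store (memStore) is a hypothetical stand-in for the bolt backend.

```go
package main

import (
	"context"
	"errors"
	"sync"
)

// Added example of the WithSystemActor marker and the Auditor hook, written
// independently of the vault package. memStore is a hypothetical in-memory
// stand-in for the real bolt-backed store.

var ErrNotFound = errors.New("vault: key not found")

type Auditor func(action, wsid, key string)

// actorKey is unexported, so no other package can forge the marker.
type actorKey struct{}

// WithSystemActor flags ctx as a system-internal call.
func WithSystemActor(ctx context.Context) context.Context {
	return context.WithValue(ctx, actorKey{}, "system")
}

func isSystemActor(ctx context.Context) bool {
	actor, _ := ctx.Value(actorKey{}).(string)
	return actor == "system"
}

type memStore struct {
	mu    sync.Mutex
	audit Auditor
	data  map[string][]byte
}

// newMemStore mirrors the nil-Auditor rule: nil is replaced with a no-op.
func newMemStore(a Auditor) *memStore {
	if a == nil {
		a = func(string, string, string) {}
	}
	return &memStore{audit: a, data: map[string][]byte{}}
}

func (s *memStore) Put(ctx context.Context, wsid, key string, value []byte) error {
	s.mu.Lock()
	s.data[wsid+"\x00"+key] = append([]byte(nil), value...)
	s.mu.Unlock()
	s.audit("put", wsid, key) // writes always emit, whatever the actor
	return nil
}

func (s *memStore) Get(ctx context.Context, wsid, key string) ([]byte, error) {
	s.mu.Lock()
	v, ok := s.data[wsid+"\x00"+key]
	s.mu.Unlock()
	if !ok {
		return nil, ErrNotFound
	}
	if !isSystemActor(ctx) { // user reads are audited; system reads are silent
		s.audit("get", wsid, key)
	}
	return append([]byte(nil), v...), nil
}

func (s *memStore) Delete(ctx context.Context, wsid, key string) error {
	s.mu.Lock()
	delete(s.data, wsid+"\x00"+key)
	s.mu.Unlock()
	s.audit("delete", wsid, key) // deletes always emit too
	return nil
}
```

Get returns a copy of the stored bytes so a caller cannot mutate the store's buffer through the returned slice.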

type Options

type Options struct {
	// Path is the on-disk path the bolt database lives at. The parent
	// directory is created with 0700 if missing.
	Path string

	// KEK is the 32-byte master key used to wrap per-workspace DEKs.
	// When nil, New reads GEMBA_VAULT_KEY as a 64-char hex string.
	KEK []byte

	// Auditor receives action/wsid/key tuples for non-system mutations
	// and reads. Optional; nil → noop.
	Auditor Auditor
}

Options configures vault construction. Path is required for production use (an in-memory option may follow later); KEK may be nil, in which case New reads the hex-encoded master key from GEMBA_VAULT_KEY. If neither is provided, New returns an error so the operator can choose the ephemeral-key path explicitly at the call site.
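The KEK resolution order this paragraph describes, as an added example that is not the package's New: an explicit Options.KEK wins, otherwise GEMBA_VAULT_KEY is read as a 64-character hex string, and the absence of both is an error rather than a silent fallback. The resolveKEK name and the injected lookup function (so the example can be exercised without touching the real environment) are assumptions made here.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// Added example of KEK resolution as the Options documentation describes it;
// this is not the vault package's own New. lookup is injected so the logic can
// be tested without setting real environment variables.

const kekLen = 32

func resolveKEK(explicit []byte, lookup func(string) (string, bool)) ([]byte, error) {
	if explicit != nil {
		if len(explicit) != kekLen {
			return nil, fmt.Errorf("vault: KEK must be %d bytes, got %d", kekLen, len(explicit))
		}
		return explicit, nil
	}
	raw, ok := lookup("GEMBA_VAULT_KEY")
	if !ok || raw == "" {
		// Neither source present: fail loudly so the operator opts into an
		// ephemeral key explicitly instead of getting one by accident.
		return nil, errors.New("vault: no KEK supplied and GEMBA_VAULT_KEY is unset")
	}
	if len(raw) != 2*kekLen {
		return nil, fmt.Errorf("vault: GEMBA_VAULT_KEY must be %d hex chars, got %d", 2*kekLen, len(raw))
	}
	kek, err := hex.DecodeString(raw)
	if err != nil {
		return nil, fmt.Errorf("vault: GEMBA_VAULT_KEY is not valid hex: %w", err)
	}
	return kek, nil
}

func main() {
	kek, err := resolveKEK(nil, os.LookupEnv)
	if err != nil {
		fmt.Println("refusing to start:", err)
		return
	}
	fmt.Printf("KEK loaded (%d bytes)\n", len(kek))
}
```

The length check runs before hex decoding so that a truncated or padded value is reported as a length problem rather than a confusing decode error.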

type Vault

type Vault interface {
	Put(ctx context.Context, wsid, key string, value []byte) error
	Get(ctx context.Context, wsid, key string) ([]byte, error)
	Delete(ctx context.Context, wsid, key string) error
	List(ctx context.Context, wsid string) ([]string, error)
	Inject(ctx context.Context, wsid string) (map[string]string, error)
}

Vault is the API contract locked in decision gm-o9t8.3.7. Implementations must be safe for concurrent use.

func New

func New(opts Options) (Vault, error)

New constructs a vault using the supplied options. The bolt file is created with 0600 permissions if it does not already exist. The caller is responsible for the lifecycle of the returned Vault — callers that need to close the underlying bolt handle should type-assert to io.Closer.
