Liking cljdoc? Tell your friends :D

hive-system.secrets.protocols

Protocols for the secrets subsystem.

ISP boundary

ISecretBackend is the DIP seam between consumers (probe, hive-mcp, etc.) and concrete secret stores (GNU pass, Bitwarden CLI, 1Password, Vault, age-encrypted files, etc.).

New backends implement this protocol; consumers depend only on the protocol. No call site needs to change to swap or add backends.

Backend contract

A backend MUST:

  • Return Result<Secret> from fetch — never raw values, never plaintext bound in a map outside the Secret type.
  • Surface :line-only? and :timeout-ms opts (may ignore others).
  • Report available? cheaply (no network round-trip if avoidable).
  • Use a stable, namespaced backend-id keyword (e.g. :pass, :bw, :op, :vault, :age).
Protocols for the secrets subsystem.

## ISP boundary

`ISecretBackend` is the DIP seam between consumers (probe, hive-mcp,
etc.) and concrete secret stores (GNU pass, Bitwarden CLI, 1Password,
Vault, age-encrypted files, etc.).

New backends implement this protocol; consumers depend only on the
protocol. No call site needs to change to swap or add backends.

## Backend contract

A backend MUST:
- Return `Result<Secret>` from `fetch` — never raw values, never
  plaintext bound in a map outside the Secret type.
- Surface `:line-only?` and `:timeout-ms` opts (may ignore others).
- Report `available?` cheaply (no network round-trip if avoidable).
- Use a stable, namespaced `backend-id` keyword (e.g. `:pass`,
  `:bw`, `:op`, `:vault`, `:age`).
raw docstring

ISecretBackendclj/sprotocol

A pluggable secret store. Implementations might wrap GNU pass, Bitwarden, 1Password, Vault, age-encrypted files, etc.

A pluggable secret store. Implementations might wrap GNU pass,
Bitwarden, 1Password, Vault, age-encrypted files, etc.

available?clj/s

(available? this)

Returns Result<bool> indicating whether the backend is usable right now. Should be cheap (no remote calls if possible).

Returns Result<bool> indicating whether the backend is usable
right now. Should be cheap (no remote calls if possible).

backend-idclj/s

(backend-id this)

Keyword identifying this backend (e.g. :pass, :bw, :op, :vault, :age). MUST be stable and unique within a process.

Keyword identifying this backend (e.g. :pass, :bw, :op, :vault, :age).
MUST be stable and unique within a process.

fetchclj/s

(fetch this key opts)

Resolve key to a Secret. Returns Result<Secret>.

opts (all optional): :line-only? — if true, return only the first non-empty line :timeout-ms — resolution timeout (default backend-specific)

Errors are namespaced under the backend (e.g. :pass/not-found, :bw/locked, :vault/permission-denied) — never leak the resolved value into the error payload.

Resolve `key` to a Secret. Returns Result<Secret>.

opts (all optional):
  :line-only?  — if true, return only the first non-empty line
  :timeout-ms  — resolution timeout (default backend-specific)

Errors are namespaced under the backend (e.g. :pass/not-found,
:bw/locked, :vault/permission-denied) — never leak the resolved
value into the error payload.
sourceraw docstring

cljdoc builds & hosts documentation for Clojure/Script libraries

Keyboard shortcuts
Ctrl+kJump to recent docs
Move to previous article
Move to next article
Ctrl+/Jump to the search field
× close