Backend registry + uniform resolution for ISecretBackend implementations.
Consumers depend on this ns + protocols.clj. They never need to know
which concrete backend (pass, bw, op, vault, age) is in use.
At process boot, register the backends you need: (registry/register! (pass/make-pass-backend)) (registry/register! (bw/make-bw-backend {:session ...}))
At call sites, resolve via a SecretRef map: (registry/fetch {:backend :pass :key "vps/r1/root"}) (registry/fetch {:backend :pass :key "vps/r1/ip" :opts {:line-only? true}})
Returns Result<Secret>.
{:backend <keyword> ;; backend-id (e.g. :pass, :bw) :key <string> ;; opaque key passed to the backend :opts <map?>} ;; optional per-fetch opts
validate-ref checks structure WITHOUT touching the backend — pure,
safe to run during config loading.
Backend registry + uniform resolution for ISecretBackend implementations.
Consumers depend on this ns + protocols.clj. They never need to know
which concrete backend (`pass`, `bw`, `op`, `vault`, `age`) is in use.
## Workflow
1. At process boot, register the backends you need:
(registry/register! (pass/make-pass-backend))
(registry/register! (bw/make-bw-backend {:session ...}))
2. At call sites, resolve via a SecretRef map:
(registry/fetch {:backend :pass :key "vps/r1/root"})
(registry/fetch {:backend :pass :key "vps/r1/ip" :opts {:line-only? true}})
Returns Result<Secret>.
## SecretRef shape
{:backend <keyword> ;; backend-id (e.g. :pass, :bw)
:key <string> ;; opaque key passed to the backend
:opts <map?>} ;; optional per-fetch opts
## Validation
`validate-ref` checks structure WITHOUT touching the backend — pure,
safe to run during config loading.(backend id)Look up a registered backend by id. Returns Result<ISecretBackend>.
Look up a registered backend by id. Returns Result<ISecretBackend>.
(fetch ref)Resolve a SecretRef to a Secret. Returns Result<Secret>.
Validates the ref structure, looks up the backend, and dispatches. Any of these stages can short-circuit with an err result.
Resolve a SecretRef to a Secret. Returns Result<Secret>. Validates the ref structure, looks up the backend, and dispatches. Any of these stages can short-circuit with an err result.
(register! backend)Register a backend instance under its backend-id. Returns the backend (for fluent registration chains). Overwrites any existing registration with the same id.
Register a backend instance under its backend-id. Returns the backend (for fluent registration chains). Overwrites any existing registration with the same id.
(registered)Return a map of {backend-id → backend} for all currently registered backends. Snapshot — safe to inspect.
Return a map of {backend-id → backend} for all currently registered
backends. Snapshot — safe to inspect.(unregister! id)Remove a backend by id. Returns the previously-registered backend or nil. Useful for tests.
Remove a backend by id. Returns the previously-registered backend or nil. Useful for tests.
(validate-ref {:keys [backend key opts] :as ref})Pure: validate a SecretRef map without resolving anything. Returns (ok ref) or (err :secrets/invalid-ref ...).
Pure: validate a SecretRef map without resolving anything. Returns (ok ref) or (err :secrets/invalid-ref ...).
cljdoc builds & hosts documentation for Clojure/Script libraries
| Ctrl+k | Jump to recent docs |
| ← | Move to previous article |
| → | Move to next article |
| Ctrl+/ | Jump to the search field |