Release Notes
Added
-
ref: native secret references on secrets: a secret can name one
externally managed secret by its store's own coordinates, instead of
SecretSpec's{project}/{profile}/{key}naming:[profiles.production] DATABASE_URL = { description = "...", ref = { item = "db", field = "password" }, providers = ["prod_op"] }
itemis the store's own name for the secret (1Password item title, Vault
KV path, AWS secret name or ARN,.envkey, environment variable, ...);
optional keys refine it where the store supports them:field(1Password
field label, Vault KV field, AWS JSON key, keyring account),vaultand
section(1Password), andversion(Google Secret Manager). Every provider
resolves refs; coordinates a store has no equivalent for are rejected with a
clear error rather than guessed at.The coordinates supply naming only — which store resolves them follows the
same routing as every other secret (the secret'sproviderschain, the
--provider/SECRETSPEC_PROVIDERoverride, or the default provider). That
means refs compose withprovidersfallback chains, and an explicit
override redirects them like any secret, e.g. at a.envfixtures file
during tests. Writes are symmetric where the backend allows it:
secretspec setandcheckprompting write through the coordinates in
place (1Passwordop item edit, keyring, pass, dotenv, Bitwarden, Proton
Pass, LastPass); Vault, AWS, and GCSM refs are read-only. Secrets sharing
identical coordinates fetch once, and audit events record the coordinates in
a newreffield. Arefalso composes withgenerate: a missing
referenced secret is minted and written straight to its coordinates. -
Inline provider URIs in
providerschains: chain entries that are
already URIs (providers = ["onepassword://Production", "keyring"]) now
pass through without declaring a[providers]alias first.
Changed
- Faster multi-provider resolution:
check,run, and SDK resolution now
group secrets by store and fetch the groups concurrently instead of one
after another; within a group,refsecrets batch through the store's bulk
surface where it has one (AWSBatchGetSecretValue, the single Bitwarden,
Proton Pass, and 1Password listings) and otherwise resolve concurrently,
each unique coordinate fetched once. CLI authentication (1Password,
LastPass, Proton Pass) is probed once per account/session instead of once
per provider instance. - Provider trait speaks one address vocabulary (affects custom providers
built on the Rust library): each provider now compiles SecretSpec's
{project}/{profile}/{key}convention into its native coordinates via a
new requiredconvention_addressmethod, and reads resolve every address
through the same coordinate path arefuses. The convention-only
get_batchmethod is replaced byget_many, which takes addresses and so
batchesrefsecrets too. A provider declares therefcoordinates it
honors withsupported_coordsand the rest are rejected for it, and
allows_setis replaced bycheck_writable, which returns the reason a
write is refused rather than a barefalse. - Manifest validation runs on load: the semantic rules
secretspec.toml
documents (a required secret cannot carry adefault,generateneeds a
type,refcoordinates must be non-empty and non-whitespace) are now
enforced whenever the config is loaded. Configs that silently violated them
previously will now fail with a pointed error.
Fixed
- onepassword: URIs carrying an item path (e.g. the
onepassword://vault/Productionform some older docs showed) previously
discarded the path silently and targeted a vault literally namedvault.
Item paths — including pastedop://vault/item/fieldreferences — now fail
with an error spelling out the exactrefcoordinates to write instead. seton a read-onlyrefreported "Provider '' is read-only and
does not support setting values", which is untrue of Vault, AWS, and GCSM —
they write the conventional layout fine and refuse only refs. The store's own
reason is now shown (e.g. writing one Vault field would clobber the sibling
fields at the same KV path).
Install secretspec 0.14.0
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/cachix/secretspec/releases/download/v0.14.0/secretspec-installer.sh | shDownload secretspec 0.14.0
| File | Platform | Checksum |
|---|---|---|
| secretspec-aarch64-apple-darwin.tar.xz | Apple Silicon macOS | checksum |
| secretspec-x86_64-apple-darwin.tar.xz | Intel macOS | checksum |
| secretspec-x86_64-pc-windows-msvc.zip | x64 Windows | checksum |
| secretspec-aarch64-unknown-linux-gnu.tar.xz | ARM64 Linux | checksum |
| secretspec-x86_64-unknown-linux-gnu.tar.xz | x64 Linux | checksum |