getnora-io
diff --git a/‎ROADMAP_SECRETS.md‎
Lines changed: 309 additions & 0 deletions b/‎ROADMAP_SECRETS.md‎
Lines changed: 309 additions & 0 deletions
@@ -0,0 +1,309 @@
+# NORA Secrets Management Roadmap
+
+## Overview
+
+Trait-based secrets architecture for secure credential management.
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│                    SecretsProvider Trait                     │
+├─────────────────────────────────────────────────────────────┤
+│  get_secret(key) -> ProtectedString                         │
+│  get_secret_optional(key) -> Option<ProtectedString>        │
+│  provider_name() -> &'static str                            │
+└─────────────────────────────────────────────────────────────┘
+                              │
+         ┌────────────────────┼────────────────────┐
+         │                    │                    │
+         ▼                    ▼                    ▼
+   ┌──────────┐        ┌──────────┐        ┌──────────┐
+   │   ENV    │        │   AWS    │        │  Vault   │
+   │ Provider │        │ Secrets  │        │ Provider │
+   │  v0.3.0  │        │  v0.4.0  │        │  v0.5.0  │
+   └──────────┘        └──────────┘        └──────────┘
+```
+
+---
+
+## Phase 1: ENV Provider (v0.3.0) ✅ DONE
+
+### Features
+- [x] SecretsProvider trait
+- [x] EnvProvider implementation
+- [x] ProtectedString with zeroize
+- [x] Redacted Debug impl
+- [x] SecretsConfig in config.toml
+- [x] ENV overrides
+- [x] 16 unit tests
+
+### Files
+```
+nora-registry/src/secrets/
+├── mod.rs          # Trait + factory
+├── env.rs          # EnvProvider
+└── protected.rs    # ProtectedString, S3Credentials
+```
+
+### Config
+```toml
+[secrets]
+provider = "env"
+clear_env = false
+```
+
+### ENV Variables
+```bash
+NORA_SECRETS_PROVIDER=env
+NORA_SECRETS_CLEAR_ENV=false
+```
+
+---
+
+## Phase 2: AWS + K8s (v0.4.0)
+
+### AWS Secrets Manager
+
+```rust
+// src/secrets/aws.rs
+pub struct AwsSecretsProvider {
+    client: SecretsManagerClient,
+    secret_name: String,
+    region: String,
+}
+
+#[async_trait]
+impl SecretsProvider for AwsSecretsProvider {
+    async fn get_secret(&self, key: &str) -> Result<ProtectedString, SecretsError> {
+        let response = self.client
+            .get_secret_value()
+            .secret_id(&self.secret_name)
+            .send()
+            .await?;
+
+        let secrets: HashMap<String, String> =
+            serde_json::from_str(&response.secret_string.unwrap())?;
+
+        secrets.get(key)
+            .map(|v| ProtectedString::new(v.clone()))
+            .ok_or_else(|| SecretsError::NotFound(key.to_string()))
+    }
+}
+```
+
+### Config
+```toml
+[secrets]
+provider = "aws-secrets"
+
+[secrets.aws]
+secret_name = "nora/production"
+region = "us-east-1"
+```
+
+### Kubernetes Secrets
+
+```rust
+// src/secrets/k8s.rs
+pub struct K8sSecretsProvider {
+    mount_path: PathBuf,
+}
+
+#[async_trait]
+impl SecretsProvider for K8sSecretsProvider {
+    async fn get_secret(&self, key: &str) -> Result<ProtectedString, SecretsError> {
+        let path = self.mount_path.join(key);
+        let value = tokio::fs::read_to_string(&path)
+            .await
+            .map_err(|_| SecretsError::NotFound(key.to_string()))?;
+        Ok(ProtectedString::new(value.trim().to_string()))
+    }
+}
+```
+
+### Config
+```toml
+[secrets]
+provider = "k8s"
+
+[secrets.k8s]
+mount_path = "/var/run/secrets/nora"
+```
+
+### Kubernetes Deployment
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: nora-secrets
+type: Opaque
+data:
+  AWS_ACCESS_KEY_ID: QUtJQS4uLg==
+  AWS_SECRET_ACCESS_KEY: d0phbHIuLi4=
+---
+apiVersion: apps/v1
+kind: Deployment
+spec:
+  template:
+    spec:
+      containers:
+      - name: nora
+        volumeMounts:
+        - name: secrets
+          mountPath: /var/run/secrets/nora
+          readOnly: true
+      volumes:
+      - name: secrets
+        secret:
+          secretName: nora-secrets
+```
+
+### Tasks
+- [ ] Add `aws-sdk-secretsmanager` dependency
+- [ ] Implement AwsSecretsProvider
+- [ ] Implement K8sSecretsProvider
+- [ ] Add auto-refresh for rotation
+- [ ] Integration tests with localstack
+- [ ] Update factory function
+- [ ] Documentation
+
+---
+
+## Phase 3: HashiCorp Vault (v0.5.0+)
+
+### Vault Provider
+
+```rust
+// src/secrets/vault.rs
+pub struct VaultProvider {
+    client: VaultClient,
+    mount_path: String,
+    secret_path: String,
+}
+
+#[async_trait]
+impl SecretsProvider for VaultProvider {
+    async fn get_secret(&self, key: &str) -> Result<ProtectedString, SecretsError> {
+        let secret: HashMap<String, String> = self.client
+            .kv2(&self.mount_path)
+            .read(&format!("{}/{}", self.secret_path, key))
+            .await?;
+
+        secret.get("value")
+            .map(|v| ProtectedString::new(v.clone()))
+            .ok_or_else(|| SecretsError::NotFound(key.to_string()))
+    }
+}
+```
+
+### Auth Methods
+
+**Kubernetes Auth:**
+```rust
+let jwt = tokio::fs::read_to_string(
+    "/var/run/secrets/kubernetes.io/serviceaccount/token"
+).await?;
+
+client.auth().kubernetes(&role, &jwt).await?;
+```
+
+**AppRole Auth:**
+```rust
+let role_id = env::var("VAULT_ROLE_ID")?;
+let secret_id = env::var("VAULT_SECRET_ID")?;
+
+client.auth().approle(&role_id, &secret_id).await?;
+```
+
+### Config
+```toml
+[secrets]
+provider = "vault"
+
+[secrets.vault]
+address = "https://vault.company.com"
+mount_path = "secret"
+secret_path = "nora/production"
+auth_method = "kubernetes"  # or "approle", "token"
+role = "nora-production"
+```
+
+### Tasks
+- [ ] Add `vaultrs` dependency
+- [ ] Implement VaultProvider
+- [ ] Kubernetes auth
+- [ ] AppRole auth
+- [ ] Token auth
+- [ ] Lease renewal
+- [ ] Integration tests
+- [ ] Documentation
+
+---
+
+## Security Checklist
+
+### Code
+- [x] Zeroize for all secrets (ProtectedString)
+- [x] Redacted Debug impl
+- [x] No secret logging
+- [x] Clear ENV after read option
+- [ ] TLS verification for Vault/AWS
+
+### Deployment
+- [x] .gitignore for secrets
+- [ ] Kubernetes Secrets encrypted at rest
+- [ ] AWS KMS for Secrets Manager
+- [ ] Least privilege IAM/RBAC
+- [ ] Audit logging
+
+---
+
+## Comparison
+
+| Provider | Complexity | Security | Use Case |
+|----------|------------|----------|----------|
+| ENV | Low | Medium | Dev, small prod |
+| AWS Secrets | Medium | High | AWS infrastructure |
+| K8s Secrets | Medium | Good | Kubernetes |
+| Vault | High | Maximum | Enterprise |
+
+---
+
+## NOT Implementing
+
+### Vault Sidecar Pattern
+- Too complex (90% teams do it wrong)
+- NORA uses native Vault client instead
+- Simpler deployment
+
+### Custom Secrets Manager (СЕВА)
+- Focus on NORA core first
+- May add later if demand exists
+
+---
+
+## Timeline
+
+| Phase | Version | ETA |
+|-------|---------|-----|
+| ENV Provider | v0.3.0 | ✅ Done |
+| AWS + K8s | v0.4.0 | 1-2 weeks |
+| Vault | v0.5.0 | 2-3 weeks |
+
+---
+
+## Expert Panel Recommendations
+
+**Linus Torvalds:**
+> "ENV variables — правильно. Это UNIX way. Но zeroize обязателен."
+
+**Werner Vogels (AWS):**
+> "AWS Secrets Manager интеграция критична для AWS workloads."
+
+**Kelsey Hightower:**
+> "K8s Secrets через volume mount — проще чем sidecar."
+
+**Mitchell Hashimoto:**
+> "Native Vault client лучше sidecar. Проще деплоить."
+
+**DHH:**
+> "95% пользователей используют ENV. Не делайте Vault обязательным."