{
  "$defs": {
    "AgentConfig": {
      "description": "Top-level defaults for ``secretzero agent sync`` (CLI and API).",
      "properties": {
        "mode": {
          "$ref": "#/$defs/AgentMode",
          "default": "auto",
          "description": "Preferred workflow: auto (best effort), human (instructions only), or web (local form)"
        },
        "web_port_min": {
          "default": 49152,
          "description": "Lower bound (inclusive) for the temporary localhost web UI",
          "maximum": 65535,
          "minimum": 1024,
          "title": "Web Port Min",
          "type": "integer"
        },
        "web_port_max": {
          "default": 65535,
          "description": "Upper bound (inclusive) for the temporary localhost web UI",
          "maximum": 65535,
          "minimum": 1024,
          "title": "Web Port Max",
          "type": "integer"
        }
      },
      "title": "AgentConfig",
      "type": "object"
    },
    "AgentInstructionStep": {
      "description": "Single step in agent instruction workflow.",
      "properties": {
        "action": {
          "description": "Action to perform (CLI command, URL, or description)",
          "title": "Action",
          "type": "string"
        },
        "description": {
          "description": "Human-readable context for the action",
          "title": "Description",
          "type": "string"
        },
        "params": {
          "anyOf": [
            {
              "additionalProperties": true,
              "type": "object"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "description": "Optional parameters for API calls",
          "title": "Params"
        },
        "required": {
          "default": true,
          "description": "Whether this step is required or optional",
          "title": "Required",
          "type": "boolean"
        }
      },
      "required": [
        "action",
        "description"
      ],
      "title": "AgentInstructionStep",
      "type": "object"
    },
    "AgentInstructions": {
      "description": "Instructions for agents to obtain a secret.",
      "properties": {
        "summary": {
          "description": "Brief overview of the acquisition process",
          "title": "Summary",
          "type": "string"
        },
        "steps": {
          "description": "Step-by-step instructions",
          "items": {
            "$ref": "#/$defs/AgentInstructionStep"
          },
          "title": "Steps",
          "type": "array"
        },
        "prerequisites": {
          "anyOf": [
            {
              "items": {
                "type": "string"
              },
              "type": "array"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "description": "Requirements before starting",
          "title": "Prerequisites"
        },
        "automation_hint": {
          "anyOf": [
            {
              "type": "string"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "description": "Guidance on automation feasibility",
          "title": "Automation Hint"
        },
        "estimated_time": {
          "anyOf": [
            {
              "type": "string"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "description": "Expected time to complete",
          "title": "Estimated Time"
        },
        "fallback": {
          "anyOf": [
            {
              "type": "string"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "description": "What to do if automation fails",
          "title": "Fallback"
        },
        "required_tools": {
          "anyOf": [
            {
              "items": {
                "type": "string"
              },
              "type": "array"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "description": "CLI tools or dependencies needed",
          "title": "Required Tools"
        },
        "documentation_url": {
          "anyOf": [
            {
              "type": "string"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "description": "Link to official documentation",
          "title": "Documentation Url"
        }
      },
      "required": [
        "summary",
        "steps"
      ],
      "title": "AgentInstructions",
      "type": "object"
    },
    "AgentMode": {
      "description": "How the unified ``agent sync`` workflow should obtain manual secrets.",
      "enum": [
        "auto",
        "human",
        "web"
      ],
      "title": "AgentMode",
      "type": "string"
    },
    "AnthropicConfig": {
      "description": "Configuration for the Anthropic (Claude) LLM provider.",
      "properties": {
        "api_key": {
          "anyOf": [
            {
              "type": "string"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "description": "Anthropic API key (prefer ANTHROPIC_API_KEY env var)",
          "title": "Api Key"
        },
        "model": {
          "default": "claude-3-5-sonnet-20241022",
          "description": "Anthropic model name",
          "title": "Model",
          "type": "string"
        },
        "timeout": {
          "default": 120,
          "description": "Request timeout in seconds",
          "exclusiveMinimum": 0,
          "title": "Timeout",
          "type": "integer"
        },
        "temperature": {
          "default": 0.7,
          "maximum": 1.0,
          "minimum": 0.0,
          "title": "Temperature",
          "type": "number"
        },
        "max_tokens": {
          "default": 4096,
          "exclusiveMinimum": 0,
          "title": "Max Tokens",
          "type": "integer"
        }
      },
      "title": "AnthropicConfig",
      "type": "object"
    },
    "AppConfig": {
      "description": "Application config block: Secretfile root ``config`` key or ``~/.config/secretzero/config.yml``.\n\nSame shape as the mergeable app config (llm, discovery, output). Used for\ncentralized configuration resolution: defaults \u2190 config.yml \u2190 Secretfile.config.",
      "properties": {
        "llm": {
          "$ref": "#/$defs/LLMConfig"
        },
        "discovery": {
          "$ref": "#/$defs/DiscoveryConfig"
        },
        "output": {
          "$ref": "#/$defs/OutputConfig"
        }
      },
      "title": "AppConfig",
      "type": "object"
    },
    "AuthKind": {
      "description": "Authentication kind for providers.",
      "enum": [
        "ambient",
        "token",
        "assume_role",
        "static",
        "default",
        "service_principal",
        "managed_identity",
        "cli",
        "profile"
      ],
      "title": "AuthKind",
      "type": "string"
    },
    "AuthProfile": {
      "description": "Authentication profile configuration.",
      "properties": {
        "kind": {
          "$ref": "#/$defs/AuthKind"
        },
        "config": {
          "additionalProperties": true,
          "title": "Config",
          "type": "object"
        }
      },
      "required": [
        "kind"
      ],
      "title": "AuthProfile",
      "type": "object"
    },
    "AzureOpenAIConfig": {
      "description": "Configuration for Azure-hosted OpenAI models.",
      "properties": {
        "api_key": {
          "anyOf": [
            {
              "type": "string"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "description": "Azure OpenAI API key (prefer AZURE_OPENAI_API_KEY env var)",
          "title": "Api Key"
        },
        "endpoint": {
          "anyOf": [
            {
              "type": "string"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "description": "Azure OpenAI endpoint URL (prefer AZURE_OPENAI_ENDPOINT env var)",
          "title": "Endpoint"
        },
        "deployment": {
          "anyOf": [
            {
              "type": "string"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "description": "Azure deployment name (prefer AZURE_OPENAI_DEPLOYMENT env var)",
          "title": "Deployment"
        },
        "api_version": {
          "default": "2024-02-15-preview",
          "description": "Azure OpenAI API version",
          "title": "Api Version",
          "type": "string"
        },
        "timeout": {
          "default": 120,
          "exclusiveMinimum": 0,
          "title": "Timeout",
          "type": "integer"
        },
        "temperature": {
          "default": 0.7,
          "maximum": 1.0,
          "minimum": 0.0,
          "title": "Temperature",
          "type": "number"
        },
        "max_tokens": {
          "default": 4096,
          "exclusiveMinimum": 0,
          "title": "Max Tokens",
          "type": "integer"
        }
      },
      "title": "AzureOpenAIConfig",
      "type": "object"
    },
    "DiscoveryConfig": {
      "description": "Settings that control the AI-powered secret discovery process.",
      "properties": {
        "allow_script_execution": {
          "default": false,
          "description": "Enable/disable external script execution during discovery",
          "title": "Allow Script Execution",
          "type": "boolean"
        },
        "confidence_threshold": {
          "default": 0.6,
          "description": "Minimum confidence score to include a secret in the output",
          "maximum": 1.0,
          "minimum": 0.0,
          "title": "Confidence Threshold",
          "type": "number"
        },
        "max_files": {
          "default": 1000,
          "description": "Maximum number of files to scan",
          "exclusiveMinimum": 0,
          "title": "Max Files",
          "type": "integer"
        },
        "include_patterns": {
          "description": "Glob patterns for files to include in the scan",
          "items": {
            "type": "string"
          },
          "title": "Include Patterns",
          "type": "array"
        },
        "exclude_patterns": {
          "description": "Glob patterns for files to exclude from the scan",
          "items": {
            "type": "string"
          },
          "title": "Exclude Patterns",
          "type": "array"
        },
        "script_url": {
          "anyOf": [
            {
              "type": "string"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "description": "URL for an external secret-detection script (optional)",
          "title": "Script Url"
        }
      },
      "title": "DiscoveryConfig",
      "type": "object"
    },
    "EnvironmentProfile": {
      "description": "Named environment lane configuration.",
      "properties": {
        "var_files": {
          "description": "Default .szvar files for this lane (later entries win).",
          "items": {
            "type": "string"
          },
          "title": "Var Files",
          "type": "array"
        },
        "lockfile": {
          "anyOf": [
            {
              "type": "string"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "description": "Default lockfile path for this lane.",
          "title": "Lockfile"
        },
        "target_profile": {
          "anyOf": [
            {
              "type": "string"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "description": "Optional target profile applied for this lane.",
          "title": "Target Profile"
        },
        "labels": {
          "additionalProperties": true,
          "description": "Optional metadata labels for UI and automation.",
          "title": "Labels",
          "type": "object"
        }
      },
      "title": "EnvironmentProfile",
      "type": "object"
    },
    "EnvironmentsConfig": {
      "description": "Top-level environment lane map.",
      "properties": {
        "default": {
          "anyOf": [
            {
              "type": "string"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "description": "Default lane name used when no explicit environment is selected.",
          "title": "Default"
        },
        "profiles": {
          "additionalProperties": {
            "$ref": "#/$defs/EnvironmentProfile"
          },
          "description": "Named environment profiles keyed by lane name.",
          "title": "Profiles",
          "type": "object"
        }
      },
      "title": "EnvironmentsConfig",
      "type": "object"
    },
    "GeneratorConfig": {
      "description": "Generator configuration for secret values.",
      "properties": {
        "kind": {
          "$ref": "#/$defs/GeneratorKind"
        },
        "config": {
          "additionalProperties": true,
          "title": "Config",
          "type": "object"
        }
      },
      "required": [
        "kind"
      ],
      "title": "GeneratorConfig",
      "type": "object"
    },
    "GeneratorKind": {
      "description": "Generator kind for secret values.\n\nThis enum is intentionally *open*: unknown string values passed by\nthird-party bundles are accepted at runtime via :meth:`_missing_`\ninstead of raising a ``ValueError``.  Built-in kinds are enumerated\nbelow; bundle authors may declare any additional string as a kind.",
      "enum": [
        "static",
        "azure_app_reg",
        "entra-agent-blueprint",
        "random_password",
        "random_string",
        "script",
        "api",
        "provider_backed",
        "github_pat"
      ],
      "title": "GeneratorKind",
      "type": "string"
    },
    "LLMConfig": {
      "description": "Top-level LLM configuration for AI-powered features.",
      "properties": {
        "default_provider": {
          "default": "ollama",
          "description": "Default LLM provider: ollama, openai, anthropic, azure_openai",
          "title": "Default Provider",
          "type": "string"
        },
        "providers": {
          "$ref": "#/$defs/LLMProviders"
        }
      },
      "title": "LLMConfig",
      "type": "object"
    },
    "LLMProviders": {
      "description": "Configures all available LLM provider backends.",
      "properties": {
        "ollama": {
          "$ref": "#/$defs/OllamaConfig"
        },
        "openai": {
          "$ref": "#/$defs/OpenAIConfig"
        },
        "anthropic": {
          "$ref": "#/$defs/AnthropicConfig"
        },
        "azure_openai": {
          "$ref": "#/$defs/AzureOpenAIConfig"
        }
      },
      "title": "LLMProviders",
      "type": "object"
    },
    "Metadata": {
      "description": "Metadata about the secrets configuration.",
      "properties": {
        "project": {
          "anyOf": [
            {
              "type": "string"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "title": "Project"
        },
        "owner": {
          "anyOf": [
            {
              "type": "string"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "title": "Owner"
        },
        "environments": {
          "items": {
            "type": "string"
          },
          "title": "Environments",
          "type": "array"
        },
        "compliance": {
          "items": {
            "type": "string"
          },
          "title": "Compliance",
          "type": "array"
        }
      },
      "title": "Metadata",
      "type": "object"
    },
    "OllamaConfig": {
      "description": "Configuration for a locally-hosted Ollama LLM server.",
      "properties": {
        "base_url": {
          "default": "http://localhost:11434",
          "description": "Base URL for the Ollama server",
          "title": "Base Url",
          "type": "string"
        },
        "model": {
          "default": "llama3.2:3b",
          "description": "Default model name for general tasks",
          "title": "Model",
          "type": "string"
        },
        "reasoning_model": {
          "anyOf": [
            {
              "type": "string"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "description": "Model name for reasoning-intensive tasks (optional)",
          "title": "Reasoning Model"
        },
        "timeout": {
          "default": 120,
          "description": "Request timeout in seconds",
          "exclusiveMinimum": 0,
          "title": "Timeout",
          "type": "integer"
        },
        "temperature": {
          "default": 0.7,
          "description": "Generation temperature (0.0\u20131.0)",
          "maximum": 1.0,
          "minimum": 0.0,
          "title": "Temperature",
          "type": "number"
        },
        "max_tokens": {
          "default": 4096,
          "description": "Maximum number of tokens to generate",
          "exclusiveMinimum": 0,
          "title": "Max Tokens",
          "type": "integer"
        }
      },
      "title": "OllamaConfig",
      "type": "object"
    },
    "OpenAIConfig": {
      "description": "Configuration for the OpenAI LLM provider.",
      "properties": {
        "api_key": {
          "anyOf": [
            {
              "type": "string"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "description": "OpenAI API key (prefer OPENAI_API_KEY env var)",
          "title": "Api Key"
        },
        "model": {
          "default": "gpt-4o-mini",
          "description": "OpenAI model name",
          "title": "Model",
          "type": "string"
        },
        "organization": {
          "anyOf": [
            {
              "type": "string"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "description": "OpenAI organisation ID (optional)",
          "title": "Organization"
        },
        "timeout": {
          "default": 120,
          "description": "Request timeout in seconds",
          "exclusiveMinimum": 0,
          "title": "Timeout",
          "type": "integer"
        },
        "temperature": {
          "default": 0.7,
          "maximum": 1.0,
          "minimum": 0.0,
          "title": "Temperature",
          "type": "number"
        },
        "max_tokens": {
          "default": 4096,
          "exclusiveMinimum": 0,
          "title": "Max Tokens",
          "type": "integer"
        }
      },
      "title": "OpenAIConfig",
      "type": "object"
    },
    "OutputConfig": {
      "description": "Output formatting preferences.",
      "properties": {
        "format": {
          "default": "text",
          "description": "Default output format: text, json, yaml",
          "title": "Format",
          "type": "string"
        },
        "verbosity": {
          "default": 1,
          "description": "Verbosity level (0 = quiet, 3 = very verbose)",
          "maximum": 3,
          "minimum": 0,
          "title": "Verbosity",
          "type": "integer"
        },
        "color": {
          "default": true,
          "description": "Enable colour output",
          "title": "Color",
          "type": "boolean"
        }
      },
      "title": "OutputConfig",
      "type": "object"
    },
    "Provider": {
      "description": "Provider configuration for secret sources and targets.",
      "properties": {
        "kind": {
          "anyOf": [
            {
              "type": "string"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "title": "Kind"
        },
        "auth": {
          "anyOf": [
            {
              "$ref": "#/$defs/ProviderAuth"
            },
            {
              "type": "null"
            }
          ],
          "default": null
        },
        "config": {
          "additionalProperties": true,
          "title": "Config",
          "type": "object"
        },
        "fallback_generator": {
          "anyOf": [
            {
              "type": "string"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "title": "Fallback Generator"
        }
      },
      "title": "Provider",
      "type": "object"
    },
    "ProviderAuth": {
      "description": "Provider authentication configuration.",
      "properties": {
        "kind": {
          "anyOf": [
            {
              "$ref": "#/$defs/AuthKind"
            },
            {
              "type": "null"
            }
          ],
          "default": null
        },
        "config": {
          "additionalProperties": true,
          "title": "Config",
          "type": "object"
        },
        "fallback_generator": {
          "anyOf": [
            {
              "type": "string"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "title": "Fallback Generator"
        },
        "profiles": {
          "additionalProperties": {
            "$ref": "#/$defs/AuthProfile"
          },
          "title": "Profiles",
          "type": "object"
        }
      },
      "title": "ProviderAuth",
      "type": "object"
    },
    "Secret": {
      "description": "Secret definition.",
      "properties": {
        "name": {
          "title": "Name",
          "type": "string"
        },
        "kind": {
          "title": "Kind",
          "type": "string"
        },
        "vars": {
          "additionalProperties": true,
          "title": "Vars",
          "type": "object"
        },
        "source": {
          "anyOf": [
            {
              "$ref": "#/$defs/SecretSource"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "description": "Optional non-human source resolved before generator execution. When omitted, generation flow behaves as before."
        },
        "config": {
          "additionalProperties": true,
          "title": "Config",
          "type": "object"
        },
        "one_time": {
          "default": false,
          "title": "One Time",
          "type": "boolean"
        },
        "rotation_period": {
          "anyOf": [
            {
              "type": "string"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "title": "Rotation Period"
        },
        "targets": {
          "items": {
            "$ref": "#/$defs/TargetConfig"
          },
          "title": "Targets",
          "type": "array"
        },
        "agent_instructions": {
          "anyOf": [
            {
              "$ref": "#/$defs/AgentInstructions"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "description": "Instructions for agents to obtain this secret"
        },
        "process_tags": {
          "description": "Optional labels that associate this secret with execution flows / processes (e.g. auth_flow, payment_gateway) for graph tooling and policy filtering.",
          "items": {
            "type": "string"
          },
          "title": "Process Tags",
          "type": "array"
        }
      },
      "required": [
        "name",
        "kind"
      ],
      "title": "Secret",
      "type": "object"
    },
    "SecretSource": {
      "description": "Optional non-human source for resolving a secret value.",
      "properties": {
        "kind": {
          "$ref": "#/$defs/SecretSourceKind"
        },
        "required": {
          "default": true,
          "description": "If true, sync fails when the source cannot resolve. If false, generation flow is attempted as fallback.",
          "title": "Required",
          "type": "boolean"
        },
        "config": {
          "additionalProperties": true,
          "description": "Source-specific configuration. file: {path, format? (dotenv|json|yaml|toml|tfvars), key?, encoding?}; env: {name, trim?}; secret_ref: {secret, field?}; provider_read: {provider, kind, read, field?, profile?, method?}.",
          "title": "Config",
          "type": "object"
        }
      },
      "required": [
        "kind"
      ],
      "title": "SecretSource",
      "type": "object"
    },
    "SecretSourceKind": {
      "description": "Non-human source kinds for resolving secret values.",
      "enum": [
        "file",
        "env",
        "secret_ref",
        "provider_read"
      ],
      "title": "SecretSourceKind",
      "type": "string"
    },
    "TargetConfig": {
      "description": "Target storage configuration.",
      "properties": {
        "provider": {
          "title": "Provider",
          "type": "string"
        },
        "kind": {
          "anyOf": [
            {
              "$ref": "#/$defs/TargetKind"
            },
            {
              "type": "string"
            }
          ],
          "title": "Kind"
        },
        "config": {
          "additionalProperties": true,
          "title": "Config",
          "type": "object"
        },
        "identity_policies": {
          "description": "Optional names of root `policies` entries with `kind: provider_identity` to enforce when this target participates in sync (in addition to policies that already apply via `providers:` overlap).",
          "items": {
            "type": "string"
          },
          "title": "Identity Policies",
          "type": "array"
        }
      },
      "required": [
        "provider",
        "kind"
      ],
      "title": "TargetConfig",
      "type": "object"
    },
    "TargetKind": {
      "description": "Target storage kind.\n\nThis enum is intentionally *open*: unknown string values passed by\nthird-party bundles are accepted at runtime via :meth:`_missing_`\ninstead of raising a ``ValueError``.  Built-in kinds are enumerated\nbelow; bundle authors may declare any additional string as a kind.",
      "enum": [
        "file",
        "template",
        "ssm_parameter",
        "secrets_manager",
        "vault_kv",
        "azure_keyvault",
        "kubernetes_secret",
        "github_secret",
        "gitlab_variable",
        "jenkins_credential"
      ],
      "title": "TargetKind",
      "type": "string"
    },
    "TargetProfile": {
      "description": "Reusable target defaults/overrides applied by environment lane.",
      "properties": {
        "identity_policies": {
          "description": "Identity policies applied by default to lane targets.",
          "items": {
            "type": "string"
          },
          "title": "Identity Policies",
          "type": "array"
        },
        "provider_overrides": {
          "additionalProperties": {
            "additionalProperties": true,
            "type": "object"
          },
          "description": "Provider alias keyed overrides merged into target config.",
          "title": "Provider Overrides",
          "type": "object"
        },
        "target_overrides": {
          "additionalProperties": {
            "additionalProperties": true,
            "type": "object"
          },
          "description": "Target kind keyed overrides merged into target config.",
          "title": "Target Overrides",
          "type": "object"
        }
      },
      "title": "TargetProfile",
      "type": "object"
    },
    "Template": {
      "description": "Secret template definition.",
      "properties": {
        "description": {
          "title": "Description",
          "type": "string"
        },
        "fields": {
          "additionalProperties": {
            "$ref": "#/$defs/TemplateField"
          },
          "title": "Fields",
          "type": "object"
        },
        "targets": {
          "items": {
            "$ref": "#/$defs/TargetConfig"
          },
          "title": "Targets",
          "type": "array"
        }
      },
      "required": [
        "description",
        "fields"
      ],
      "title": "Template",
      "type": "object"
    },
    "TemplateField": {
      "description": "Template field definition.",
      "properties": {
        "description": {
          "title": "Description",
          "type": "string"
        },
        "generator": {
          "$ref": "#/$defs/GeneratorConfig"
        },
        "targets": {
          "items": {
            "$ref": "#/$defs/TargetConfig"
          },
          "title": "Targets",
          "type": "array"
        }
      },
      "required": [
        "description",
        "generator"
      ],
      "title": "TemplateField",
      "type": "object"
    },
    "PolicySeverity": {
      "description": "Policy violation severity.",
      "enum": [
        "error",
        "warning",
        "info"
      ],
      "title": "PolicySeverity",
      "type": "string"
    },
    "ProviderIdentityRule": {
      "additionalProperties": false,
      "description": "Single rule matched against :meth:`~secretzero.providers.base.BaseProvider.get_actor_info`.",
      "properties": {
        "field": {
          "description": "Dotted path into the actor dict (e.g. `account`, `arn`, `scopes`).",
          "title": "Field",
          "type": "string"
        },
        "glob": {
          "anyOf": [
            {
              "type": "string"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "description": "``fnmatchcase`` pattern applied to the string form of a scalar field value.",
          "title": "Glob"
        },
        "regex": {
          "anyOf": [
            {
              "type": "string"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "description": "``re.fullmatch`` pattern for a scalar field (mutually exclusive with glob).",
          "title": "Regex"
        },
        "any_glob": {
          "anyOf": [
            {
              "items": {
                "type": "string"
              },
              "type": "array"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "description": "For list-valued fields: true if at least one element matches at least one pattern (``fnmatchcase``).",
          "title": "Any Glob"
        },
        "all_glob": {
          "anyOf": [
            {
              "items": {
                "type": "string"
              },
              "type": "array"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "description": "For list-valued fields: true if every element matches at least one of these patterns.",
          "title": "All Glob"
        }
      },
      "required": [
        "field"
      ],
      "title": "ProviderIdentityRule",
      "type": "object"
    },
    "ProviderIdentityPolicy": {
      "additionalProperties": false,
      "description": "Require provider authentication identity to match before sync proceeds.",
      "properties": {
        "kind": {
          "const": "provider_identity",
          "default": "provider_identity",
          "title": "Kind",
          "type": "string"
        },
        "name": {
          "title": "Name",
          "type": "string"
        },
        "description": {
          "anyOf": [
            {
              "type": "string"
            },
            {
              "type": "null"
            }
          ],
          "default": null,
          "title": "Description"
        },
        "enabled": {
          "default": true,
          "title": "Enabled",
          "type": "boolean"
        },
        "severity": {
          "$ref": "#/$defs/PolicySeverity",
          "default": "error"
        },
        "providers": {
          "description": "Provider instance aliases (YAML keys under `providers:`) this policy applies to.",
          "items": {
            "type": "string"
          },
          "minItems": 1,
          "title": "Providers",
          "type": "array"
        },
        "match": {
          "default": "all",
          "description": "Whether every rule must pass (`all`) or at least one (`any`).",
          "enum": [
            "all",
            "any"
          ],
          "title": "Match",
          "type": "string"
        },
        "rules": {
          "description": "Rules evaluated against `get_actor_info()` for each listed provider.",
          "items": {
            "$ref": "#/$defs/ProviderIdentityRule"
          },
          "minItems": 1,
          "title": "Rules",
          "type": "array"
        }
      },
      "required": [
        "name",
        "providers",
        "rules"
      ],
      "title": "ProviderIdentityPolicy",
      "type": "object"
    }
  },
  "description": "Root configuration model for Secretfile.yml.",
  "properties": {
    "variables": {
      "additionalProperties": true,
      "title": "Variables",
      "type": "object"
    },
    "metadata": {
      "anyOf": [
        {
          "$ref": "#/$defs/Metadata"
        },
        {
          "type": "null"
        }
      ],
      "default": null
    },
    "environments": {
      "anyOf": [
        {
          "$ref": "#/$defs/EnvironmentsConfig"
        },
        {
          "type": "null"
        }
      ],
      "default": null,
      "description": "Optional multi-environment lane map with defaults for var files and lockfile."
    },
    "target_profiles": {
      "additionalProperties": {
        "$ref": "#/$defs/TargetProfile"
      },
      "description": "Reusable target defaults selected by environment profile.",
      "title": "Target Profiles",
      "type": "object"
    },
    "providers": {
      "additionalProperties": {
        "$ref": "#/$defs/Provider"
      },
      "title": "Providers",
      "type": "object"
    },
    "secrets": {
      "items": {
        "$ref": "#/$defs/Secret"
      },
      "title": "Secrets",
      "type": "array"
    },
    "templates": {
      "additionalProperties": {
        "$ref": "#/$defs/Template"
      },
      "title": "Templates",
      "type": "object"
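    },
    "policies": {
      "additionalProperties": true,
      "description": "Optional policy definitions. Supported `kind` values include `rotation`, `compliance`, `access`, and `provider_identity` (restrict sync to matching provider authentication; see schema $defs ProviderIdentityPolicy). Because this property accepts arbitrary entries (`additionalProperties` is true), this schema does not itself validate a policy entry against ProviderIdentityPolicy.",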
      "title": "Policies",
      "type": "object"
    },
    "labels": {
      "additionalProperties": true,
      "title": "Labels",
      "type": "object"
    },
    "annotations": {
      "additionalProperties": true,
      "title": "Annotations",
      "type": "object"
    },
    "config": {
      "anyOf": [
        {
          "$ref": "#/$defs/AppConfig"
        },
        {
          "type": "null"
        }
      ],
      "default": null,
      "description": "Optional centralized app config (LLM, discovery, output); overrides config.yml and defaults"
    },
    "agent": {
      "anyOf": [
        {
          "$ref": "#/$defs/AgentConfig"
        },
        {
          "type": "null"
        }
      ],
      "default": null,
      "description": "Defaults for unified agent sync (CLI and API): mode and optional web UI port range"
    }
  },
  "title": "Secretfile",
  "type": "object"
}