Inklings: a tumblelog

SecretSpec

Current secret management forces applications to answer three questions at once:

  • WHAT - Which secrets does the application need? (DATABASE_URL, API_KEY)
  • HOW - What are the requirements? (required vs optional, defaults, validation, environment)
  • WHERE - Where are these secrets stored? (environment variables, Vault, AWS Secrets Manager)

This coupling creates vendor lock-in, runtime failures, poor developer experience, and inconsistent practices.

SecretSpec solves this by separating secret declaration from secret provisioning. Your application declares what secrets it needs in secretspec.toml, but the actual secret values are retrieved at runtime from your chosen provider - never stored in configuration files.
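The separation described above can be sketched in a few lines. This is an added example, not SecretSpec's own code or its secretspec.toml format: `SecretDecl`, `resolve`, the two providers and the `LOG_LEVEL` entry are hypothetical names chosen for illustration. The declaration carries only names and requirements, and the provider is swapped without touching it.

```python
import os
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class SecretDecl:
    """WHAT and HOW: the name plus its requirements; never a value."""
    name: str
    required: bool = True
    default: Optional[str] = None

# WHERE: a provider is any callable mapping a secret name to a value or None.
Provider = Callable[[str], Optional[str]]

def env_provider(name: str) -> Optional[str]:
    return os.environ.get(name)

def dict_provider(store: dict) -> Provider:
    """Constructed stand-in for a remote store such as Vault."""
    return store.get

class MissingSecrets(Exception):
    def __init__(self, names):
        super().__init__("missing required secrets: " + ", ".join(names))
        self.names = list(names)

def resolve(decls, provider: Provider) -> dict:
    """Resolve every declaration up front so gaps fail at startup, not mid-request."""
    values, missing = {}, []
    for d in decls:
        value = provider(d.name)
        if value is None:
            value = d.default
        if value is None:
            if d.required:
                missing.append(d.name)
            continue
        values[d.name] = value
    if missing:
        raise MissingSecrets(missing)  # names only; values never reach the message
    return values

# Constructed sample declaration; DATABASE_URL and API_KEY are the names used in the text.
DECLS = [
    SecretDecl("DATABASE_URL"),
    SecretDecl("API_KEY", required=False),
    SecretDecl("LOG_LEVEL", required=False, default="info"),
]
```

Calling `resolve(DECLS, env_provider)` and `resolve(DECLS, dict_provider(store))` uses the same declaration against two different stores, and a missing required secret is reported by name in one error before the application starts serving.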