Library surface for [cellos-supervisor] internals that need to be
reachable from integration tests.
The crate is primarily a binary (src/main.rs) — the bulk of the
supervisor lives in modules private to that binary. This lib.rs exposes
only the pieces that integration tests under tests/ need to consume,
starting with resolver_refresh (SEC-21 host-controlled DNS resolver
refresh + drift event emission).
Adding new public modules here is allowed; do not blanket re-export supervisor internals — keep the surface narrow so the binary remains the source of truth for composition.
Re-exports
pub use cellos_host_telemetry as host_telemetry;
Modules
- destruction_evidence - F5 destruction-evidence aggregator (D5 integration).
- dns_proxy - SEAM-1 / L2-04 DNS proxy — forward-only UDP proxy that enforces dnsAuthority.hostnameAllowlist at the DNS protocol layer and emits one per-query CloudEvent for every observed query.
- ebpf_flow - E7-4 — eBPF host-side flow monitor (aya loader + ring-buffer drainer).
- event_signing - EventSink wrapper that signs each emitted CloudEvent (I5).
- linux_cgroup - Helpers that translate spec.run.limits into cgroup v2 controller-file payloads.
- nft_counters - Pure-data parsing + classification of nft list ruleset --json output for FC-38 Phase 1 per-flow network_flow_decision events.
- per_flow - Real-time per-flow network_flow_decision events via nflog.
- resolver_refresh - SEC-21 host-controlled resolver refresh + DNS authority drift detection.
- sni_proxy - SEC-22 Phase 2 SNI-aware egress proxy.
- spec_input - Cell spec path reading (O_NOFOLLOW on Unix) and NATS subject template resolution.
- trust_keyset_load - SEC-25 Phase 2 — supervisor-side wiring of CELLOS_TRUST_VERIFY_KEYS_PATH and CELLOS_TRUST_KEYSET_PATH.