cellos-supervisor 0.5.1

CellOS execution-cell runner — boots cells in Firecracker microVMs or gVisor, enforces narrow typed authority, emits signed CloudEvents.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90

//! Library surface for [`cellos-supervisor`] internals that need to be
//! reachable from integration tests.
//!
//! The crate is primarily a binary (`src/main.rs`) — the bulk of the
//! supervisor lives in modules private to that binary. This `lib.rs` exposes
//! only the pieces that integration tests under `tests/` need to consume,
//! starting with [`resolver_refresh`] (SEC-21 host-controlled DNS resolver
//! refresh + drift event emission).
//!
//! Adding new public modules here is allowed; do not blanket re-export
//! supervisor internals — keep the surface narrow so the binary remains the
//! source of truth for composition.

pub mod destruction_evidence;
pub mod dns_proxy;
pub mod ebpf_flow;
pub mod event_signing;
pub mod linux_cgroup;
pub mod nft_counters;
pub mod per_flow;
pub mod resolver_refresh;
pub mod sni_proxy;
pub mod spec_input;
pub mod trust_keyset_load;

// F1a — Path B host-side probes (`HostProbe` / `ProbeContext` / `emit_reading`)
// and F3b — host-side telemetry receiver (vsock listener + host-stamping +
// agent-silenced detection) both live in the sibling crate
// `cellos-host-telemetry` per ADR-0006 §5.4. Re-exported here as
// `host_telemetry` so supervisor-internal call sites (and integration tests)
// reach a single stable name; F4b's per-cell wiring will land on this alias.
pub use cellos_host_telemetry as host_telemetry;
// E7 will add `#[cfg(target_os = "linux")] pub mod per_flow;` here when nflog
// listener lands (separate slot, anticipated by windows-build hygiene).

/// D7 (security) — minimal test-visible surface for the per-event signing
/// config so an integration test can pin its zeroize posture. The real
/// definition lives in `src/event_signing.rs` (`SigningConfig`, private to
/// the module); this module re-publishes a struct-shape mirror that
/// integration tests can reference without widening the binary's public
/// surface.
///
/// **Not for production callers.** The supervisor uses its own (private)
/// `event_signing::SigningConfig` directly. This mirror exists only so
/// `tests/signing_config_zeroize.rs` can compile-time-assert that the
/// `key_bytes` field is `Zeroizing<Vec<u8>>` and the struct derives
/// `ZeroizeOnDrop`.
///
/// **Honest scope.** This mirror's *posture* (zeroize-on-drop + `key_bytes`
/// wrapped in `Zeroizing<Vec<u8>>`) matches the canonical struct in
/// `event_signing.rs`. The fields here are a STRUCTURAL APPROXIMATION,
/// not a name-for-name copy: the canonical struct carries an
/// `algorithm: Algorithm` field whose enum type is private to
/// `event_signing.rs` and therefore unreachable from this lib surface;
/// and this mirror additionally carries a pre-built
/// `signing_key: ed25519_dalek::SigningKey` for test ergonomics, which
/// the canonical struct does not. The load-bearing compile-time check
/// is that BOTH this mirror and the canonical struct derive
/// `ZeroizeOnDrop` and wrap key material in `Zeroizing`. The drift
/// reminder lives in `tests/event_signing_posture_drift.rs`.
#[doc(hidden)]
pub mod event_signing_posture {
    /// Structural-approximation mirror of `event_signing::SigningConfig`
    /// for the purpose of pinning the zeroize posture in an integration
    /// test. The posture invariants (`ZeroizeOnDrop` + `Zeroizing<Vec<u8>>`
    /// on `key_bytes`) match canonical; field set is approximate (see
    /// module-level doc comment).
    #[derive(zeroize::ZeroizeOnDrop)]
    pub struct SigningConfig {
        #[zeroize(skip)]
        pub kid: String,
        pub key_bytes: zeroize::Zeroizing<Vec<u8>>,
        pub signing_key: ed25519_dalek::SigningKey,
    }
}

// A2-02 / ADR-0007 — doc-hidden mirror of `composition::resolve_caller_identity`
// (private to the binary). Mirrors the FC-32 `__fcXX` shim pattern so an
// integration test can pin the `CELLOS_CALLER_IDENTITY` -> trim -> `"default"`
// fallback contract. Not for production callers.
#[doc(hidden)]
pub mod __a2_02 {
    pub fn resolve_caller_identity() -> String {
        std::env::var("CELLOS_CALLER_IDENTITY")
            .ok()
            .map(|v| v.trim().to_string())
            .filter(|v| !v.is_empty())
            .unwrap_or_else(|| "default".to_string())
    }
}