cleanlib-cli 0.1.1

Terminal interface to CleanLibrary — query dependency verdicts and scan package manifests for ALLOW / DENY / WARN signals from the terminal or CI pipelines.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

//! Bearer-token resolution — cycle-7 Cli6. Three-tier lookup per dispatch §2.5:
//!
//! 1. `CLEANLIB_ENRICH_BEARER` env var (highest priority; CI / scripted use).
//!    Also accepts `CLEANLIBRARY_API_KEY` for backwards-compat with the
//!    cycle-4 cleanlib-client config-loader env-var naming.
//! 2. `keyring-rs` entry `cleanstart.com/cleanlib-enrich` (interactive;
//!    one-time `cleanlib login` stores it; cross-platform Keychain /
//!    Secret Service / Credential Manager).
//! 3. `gcloud auth print-access-token` via `cleanlib-run-sa` impersonation
//!    fallback (CleanStart-internal customers with ADC + impersonation;
//!    env-var documents the gcloud token-print pattern — no SM fallback
//!    from end-user CLI).
//!
//! Per `feedback_never_inline_secrets`: bearer never logged; never in error
//! messages; redacted from `--verbose` output. The Result type uses an enum
//! describing the tier hit (or miss) so the caller can surface diagnostics
//! without ever printing the bearer itself.

pub mod bearer;

#[allow(unused_imports)]
pub use bearer::{resolve_bearer, BearerSource, KEYRING_SERVICE, KEYRING_USER};