envseal 0.3.11

Write-only secret vault with process-level access control — post-agent secret management
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323

//! High-level operations — the unified API for all envseal consumers.
//!
//! This module is the single facade that CLI, desktop UI, and MCP
//! consume. Operations split into two categories:
//! - **Passphrase-free**: work with filesystem only (list, check, status)
//! - **Vault-locked**: require an unlocked `Vault` (peek, rename, copy)
//!
//! # Submodules
//!
//! Domain-grouped submodules live alongside this file. Each is
//! re-exported here so the `envseal::ops::*` surface stays flat
//! and stable (LAW 2 — backwards-compatible).
//!
//! - [`admin`] — security tier presets, granular field setters,
//!   detection→policy overrides, and TOTP pairing. The "operator
//!   configures the vault" surface.
//! - [`governance`] — access-policy inspection/revocation and Git
//!   pre-commit hook installation. Vault-level *rules*, distinct
//!   from the "operator manipulates a secret" surface that lives
//!   directly in this file.

pub mod admin;
pub mod ctf;
pub mod dev_migration;
pub mod execution;
#[cfg(feature = "fido2")]
pub mod fido2_admin;
pub mod governance;
pub mod lifecycle;
pub mod queries;
pub use admin::*;
pub use ctf::*;
pub use dev_migration::*;
pub use execution::*;
#[cfg(feature = "fido2")]
pub use fido2_admin::{
    disable as fido2_disable, enroll as fido2_enroll, status as fido2_status, Fido2StatusReport,
};
pub use governance::*;
pub use lifecycle::*;
pub use queries::*;

use crate::error::Error;
use crate::vault::Vault;
use crate::{gui, secret_health, security_config};
use std::path::{Path, PathBuf};

// Read-only queries (vault_root, list_*, peek_*, check_*, env_dry_run,
// vault_status, audit_log + their data types) live in `ops::queries`.
// Secret mutations (store_*, revoke_*, copy_secret, rename_secret,
// emergency_revoke_all, rotate_secret, shred_file, import_env_file,
// request_secret_value_default + EmergencyRevokeResult / ImportResult)
// live in `ops::lifecycle`. Both are re-exported above for backwards
// compatibility — every `envseal::ops::<name>` path that worked before
// the split still resolves.

/// Return a health report for secrets in the default vault.
pub fn health_report(max_days: Option<u64>) -> Result<secret_health::HealthReport, Error> {
    let vault = Vault::open_default()?;
    secret_health::health_report(&vault, max_days)
}

// Policy display/revocation and Git hook helpers moved to `ops::governance`.
// Security/TOTP/policy-override administration moved to `ops::admin`.
// Public API preserved by the `pub use governance::*; pub use admin::*;` re-exports above.

// Process-spawning ops moved to `ops::execution`.
// Public API preserved by the `pub use execution::*;` re-export above.

// Re-export GUI threat-assessment types under `ops` so command files
// don't have to depend on the `guard` module directly. The
// `boundary_ops_only` test enforces that command files import only from
// `envseal::ops` / `envseal::error::Error`.
pub use crate::guard::{GuiSecurityReport, GuiThreatLevel, PhysicalPresence};

/// Aggregated diagnostics for `envseal doctor`.
///
/// Holds every probe envseal runs at startup (`guard::*` checks, GUI threat
/// assessment, vault root status). The CLI/desktop renders this; tests can
/// assert against it without parsing free-form text.
#[derive(Debug, Clone)]
pub struct DoctorReport {
    /// Whether `ptrace_scope` is permissive (Linux only). Unset off Linux.
    pub ptrace_scope_warning: Option<String>,
    /// Result of [`crate::guard::check_self_preload`] — `Ok(())` if clean,
    /// `Err(message)` if `LD_PRELOAD` / `LD_AUDIT` is set in our process env.
    pub self_preload: Result<(), String>,
    /// Full GUI security assessment.
    pub gui: crate::guard::GuiSecurityReport,
    /// Hostile/Degraded/Safe environment classification.
    pub environment: EnvThreatLabel,
    /// Vault root path and whether it exists / has been initialized.
    pub vault: VaultProbe,
    /// `OsCapabilities::detect()` snapshot.
    pub capabilities: crate::sandbox::OsCapabilities,
    /// Active hardware keystore backend (DPAPI / Secure Enclave / TPM 2.0
    /// / None) and its protection tier (1 = true hardware seal,
    /// 2 = OS-bound, 3 = passphrase-only).
    pub keystore: KeystoreProbe,
    /// Every detector signal that fired, in stable taxonomic form.
    /// One entry per signal — id, category, severity, label,
    /// detail, mitigation. Renderers can surface this for
    /// transparency and policy-override authoring; CI can
    /// machine-parse it to gate releases.
    pub signals: Vec<SignalProbe>,
}

/// Single signal as surfaced by [`doctor_report`]. Stripped down to
/// owned strings so the report can be serialized and round-tripped
/// without lifetime headaches.
#[derive(Debug, Clone)]
pub struct SignalProbe {
    /// Stable signal identifier (e.g. `gui.input_injector`).
    pub id: String,
    /// Category string (`input_injection`, `gui_presence`, …).
    pub category: String,
    /// Severity string (`info` / `warn` / `degraded` / `hostile` / `critical`).
    pub severity: String,
    /// Short human-readable label.
    pub label: String,
    /// Per-detection contextual detail.
    pub detail: String,
    /// One-line mitigation hint.
    pub mitigation: String,
}

/// Hardware-keystore status for `envseal doctor`.
#[derive(Debug, Clone)]
pub struct KeystoreProbe {
    /// Backend identifier as returned by [`crate::keychain::active_backend`].
    pub backend: crate::vault::hardware::Backend,
    /// Protection tier: 1 = hardware seal, 2 = OS-bound, 3 = none.
    pub tier: u8,
    /// Human-readable backend name for display.
    pub name: &'static str,
}

/// Tagged version of [`crate::guard::EnvironmentThreatLevel`] suitable for
/// caller pattern-matching without re-importing the guard enum.
#[derive(Debug, Clone)]
pub enum EnvThreatLabel {
    /// No hostile or degraded vars present.
    Safe,
    /// Suspicious vars (e.g. `LD_LIBRARY_PATH`) — not blocking by default.
    Degraded(String),
    /// Active injection vars (`LD_PRELOAD` etc.) — blocking by tier policy.
    Hostile(String),
}

/// Vault-root probe surfaced by [`doctor_report`].
#[derive(Debug, Clone)]
pub struct VaultProbe {
    /// Root directory (`~/.config/envseal` etc.).
    pub root: PathBuf,
    /// Whether the directory exists.
    pub exists: bool,
    /// Whether the master key file exists inside it.
    pub master_key_present: bool,
}

/// Run every doctor probe and assemble the report.
///
/// Cheap and side-effect-free at the OS level: probes `/proc`, env vars, and
/// the vault directory; never opens the vault.
///
/// # Errors
/// Returns `Error::StorageIo` if `vault_root` resolution fails.
pub fn doctor_report() -> Result<DoctorReport, Error> {
    let root = vault_root()?;
    let exists = root.exists();
    let master_key_present = exists && root.join("master.key").exists();

    let environment = match crate::guard::assess_environment() {
        crate::guard::EnvironmentThreatLevel::Safe => EnvThreatLabel::Safe,
        crate::guard::EnvironmentThreatLevel::Degraded(s) => EnvThreatLabel::Degraded(s),
        crate::guard::EnvironmentThreatLevel::Hostile(s) => EnvThreatLabel::Hostile(s),
    };

    let backend = crate::keychain::active_backend();
    let keystore = KeystoreProbe {
        backend,
        tier: backend.tier(),
        name: backend.name(),
    };

    // doctor is an ambient host scan — it has no target binary or
    // operation context, so per-operation detectors stay quiet.
    let doctor_ctx = crate::guard::DetectorContext::ambient();
    let signals = crate::guard::assess_all_signals(&doctor_ctx)
        .into_iter()
        .map(|s| SignalProbe {
            id: s.id.as_str().to_string(),
            category: s.category.as_str().to_string(),
            severity: s.severity.as_str().to_string(),
            label: s.label.to_string(),
            detail: s.detail,
            mitigation: s.mitigation.to_string(),
        })
        .collect();

    Ok(DoctorReport {
        ptrace_scope_warning: crate::guard::check_ptrace_scope(),
        self_preload: crate::guard::check_self_preload().map_err(|e| e.to_string()),
        gui: crate::guard::assess_gui_security(),
        environment,
        vault: VaultProbe {
            root,
            exists,
            master_key_present,
        },
        capabilities: crate::sandbox::OsCapabilities::detect(),
        keystore,
        signals,
    })
}

/// Verify a GUI dialog binary by name (`zenity`, `kdialog`).
///
/// Re-exported so CLI command files don't need to import the `guard` module.
///
/// # Errors
/// Returns whatever [`crate::guard::verify_gui_binary`] returns.
pub fn verify_gui_binary(name: &str) -> Result<PathBuf, Error> {
    crate::guard::verify_gui_binary(name)
}

// Import / shred / rotate moved to `ops::lifecycle`.

/// Validate that `path` (from untrusted MCP-style input) does not escape the process cwd.
///
/// Returns the resolved absolute path. Canonicalize failures use generic messages so
/// host `io::Error` strings are not surfaced to remote tool clients.
pub fn validate_path_within_cwd(
    path: &str,
    field: &str,
    max_path_len: usize,
) -> Result<PathBuf, String> {
    if path.contains('\0') {
        return Err(format!("{field} contains invalid characters"));
    }
    if path.len() > max_path_len {
        return Err(format!(
            "{field} exceeds maximum length of {max_path_len} bytes"
        ));
    }
    let p = Path::new(path);
    if p.components()
        .any(|c| matches!(c, std::path::Component::ParentDir))
    {
        return Err(format!("{field} must not escape the working directory"));
    }
    let cwd =
        std::env::current_dir().map_err(|_| "cannot determine working directory".to_string())?;
    let cwd = std::fs::canonicalize(&cwd).map_err(|_| {
        "cannot resolve working directory (symlink or permission error)".to_string()
    })?;
    let abs = if p.is_absolute() {
        p.to_path_buf()
    } else {
        cwd.join(p)
    };
    let resolved = if abs.exists() {
        std::fs::canonicalize(&abs)
            .map_err(|_| format!("failed to resolve {field} (path or permission error)"))?
    } else {
        // Walk up to the deepest existing ancestor, then re-append the missing suffix.
        // This is more robust than `canonicalize(parent)` because the *parent* may
        // not exist either (e.g. `/etc/passwd` on Windows where `/etc` is also absent).
        let mut anchor = abs.clone();
        let mut suffix: Vec<std::ffi::OsString> = Vec::new();
        while !anchor.exists() {
            let leaf = anchor
                .file_name()
                .ok_or_else(|| format!("{field} has no resolvable ancestor"))?
                .to_os_string();
            suffix.push(leaf);
            match anchor.parent() {
                Some(parent) => anchor = parent.to_path_buf(),
                None => return Err(format!("{field} has no resolvable ancestor")),
            }
        }
        let canonical_anchor = std::fs::canonicalize(&anchor)
            .map_err(|_| format!("failed to resolve {field} (path or permission error)"))?;
        let mut resolved = canonical_anchor;
        for piece in suffix.into_iter().rev() {
            resolved.push(piece);
        }
        resolved
    };
    if resolved != cwd && !resolved.starts_with(cwd.join("")) {
        return Err(format!("{field} must not escape the working directory"));
    }
    Ok(resolved)
}

/// Request a secret through GUI and store it in the default vault.
///
/// Returns any entropy warnings from the stored value so callers can
/// surface them to the user. The secret itself is never returned.
pub fn request_key(name: &str, description: &str) -> Result<Vec<crate::guard::Signal>, Error> {
    let vault = Vault::open_default()?;
    let config = security_config::load_config(vault.root(), vault.master_key_bytes())?;
    // SECURITY: prepend a source-authentication banner so the user
    // can distinguish AI-agent-initiated prompts from human-initiated
    // ones. Prevents social-engineering attacks where a compromised
    // agent requests a sensitive key with a misleading description.
    let agent_desc = format!(
        "[AGENT-INITIATED REQUEST]\n\n{description}\n\n---\nThis prompt was initiated by an automated agent. Verify the secret name ('{name}') before entering any credentials."
    );
    let secret = gui::request_secret_value(name, &agent_desc, &config)?;
    if secret.is_empty() {
        return Err(Error::CryptoFailure(
            "refusing to store an empty secret".to_string(),
        ));
    }
    store_secret(name, secret.as_bytes(), false)
}

// CTF operations moved to `ops::ctf`.
// Public API preserved by the `pub use ctf::*;` re-export above.

// Developer-migration ops moved to `ops::dev_migration`.
// Public API preserved by the `pub use dev_migration::*;` re-export above.