envseal 0.3.11

Write-only secret vault with process-level access control — post-agent secret management
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

//! Whitelist policy management with integrity verification.
//!
//! Controls which binaries are authorized to receive which secrets.
//! Policies are stored in `~/.config/envseal/policy.toml` and HMAC-signed
//! to detect tampering.
//!
//! # Policy Structure
//!
//! ```toml
//! [[rules]]
//! binary = "/usr/bin/wrangler"
//! secret = "cloudflare-token"
//! scope = "key"
//! binary_hash = "a3f2..."   # SHA-256 of the binary at approval time
//! ```
//!
//! # Security
//!
//! - **Binary hash**: stored at approval time and verified on every
//!   injection. If the binary changes (update, replacement, poisoning),
//!   the user is re-prompted.
//! - **HMAC signing**: the policy file is signed with an HKDF-derived key.
//!   If an agent modifies `policy.toml` directly, the HMAC check fails.
//!
//! # Submodules
//!
//! - [`rules`] — Data model: [`Rule`], [`RuleScope`], [`Policy`], plus the
//!   binary-path resolver.
//! - [`hmac`] — HMAC computation, signature framing, and constant-time
//!   verification helpers used by [`Policy::save_signed`] /
//!   [`Policy::load_verified`].

pub mod hmac;
pub mod predicates;
pub mod rules;
#[cfg(windows)]
pub mod windows_acl;

pub use predicates::{NetworkRequirement, PolicyContext, Predicates};
pub use rules::{resolve_binary, sealed_path_for, Policy, Rule, RuleScope};