envseal 0.3.3

Write-only secret vault with process-level access control — post-agent secret management
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

//! Execution modes — every path through which a decrypted secret reaches a child process.
//!
//! All modes share a single security control point: [`context::prepare_execution`].
//!
//! # Submodules
//!
//! - [`context`] — Shared preparation: the [`PreparedExecution`] struct and
//!   [`prepare_execution`] function that runs all security checks. Also
//!   exposes [`harden_child_process_inner`] for use in `pre_exec` closures.
//! - [`mod@inject`] — Direct exec-replace injection (single and multi-secret).
//! - [`mod@pipe`] — Stdin-pipe injection (secret never enters the child env).
//! - [`supervised`] — Fork+exec+monitor with real-time leak detection and
//!   sandbox application.
//! - `sandbox_helper` (Linux only) — Post-`unshare` setup of private
//!   mounts inside the new namespace, then `execve` of the target. Reached
//!   via the `__sandbox_helper` CLI mode for Lockdown-tier supervised runs.

pub mod context;
pub mod inject;
pub mod pipe;
#[cfg(target_os = "linux")]
pub mod sandbox_helper;
pub mod supervised;

pub use context::{harden_child_process_inner, prepare_execution, PreparedExecution};
pub use inject::{
    command_fingerprint, execute, execute_multi, execute_multi_with_options, execute_with_options,
    validate_env_var_name, InjectExecOptions, InjectRequest,
};
pub use pipe::{pipe, pipe_with_stdio_isolation};
pub use supervised::{
    print_dataflow_report, supervised_execute, DataflowEvent, DataflowEventKind, SupervisedResult,
};