hackamore control plane: short-lived policy-bound token minting, the credential vault,
and the audit sink. The data plane ([gateway]) holds an Arc<ControlPlane> and
consults it on every request; the policy engine ([policy]) never touches any of
this — it stays pure. There is no agent registry: a token is a policy binding.
Re-exports

pub use audit::AuditSink;
pub use audit::FileAudit;
pub use audit::InMemoryAudit;
pub use audit::TracingAudit;
pub use credentials::CredentialStore;
pub use credentials::InMemoryCredentials;
pub use credentials::Secret;
pub use providers::CachingCredentials;
pub use providers::CredentialProvider;
pub use providers::EksGetTokenProvider;
pub use providers::GitHubAppProvider;
pub use providers::MintedSecret;
pub use providers::pkcs8_from_pem;
pub use providers::spawn_refresher;
pub use tenants::Tenants;
pub use tokens::SigV4Mint;
pub use tokens::Tokens;
Modules

- audit: The audit sink. Every decision hackamore makes — allow or deny — is recorded. The trait lets the data plane stay oblivious to where records go; v1 ships an in-memory sink (used by tests and introspection) and a tracing sink for operations.
- credentials: The credential vault: resolves a logical credential id (named by the policy engine via a CredentialRef) into a real upstream secret. Secrets live only here and in the data plane's outbound request; the agent never sees them.
- providers: Minting, rotating credential providers.
- tenants: Multi-tenant mint authorization. When one hackamore serves more than one trust domain, a tenant authenticates to the mint endpoint and may only mint tokens scoped to the targets it owns. Without this, any caller could submit a policy naming another tenant's target and launder its credential.
- tokens: Short-lived launch tokens. The orchestrator mints a token bound to a submitted Policy with a TTL; the consumer presents it to the proxy, which resolves it back to that policy. The token is an opaque capability honored only by hackamore — it is useless against the real upstream — and is revocable at any time. There is no agent identity: the token is the policy binding.
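The "token is the policy binding" design above, reduced to its core as an added illustration; this is not hackamore's own code, and `Policy`, `TokenStore` and the `hk_` prefix are hypothetical stand-ins. Time is passed in as epoch milliseconds, mirroring the control plane's testability rule, so expiry can be driven deterministically.

```rust
// Added illustration of a policy-bound, TTL-limited, revocable launch token.
// Not the crate's code: Policy, TokenStore and the token format are hypothetical.
use std::collections::HashMap;

/// What the holder may reach. Stands in for the crate's submitted Policy.
#[derive(Clone, Debug, PartialEq)]
pub struct Policy {
    pub target: String,
    pub credential_id: String,
}

struct Binding {
    policy: Policy,
    expires_at_ms: u64,
    revoked: bool,
}

/// Opaque tokens mapped to the policy they were minted for. There is no
/// agent identity here: resolving the token yields the policy and nothing else.
pub struct TokenStore {
    next_id: u64,
    bindings: HashMap<String, Binding>,
}

impl TokenStore {
    pub fn new() -> Self { TokenStore { next_id: 0, bindings: HashMap::new() } }

    /// Mint a token for `policy`, valid for `ttl_ms` from `now_ms`.
    pub fn mint(&mut self, policy: Policy, ttl_ms: u64, now_ms: u64) -> String {
        self.next_id += 1;
        // A counter keeps this self-contained; a real mint uses unguessable random bytes.
        let token = format!("hk_{:016x}", self.next_id);
        let binding = Binding { policy, expires_at_ms: now_ms + ttl_ms, revoked: false };
        self.bindings.insert(token.clone(), binding);
        token
    }

    /// Resolve a presented token to its policy; None if unknown, expired or revoked.
    pub fn resolve(&self, token: &str, now_ms: u64) -> Option<&Policy> {
        let b = self.bindings.get(token)?;
        if b.revoked || now_ms >= b.expires_at_ms { return None; }
        Some(&b.policy)
    }

    /// Revoke at any time; every later presentation fails closed. Returns whether the token existed.
    pub fn revoke(&mut self, token: &str) -> bool {
        match self.bindings.get_mut(token) {
            Some(b) => { b.revoked = true; true }
            None => false,
        }
    }
}
```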
Structs

- ControlPlane: The assembled control plane. Each capability is an independent component; the credential store and audit sink are trait objects so they can be swapped without touching the data plane.
Functions

- now_ms: Wall-clock time in Unix epoch milliseconds. The control-plane core takes time as a parameter for testability; this is the production source the binary passes in.