# kovra-core
The core of **kovra** — a local secrets manager for development that custodies
keys, passwords, and tokens and delivers them to processes without leaking
plaintext.
This crate holds the logic that everything else builds on:
- the encrypted **vault** (per-record sealing, fingerprints, the registry of
global and per-project vaults);
- the **sensitivity policy** (`low` / `medium` / `high` / `inject-only`) and the
rules that govern reveal, injection, allowlisting, and attended confirmation;
- the **provider** abstraction for resolving external references behind a
mockable trait;
- the security boundary the rest of the workspace is held to — secret-bearing
types are zeroized and never implement `Debug`/`Display` over their value.
OS-specific and cloud pieces (biometrics, keyring, cloud CLIs, the subprocess
runner, the clock) sit behind traits so the core is tested with deterministic
mocks. `kovra-core` never depends on the higher layers — the dependency arrow
always points inward.
Part of the kovra workspace: <https://github.com/kaeus-inc/kovra-core>.
Licensed under BUSL-1.1.