Struct Wrapper 

pub struct Wrapper<'a> {
    pub registry: &'a Registry,
    pub keyring: &'a dyn Keyring,
    pub env_source: &'a dyn EnvSource,
    pub provider: &'a dyn SecretProvider,
    pub confirmer: &'a dyn Confirmer,
    pub audit: &'a dyn AuditSink,
    pub clock: &'a dyn Clock,
    pub allowlist: &'a Allowlist,
    pub runner: &'a dyn ProcessRunner,
    pub confirm_timeout: Duration,
    pub sanitize_output: bool,
    pub stdio_passthrough: bool,
    pub requesting_process: Option<String>,
}

The Wrapper bundles the core dependencies (all behind traits, so the whole thing is mock-testable) and the launch policy knobs.

Fields

registry: &'a Registry

The vault registry (L2) consulted during resolution.

keyring: &'a dyn Keyring

The keyring providing the master key (L2).

env_source: &'a dyn EnvSource

The execution environment source for ${env:} passthrough (L4).

provider: &'a dyn SecretProvider

The provider used to materialize references (L4/L6).

confirmer: &'a dyn Confirmer

The confirmation broker for high/prod injection (L3/L8).

audit: &'a dyn AuditSink

The audit sink (L3).

clock: &'a dyn Clock

The clock used to stamp audit events (L3).

allowlist: &'a Allowlist

The executor allowlist gating high/prod injection (I15, §5.1).

runner: &'a dyn ProcessRunner

The process runner that actually launches the child (or mocks it).

confirm_timeout: Duration

How long to wait for an attended confirmation before failing safe to denial (§8).

sanitize_output: bool

Whether to mask injected values in the child’s output before returning (margin defense, §5.1 — a net, never a boundary).

stdio_passthrough: bool

Inherit the parent’s stdin/stdout/stderr into the child instead of capturing its output (KOV-65). Required to wrap interactive processes and stdio servers (e.g. an MCP server speaking JSON-RPC over stdin/stdout): without inherited stdin the child sees EOF and the handshake closes. In this mode the output is not captured, so masking (§5.1) does not apply — the secret is still injected via the environment only (I6/I7) and the high/prod gates (I3/I15) still run before the spawn. Default false keeps the capture-and-mask behaviour for ordinary kovra run.

requesting_process: Option<String>

The trusted, observed requesting-process identity for the I16 prompt (§8.3). For kovra run this is the observed parent of the wrapper process (who launched the run — see crate::observe_parent); for the MCP/FFI face it is the client/agent identity threaded through the trusted PyO3 boundary. None (e.g. examples/tests) simply omits the line. Never sourced from untrusted requester text; carries no secret value (I7/I12).
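The capture-and-mask behaviour of sanitize_output and the stdio_passthrough mode described above, as an added example that is not kovra's own code: mask, launch and the DEMO_TOKEN value are hypothetical names constructed for illustration, and the child is assumed to run through sh. It also shows why masking is a net and not a boundary: a child that transforms the value before printing it is not caught.

```rust
use std::io;
use std::process::{Command, Stdio};

/// Replace every occurrence of each injected value with a fixed marker.
/// Empty values are skipped: replacing "" would insert the marker everywhere.
fn mask(text: &str, injected: &[&str]) -> String {
    let mut vals: Vec<&str> = injected.iter().copied().filter(|v| !v.is_empty()).collect();
    // Longest first, so a value that contains a shorter one is masked whole.
    vals.sort_by_key(|v| std::cmp::Reverse(v.len()));
    let mut out = text.to_string();
    for v in vals {
        out = out.replace(v, "****");
    }
    out
}

/// Run `sh -c script` with the secrets in the child's environment only (never argv).
/// passthrough = false: stdout is captured and masked before it is returned.
/// passthrough = true: the child inherits the parent's stdio, so nothing is
/// captured and there is nothing to mask (returns None).
fn launch(script: &str, secrets: &[(&str, &str)], passthrough: bool) -> io::Result<Option<String>> {
    let mut cmd = Command::new("sh");
    cmd.arg("-c").arg(script);
    for (k, v) in secrets {
        cmd.env(k, v);
    }
    if passthrough {
        cmd.stdin(Stdio::inherit()).stdout(Stdio::inherit()).stderr(Stdio::inherit());
        cmd.status()?;
        return Ok(None);
    }
    let out = cmd.stdin(Stdio::null()).output()?;
    let values: Vec<&str> = secrets.iter().map(|(_, v)| *v).collect();
    Ok(Some(mask(&String::from_utf8_lossy(&out.stdout), &values)))
}

fn main() -> io::Result<()> {
    // Constructed sample value, not a real credential.
    let secrets = [("DEMO_TOKEN", "s3cr3t-constructed-value")];
    // A child that prints the value verbatim is caught by the mask.
    println!("{:?}", launch("echo token=$DEMO_TOKEN", &secrets, false)?);
    // A child that transforms the value first is not: the mask finds no match.
    println!("{:?}", launch("echo $DEMO_TOKEN | tr a-z A-Z", &secrets, false)?);
    // Passthrough: output goes straight to the parent's stdout, unmasked.
    println!("{:?}", launch("echo passthrough child ran", &secrets, true)?);
    Ok(())
}
```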

Implementations

impl Wrapper<'_>

pub fn run(
    &self,
    refs: &EnvRefs,
    env: &str,
    project_override: Option<&str>,
    program: &Path,
    args: &[String],
    origin: Origin,
) -> Result<Output, WrapperError>

Resolve refs under env, gate/confirm, inject, and launch program args.... origin distinguishes an agent-initiated run from a human one (weighs into the prompt, §8.3). project_override wins over the .env.refs project = line.

Auto Trait Implementations

impl<'a> !RefUnwindSafe for Wrapper<'a>

impl<'a> !Send for Wrapper<'a>

impl<'a> !Sync for Wrapper<'a>

impl<'a> !UnwindSafe for Wrapper<'a>

impl<'a> Freeze for Wrapper<'a>

impl<'a> Unpin for Wrapper<'a>

impl<'a> UnsafeUnpin for Wrapper<'a>

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<ST, DT> CastableFrom<ST, Initialized, Initialized> for DT
where ST: ?Sized, DT: ?Sized,

impl<ST, DT> CastableFrom<ST, Uninit, Uninit> for DT
where ST: ?Sized, DT: ?Sized,

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> Pointable for T

const ALIGN: usize

The alignment of pointer.

type Init = T

The type for initializers.

unsafe fn init(init: <T as Pointable>::Init) -> usize

Initializes a with the given initializer.

unsafe fn deref<'a>(ptr: usize) -> &'a T

Dereferences the given pointer.

unsafe fn deref_mut<'a>(ptr: usize) -> &'a mut T

Mutably dereferences the given pointer.

unsafe fn drop(ptr: usize)

Drops the object pointed to by the given pointer.

impl<T> Read<Exclusive, BecauseExclusive> for T
where T: ?Sized,

impl<T> Same for T

type Output = T

Should always be Self

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

fn vzip(self) -> V