//! Extension discovery, dispatch, and guardrails for the qli CLI.
//!
//! [`discovery`] walks XDG + PATH and builds the group/extension table.
//! [`dispatch::run`] wraps the child spawn in the guard sequence: banner →
//! [`guard::check_requires_env`] → [`guard::run_confirm`] → secrets →
//! [`audit`] start → spawn → audit finish/interrupted. Manifests
//! ([`manifest`]) describe each group; secret resolution is pluggable via
//! [`secrets::SecretsResolver`].
//!
//! ## Diagnostic policy (fail fast, fail loud)
//!
//! Every error has one obvious surface — never silently swallowed. Four
//! tiers, picked by *user impact*, not by *code locality*:
//!
//! 1. **Process-fatal** — bubbled up as `anyhow::Error` from `main`, printed
//!    `error: {msg}` (exit 1). For startup failures and unrecoverable binary
//!    conditions.
//! 2. **Dispatch-fatal** — typed [`dispatch::DispatchError`] variants that
//!    abort one dispatched extension with full context. Surfaced through
//!    `anyhow` so the user sees `error: failed to run X: Y`.
//! 3. **Must-see warning** — `eprintln!("warning: ...")`. Never goes through
//!    `tracing` (which `-q` can silence). Used when behavior visibly
//!    degrades: discovery skipped a group, a signal handler couldn't
//!    install, an audit-finish write failed.
//! 4. **Trace** — `tracing` info/debug/trace. Routine progress only;
//!    silenceable. Use it when a later operation will fail loudly with full
//!    context if this trace event mattered.
//!
//! Rule of thumb: if you write `.ok()` on a `Result` whose failure changes
//! user-visible behavior, you've picked the wrong tier — promote to 3 or 2.
//! Validation belongs at the **earliest boundary** (parse-time over
//! exec-time) so the error points at the source, not the symptom.
pub use ;
pub use ;
pub use ;
pub use ;
pub use ;
pub use ;
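
// Added example, not part of the qli sources: a std-only sketch of tiers 2 and 3
// from the diagnostic policy above, with validation at the earliest boundary.
// `DemoDispatchError`, `check_env`, `finish_audit` and `FullDisk` are hypothetical
// names; the sample environment and audit record are constructed.

```rust
use std::fmt;
use std::io::{self, Write};

// Tier 2 stand-in (hypothetical variant; the real DispatchError is not shown here).
#[derive(Debug, PartialEq)]
pub enum DemoDispatchError {
    MissingEnv { extension: String, var: String },
}

impl fmt::Display for DemoDispatchError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let Self::MissingEnv { extension, var } = self;
        write!(f, "failed to run {extension}: required env var {var} is not set")
    }
}

// Earliest boundary: reject before spawn so the error names the missing variable.
pub fn check_env(ext: &str, required: &[&str], env: &[(&str, &str)]) -> Result<(), DemoDispatchError> {
    match required.iter().find(|v| !env.iter().any(|(k, _)| k == *v)) {
        Some(var) => Err(DemoDispatchError::MissingEnv {
            extension: ext.to_string(),
            var: (*var).to_string(),
        }),
        None => Ok(()),
    }
}

// Tier 3: a failed audit-finish write degrades the audit trail, so it goes to
// stderr as a must-see warning instead of being dropped by `writeln!(..).ok()`.
pub fn finish_audit<W: Write>(sink: &mut W, record: &str) -> Option<String> {
    let err = writeln!(sink, "{record}").err()?;
    let warning = format!("warning: audit finish write failed: {err}");
    eprintln!("{warning}");
    Some(warning)
}

// Constructed failing sink that simulates an unwritable audit log.
pub struct FullDisk;
impl Write for FullDisk {
    fn write(&mut self, _: &[u8]) -> io::Result<usize> {
        Err(io::Error::new(io::ErrorKind::Other, "disk full"))
    }
    fn flush(&mut self) -> io::Result<()> { Ok(()) }
}

fn main() {
    let env = [("HOME", "/home/demo")]; // constructed sample environment
    if let Err(e) = check_env("deploy", &["HOME", "API_TOKEN"], &env) {
        eprintln!("error: {e}");
    }
    finish_audit(&mut FullDisk, "deploy exit=0");
}
```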