Expand description
@secret:<path> substitution wrapper for child-process argv per
ADR-020 §5.
ADR-020 §5 second bullet:
A wrapper rewrites
@secret:<path>occurrences in argv beforeexec. Because argv is visible to other processes throughps, the wrapper prefers passing the secret through stdin or a file descriptor when the target tool supports it (for example,gh auth login --with-token,git credential fill). Direct argv substitution is the fallback for tools that accept secrets only in argv, and is documented as such.
rewrite_argv is the planning function: it takes the raw
argv plus a SecretResolver, decides for each known tool
whether to redirect through stdin, and returns a RewritePlan
that captures:
- the final
argv(with aliases removed when they go through stdin, or with plaintext substituted when they go through argv), - an optional
stdin_payload(SecretString) the caller writes to the child’s stdin, - a per-substitution audit trail (
Substitution) so callers can log which paths were resolved through which strategy, - an
argv_visibleflag so the caller can warn when at least one secret will land inpsoutput.
apply_plan_to_command hands the plan to a
tokio::process::Command — sets stdio, then the caller
.spawn()s and writes the payload to the child’s stdin.
§Known-tool detection
The first version recognises two FD-friendly invocation patterns:
gh auth login --with-token <alias>—ghreads the token from stdin when--with-tokenis present.git credential fill|approve|reject— thegit credentialprotocol is stdin-only.
Adding more patterns (vault login -method=token, aws ssm put-parameter --value, …) is one entry per case in the
Known enum + a small predicate. Until they’re added, the
wrapper falls back to plaintext-in-argv with a structured
warning surface.
§What this module does not do
- Spawn the child. The caller decides how (
tokio::spawn, blocking, supervised), and only this module knows the stdio shape. - Resolve aliases against a router. The
SecretResolvertrait is the boundary; the storage-layer impl that walks the router/credential chain lands separately.
Structs§
- Rewrite
Plan - Outcome of
rewrite_argv. - Substitution
- Per-substitution audit entry. Surfaced through
RewritePlan::substitutionsso callers can log routing decisions without reaching into the secret values.
Enums§
- Argv
Rewrite Error - Failure modes for
rewrite_argv. - Substitution
Strategy - How the wrapper passed a secret to the child.
Functions§
- apply_
plan_ to_ command - Wire a
RewritePlaninto atokio::process::Command. - rewrite_
argv - Plan a substitution for the given child invocation.