Lifetime-managing client for subprocess SecretSource
plugins per ADR-021 §10 (subprocess plugin lifetime
contract).
Builds on the wire-protocol types from plugin_protocol
and the manifest discovery from plugin_manifest: this
module owns the process. The host calls request(...)
whenever it needs to talk to the plugin; the client takes
care of:
- Lazy spawn — the binary doesn’t run until the first request reaches the client.
- Idle timeout — a spawn that hasn’t been used for `idle_timeout` is shut down on the next access (kept the simple way: lazy reaping, no background sweeper).
- Graceful shutdown — SIGTERM + `grace_period` followed by SIGKILL if the child won’t exit. `Drop` calls `shutdown_blocking()` so a leaked client doesn’t leave a zombie.
- Restart cap — a sliding-window counter caps automatic re-spawn after a crash. Beyond the cap the plugin is marked disabled; `doctor` reports the failure count and the user has to clear it.
- Env restriction — the child inherits exactly the env vars listed in `crate::plugin_manifest::PluginManifest::allowed_env_vars` and nothing else. `Command::env_clear()` is the gate; the test crate’s env-leak fixture proves it.
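Two of the contract points above, the sliding-window restart cap and the `env_clear()` gate, sketched as an added example. This is illustrative code, not the crate’s `PluginClient`; the `RestartCap` type, `restricted_command` helper, and the sample allow-list and env values are assumptions.

```rust
use std::collections::VecDeque;
use std::process::Command;
use std::time::{Duration, Instant};

/// Sliding-window restart counter (hypothetical helper, not the crate's own type).
/// `record_crash` logs a crash; once more than `max_restarts` crashes fall inside
/// `window` the plugin is marked disabled until an operator calls `clear`.
pub struct RestartCap {
    window: Duration,
    max_restarts: usize,
    crashes: VecDeque<Instant>,
    disabled: bool,
}

impl RestartCap {
    pub fn new(window: Duration, max_restarts: usize) -> Self {
        Self { window, max_restarts, crashes: VecDeque::new(), disabled: false }
    }

    /// Drop crash timestamps that have slid out of the window.
    fn prune(&mut self, now: Instant) {
        while let Some(&t) = self.crashes.front() {
            if now.duration_since(t) > self.window { self.crashes.pop_front(); } else { break; }
        }
    }

    /// Record a crash at `now`; returns true if the cap has tripped.
    pub fn record_crash(&mut self, now: Instant) -> bool {
        self.prune(now);
        self.crashes.push_back(now);
        if self.crashes.len() > self.max_restarts { self.disabled = true; }
        self.disabled
    }

    pub fn may_restart(&self) -> bool { !self.disabled }
    pub fn crashes_in_window(&self) -> usize { self.crashes.len() }
    pub fn clear(&mut self) { self.crashes.clear(); self.disabled = false; }
}

/// Build the child command with a cleared environment and only the allow-listed
/// variables copied in. `host_env` is passed in (constructed by the caller) instead
/// of being read from the real process environment, so the gate is unit-testable.
pub fn restricted_command(bin: &str, allowed: &[&str], host_env: &[(&str, &str)]) -> Command {
    let mut cmd = Command::new(bin);
    cmd.env_clear(); // the gate: nothing from the host environment is inherited
    for (k, v) in host_env {
        if allowed.contains(k) { cmd.env(k, v); }
    }
    cmd
}
```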
What this module does not do
Implement the SecretSource trait. The client returns
typed wire payloads; a thin adapter (added in P15.3 or by
the router) maps them to SecretSource::get/list/validate
results. Keeping the trait impl out of this module makes
the lifetime semantics testable without dragging in the
whole router.
Structs
- LifetimePolicy - Lifetime knobs. All durations have ADR-021 §10 defaults.
- PluginClient - Thread-safe handle to a subprocess plugin. Cheap to clone — the actual state lives behind an `Arc<Mutex<…>>`.
- PluginHealth - Lifetime view exposed to `doctor`. Captures whether the plugin is alive, how many times it crashed in the rolling window, and whether the restart cap has tripped.