
Module plugin_client

Lifetime-managing client for subprocess SecretSource plugins per ADR-021 §10 (subprocess plugin lifetime contract).

Builds on the wire-protocol types from plugin_protocol and the manifest discovery from plugin_manifest: this module owns the process. The host calls request(...) whenever it needs to talk to the plugin; the client takes care of:

  • Lazy spawn — the binary doesn’t run until the first request reaches the client.
  • Idle timeout — a spawn that hasn’t been used for idle_timeout is shut down on the next access (kept the simple way: lazy reaping, no background sweeper).
  • Graceful shutdown — SIGTERM + grace_period followed by SIGKILL if the child won’t exit. Drop calls shutdown_blocking() so a leaked client doesn’t leave a zombie.
  • Restart cap — a sliding-window counter caps automatic re-spawn after a crash. Beyond the cap the plugin is marked disabled; doctor reports the failure count and the user has to clear it.
  • Env restriction — the child inherits exactly the env vars listed in crate::plugin_manifest::PluginManifest::allowed_env_vars and nothing else. Command::env_clear() is the gate; the test crate’s env-leak fixture proves it.
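The five bullets above describe one lifetime contract, so here is a single worked model of it. This is an added example, not the crate's plugin_client module: every name (RestartWindow, restricted_command, observed_child_env, shutdown, Lifetime) is hypothetical, /bin/sh and /usr/bin/env stand in for a plugin binary that would speak plugin_protocol, the host environment is passed in as a map (std::env::vars() in a real host) so the env-leak check runs against a constructed environment, and because std has no SIGTERM call the shell's kill builtin stands in for libc::kill. The 60-second restart window is also an assumption, not the ADR-021 §10 default.

```rust
// Added example, not the crate's plugin_client module: a reduced model of the
// lifetime contract (lazy spawn, lazy idle reaping, SIGTERM-then-SIGKILL,
// sliding-window restart cap, env_clear gate). Names are hypothetical; /bin/sh
// and /usr/bin/env stand in for a plugin binary. Unix only.
use std::collections::{BTreeMap, VecDeque};
use std::io;
use std::os::unix::process::ExitStatusExt;
use std::process::{Child, Command, Stdio};
use std::time::{Duration, Instant};

/// Sliding-window crash counter: trips once more than `cap` crashes fall inside
/// the trailing `window`; the host then stops respawning.
pub struct RestartWindow { window: Duration, cap: usize, crashes: VecDeque<Instant> }

impl RestartWindow {
    pub fn new(window: Duration, cap: usize) -> Self {
        RestartWindow { window, cap, crashes: VecDeque::new() }
    }
    /// Record a crash seen at `now`; returns true when automatic respawn must stop.
    pub fn record_crash(&mut self, now: Instant) -> bool {
        self.crashes.push_back(now);
        while self.crashes.front().map_or(false, |t| now.duration_since(*t) > self.window) {
            self.crashes.pop_front(); // fell out of the window, no longer counts
        }
        self.crashes.len() > self.cap
    }
    pub fn crashes_in_window(&self) -> usize { self.crashes.len() }
}

/// Env gate: env_clear() first, then copy back only allow-listed keys the host
/// actually has. `host_env` is a parameter (std::env::vars() in a real host).
pub fn restricted_command(program: &str, host_env: &BTreeMap<String, String>, allowed: &[&str]) -> Command {
    let mut cmd = Command::new(program);
    cmd.env_clear().stdin(Stdio::null()).stdout(Stdio::null()).stderr(Stdio::null());
    for key in allowed {
        if let Some(val) = host_env.get(*key) { cmd.env(key, val); }
    }
    cmd
}

/// Env-leak check: run /usr/bin/env under the gate and parse what the child saw.
pub fn observed_child_env(host_env: &BTreeMap<String, String>, allowed: &[&str]) -> io::Result<BTreeMap<String, String>> {
    let out = restricted_command("/usr/bin/env", host_env, allowed).stdout(Stdio::piped()).output()?;
    Ok(String::from_utf8_lossy(&out.stdout).lines()
        .filter_map(|l| l.split_once('='))
        .map(|(k, v)| (k.to_string(), v.to_string()))
        .collect())
}

/// SIGTERM, wait up to `grace`, then SIGKILL. Returns the signal that ended the
/// child (15 = SIGTERM, 9 = SIGKILL). The shell's `kill` builtin stands in for
/// libc::kill, which std does not expose.
pub fn shutdown(child: &mut Child, grace: Duration) -> io::Result<Option<i32>> {
    Command::new("/bin/sh").args(["-c", "kill -TERM \"$1\"", "sh"]).arg(child.id().to_string()).status()?;
    let deadline = Instant::now() + grace;
    while Instant::now() < deadline {
        if let Some(status) = child.try_wait()? { return Ok(status.signal()); }
        std::thread::sleep(Duration::from_millis(10));
    }
    child.kill()?; // Child::kill is SIGKILL on Unix
    Ok(child.wait()?.signal())
}

/// Lifetime state for one plugin: lazy spawn, lazy idle reaping, crash
/// accounting against the restart cap, and shutdown on Drop.
pub struct Lifetime {
    script: String,
    idle_timeout: Duration,
    grace: Duration,
    child: Option<Child>,
    last_used: Instant,
    restarts: RestartWindow,
    pub spawns: u32,
    pub disabled: bool,
}

impl Lifetime {
    pub fn new(script: &str, idle_timeout: Duration, grace: Duration, cap: usize) -> Self {
        Lifetime { script: script.to_string(), idle_timeout, grace, child: None, last_used: Instant::now(),
                   restarts: RestartWindow::new(Duration::from_secs(60), cap), spawns: 0, disabled: false }
    }
    /// Called on every request; returns the pid of a live child.
    pub fn ensure_alive(&mut self, now: Instant) -> io::Result<u32> {
        // A child that exited on its own is a crash; count it against the cap.
        let crashed = match self.child.as_mut() { Some(c) => c.try_wait()?.is_some(), None => false };
        if crashed {
            self.child = None;
            if self.restarts.record_crash(now) { self.disabled = true; }
        }
        if self.disabled {
            return Err(io::Error::new(io::ErrorKind::Other, "restart cap exceeded; plugin disabled until cleared"));
        }
        // Lazy reaping: an idle child is shut down on the next access, not by a sweeper.
        if now.duration_since(self.last_used) > self.idle_timeout {
            if let Some(mut old) = self.child.take() { shutdown(&mut old, self.grace)?; }
        }
        self.last_used = now;
        if self.child.is_none() { // lazy spawn: nothing runs until the first request
            let child = restricted_command("/bin/sh", &BTreeMap::new(), &[]).arg("-c").arg(&self.script).spawn()?;
            self.child = Some(child);
            self.spawns += 1;
        }
        Ok(self.child.as_ref().unwrap().id())
    }
}

impl Drop for Lifetime {
    fn drop(&mut self) { // a leaked handle still takes the child down
        if let Some(mut c) = self.child.take() { let _ = shutdown(&mut c, self.grace); }
    }
}
```

The two checks a practitioner wants are both observable from the return values: observed_child_env shows what the child really inherited (PATH and HOME must be absent even though the host has them), and shutdown reports 15 for a child that honours SIGTERM and 9 for one that ignores it, which is how a test distinguishes the graceful path from the escalation.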

What this module does not do

Implement the SecretSource trait. The client returns typed wire payloads; a thin adapter (added in P15.3 or by the router) maps them to SecretSource::get/list/validate results. Keeping the trait impl out of this module makes the lifetime semantics testable without dragging in the whole router.

Structs

LifetimePolicy
Lifetime knobs. All durations have ADR-021 §10 defaults.
PluginClient
Thread-safe handle to a subprocess plugin. Cheap to clone — the actual state lives behind an Arc<Mutex<…>>.
PluginHealth
Lifetime view exposed to doctor. Captures whether the plugin is alive, how many times it crashed in the rolling window, and whether the restart cap has tripped.

Enums

PluginClientError
PluginState