Module inject 

Direct exec-replace injection — Command::status() with secrets in env.

This is the simplest execution mode: the prepared child takes over the current process slot (or runs as a sibling and is wait’d on) with the decrypted secret(s) injected via environment variables. No supervision, no leak detection — when raw speed and minimal overhead matter.

Also home of two security primitives that aren’t tied to a single execution mode but logically belong with the inject surface:

• validate_env_var_name — rejects env-var names that would weaponize the loader (LD_PRELOAD, DYLD_INSERT_LIBRARIES, …) or violate the POSIX IEEE Std 1003.1 name grammar.
• command_fingerprint — argv-binding fingerprint used to scope an approval to a specific invocation pattern (so an approval for wrangler deploy doesn’t auto-allow wrangler --shell evil.sh).

Structs

InjectExecOptions

Execution options for process launch behavior.

InjectRequest

A request to inject a single secret into a child process.

Functions

command_fingerprint

Argv-binding fingerprint for command-pattern-scoped approval.

execute

Execute an inject request: decrypt the secret, enforce policy, and exec the child process with the secret as an env var.

execute_multi

Inject multiple secrets into a single child process.

execute_multi_with_options

Inject multiple secrets with explicit execution options.

execute_with_options

Execute an inject request with explicit execution options.

validate_env_var_name

Validate an env-var name about to receive a decrypted secret.