

// Copyright 2026 Jay Gowdy
// SPDX-License-Identifier: MIT

//! Process hardening, trusted binary discovery, and timeout utilities.
//!
//! Any binary that handles hardware-backed secret material should call
//! [`harden_process`] as the **first line of `main()`** — before argument
//! parsing, environment inspection, or decryption.
//!
//! [`find_trusted_binary`] locates sibling binaries (agent, bridge, etc.)
//! in platform-appropriate install directories, deliberately excluding
//! `PATH` and `~/.cargo/bin` so that attacker-controlled `PATH` entries
//! cannot hijack daemon launches.

// Public surface of this module: re-exports of the process-security
// primitives implemented under `crate::internal::core`, grouped by concern
// in a single use tree so the module's API is visible at a glance.
pub use crate::internal::core::{
    // Process hardening — callers are expected to invoke `harden_process`
    // before anything else in `main()` (see the module docs above).
    process::harden_process,
    // Trusted binary discovery — resolves sibling binaries from install
    // directories only, never from `PATH` or `~/.cargo/bin`.
    bin_discovery::{find_trusted_binary, find_trusted_binary_with_context, BinaryDiscoveryContext},
    // Subprocess timeout utilities — bounded waits on child processes.
    timeout::{run_status_with_timeout, run_with_timeout, wait_with_timeout, TimeoutResult},
};