Module cache

Per-invocation in-process secret cache.

ProcessCache holds Arc<SecretString> values keyed by a (scheme, identity) tuple. The Arc is the only handle the cache retains; on eviction, the listener explicitly drops the Arc, and the inner SecretString’s Drop impl zeroizes the heap buffer once the last holder (the cache, or a borrowed clone) goes away.

Cache construction requires a crate::hardening::HardeningToken. Without it the type is unconstructible. The CLI binary obtains the token at startup via crate::hardening::install; library consumers wanting caching must do the same. This is the architectural lever that makes PR_SET_DUMPABLE=0, RLIMIT_CORE=0, and env-injection refusal non-bypassable preconditions for any cached secret.

§What this cache is and is not

  • It is a per-invocation memoization layer. Lifetime = process lifetime. No on-disk persistence, no daemon, no IPC.
  • It eliminates the duplicate-URL footgun within a single batch (hasp get URL URL URL triggers one backend fetch).
  • It is not a defense against /proc/<pid>/mem inspection by a same-uid attacker. The hardening token’s underlying mitigations are the only such defense, and they are best-effort.

Cross-invocation persistence (Approach A in RESEARCH-op-caching.md) lives behind the cache-persistent Cargo feature and is opt-in by binary builders only.
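
The token-gated construction, scheme-namespaced keys and drop-on-eviction behaviour described above, as an added std-only sketch that is not this crate's own code. Assumptions: `Secret` stands in for SecretString, a HashMap stands in for moka, `install` here applies none of the real mitigations, and `get_or_fetch`, `evict`, `fetches` and `WIPED` are hypothetical names.

```rust
use std::collections::HashMap;
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Arc;

pub mod hardening {
    /// Private field: code outside this module cannot build a token.
    pub struct HardeningToken(());
    /// Stand-in (assumption): the real install applies the mitigations first.
    pub fn install() -> HardeningToken { HardeningToken(()) }
}

pub static WIPED: AtomicUsize = AtomicUsize::new(0); // demo-only wipe counter
/// Stand-in for SecretString: overwrites its heap buffer on drop.
pub struct Secret(Vec<u8>);
impl Secret { pub fn expose(&self) -> &[u8] { &self.0 } }
impl Drop for Secret {
    fn drop(&mut self) {
        for b in self.0.iter_mut() { unsafe { std::ptr::write_volatile(b, 0) } }
        WIPED.fetch_add(1, Ordering::SeqCst);
    }
}

pub struct ProcessCache { map: HashMap<(String, String), Arc<Secret>>, pub fetches: usize }
impl ProcessCache {
    /// The only constructor; unreachable without a token from `install`.
    pub fn new(_proof: &hardening::HardeningToken) -> Self {
        ProcessCache { map: HashMap::new(), fetches: 0 }
    }
    /// Hypothetical helper: `backend` runs only on a miss for (scheme, identity).
    pub fn get_or_fetch(&mut self, scheme: &str, id: &str,
                        backend: impl FnOnce() -> Vec<u8>) -> Arc<Secret> {
        let key = (scheme.to_string(), id.to_string());
        if let Some(hit) = self.map.get(&key) { return Arc::clone(hit); }
        self.fetches += 1;
        let secret = Arc::new(Secret(backend()));
        self.map.insert(key, Arc::clone(&secret));
        secret
    }
    /// Eviction drops the cache's Arc; the wipe runs when the last clone goes.
    pub fn evict(&mut self, scheme: &str, id: &str) {
        drop(self.map.remove(&(scheme.to_string(), id.to_string())));
    }
}

fn main() {
    let mut cache = ProcessCache::new(&hardening::install());
    for _ in 0..3 { cache.get_or_fetch("demo", "id-1", || b"constructed".to_vec()); }
    println!("backend fetches: {}", cache.fetches);
}
```
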

Structs§

CacheKey
Cache key. scheme is the URL scheme; keys are intentionally namespaced by scheme so the same URL string handled by two different backends cannot alias.
ProcessCache
In-process moka-backed cache of Arc<SecretString>.

Enums§

CachePolicy
Per-invocation in-process cache policy.