kovra-core — vault, crypto, policy, model, resolver, AgentScope, and the
OS/cloud traits (Provider/Confirmer/Keyring/Biometric).
All policy and invariants (spec §2, §3) live here; the other faces (CLI, wrapper, Web UI, MCP) are thin adapters over this crate.
L1 provides the secret model, the coordinate URI parser, secret-bearing
value types, and AEAD encryption at rest. L2 adds storage on disk: the
partitioned per-secret vault store with atomic writes and a tolerant loader,
the ~/.vaults registry with project→global override, the truncated
fingerprint, the master key behind a Keyring trait, and the rebuildable
redb metadata index (ADR-0001).
L3 adds the invariant-enforcement core (OS-independent half of I1–I16):
AgentScope (I13), the sensitivity decision (policy::decide), the
confirmation broker (Confirmer/Biometric + CliApproveConfirmer, I16),
prod-born-high (I5), and the append-only audit log (§11, I12) — plus the
Clock trait. Every face consumes these decisions; none re-derives them.
Re-exports
- pub use audit::AUDIT_LOG;
- pub use audit::AuditAction;
- pub use audit::AuditEvent;
- pub use audit::AuditQuery;
- pub use audit::AuditSink;
- pub use audit::FileAuditSink;
- pub use audit::MockAuditSink;
- pub use audit::outcome_result;
- pub use audit::query_log;
- pub use audit::read_log;
- pub use audit::render_log;
- pub use clock::Clock;
- pub use clock::MockClock;
- pub use clock::SystemClock;
- pub use confirm::Biometric;
- pub use confirm::CliApproveConfirmer;
- pub use confirm::ConfirmOutcome;
- pub use confirm::ConfirmRequest;
- pub use confirm::Confirmer;
- pub use confirm::MockConfirmer;
- pub use confirm::Untrusted;
- pub use coordinate::Coordinate;
- pub use coordinate::EnvSegment;
- pub use coordinate::KeyHalf;
- pub use coordinate::Scope;
- pub use crypto::KEY_LEN;
- pub use crypto::NONCE_LEN;
- pub use crypto::SealedRecord;
- pub use crypto::open;
- pub use crypto::open_bytes;
- pub use crypto::seal;
- pub use crypto::seal_bytes;
- pub use doctor::Finding;
- pub use doctor::Report;
- pub use doctor::Severity;
- pub use doctor::check as doctor_check;
- pub use env_source::EnvSource;
- pub use env_source::MockEnvSource;
- pub use env_source::SystemEnvSource;
- pub use envrefs::EnvRefs;
- pub use envrefs::Source;
- pub use error::CoreError;
- pub use exchange::BINARY_NAME;
- pub use exchange::INSTALL_SCRIPT;
- pub use exchange::PACKAGE_FILE;
- pub use exchange::RECIPIENT_COORDINATE;
- pub use exchange::RECIPIENT_PUB;
- pub use exchange::UNPACK_SCRIPT;
- pub use exchange::VOLUME_LABEL;
- pub use exchange::mount_point;
- pub use exchange::render_install_script;
- pub use exchange::render_unpack_script;
- pub use exchange::write_bootstrap;
- pub use file_confirm::FileConfirmer;
- pub use file_confirm::PENDING_DIR;
- pub use file_confirm::PendingRequest;
- pub use fingerprint::FINGERPRINT_BYTES;
- pub use fingerprint::fingerprint;
- pub use formatter::DeviceInfo;
- pub use formatter::Formatter;
- pub use formatter::MockFormatter;
- pub use formatter::assert_eraseable_target;
- pub use formatter::eligible_targets;
- pub use formatter::format_removable;
- pub use formatter::wipe_headline;
- pub use hooks::HOOK_MARKER;
- pub use hooks::Scanner;
- pub use hooks::gitleaks_config;
- pub use hooks::hook_script;
- pub use index::INDEX_FILE;
- pub use index::Index;
- pub use index::IndexEntry;
- pub use index::RecordMode;
- pub use intake::INTAKE_DIR;
- pub use intake::IntakeBroker;
- pub use intake::PendingIntake;
- pub use keybackup::BackupKind;
- pub use keybackup::export_backup;
- pub use keybackup::import_backup;
- pub use keypair::EnvSshAgent;
- pub use keypair::GeneratedKeypair;
- pub use keypair::KeyAlgorithm;
- pub use keypair::MockSshAgent;
- pub use keypair::RSA_BITS;
- pub use keypair::SSH_AGENT_RSA_SHA2_256;
- pub use keypair::SSH_AGENT_RSA_SHA2_512;
- pub use keypair::SSH_SIG_NAMESPACE;
- pub use keypair::SshAgent;
- pub use keypair::decrypt;
- pub use keypair::encrypt_to;
- pub use keypair::generate;
- pub use keypair::public_algorithm;
- pub use keypair::public_from_private;
- pub use keypair::public_key_blob;
- pub use keypair::sign;
- pub use keypair::sign_ssh_agent;
- pub use keypair::verify;
- pub use keypair::write_string;
- pub use keyring::Argon2Keyring;
- pub use keyring::Keyring;
- pub use keyring::MasterKey;
- pub use keyring::MockKeyring;
- pub use keyring::OsKeyring;
- pub use package::AccessToken;
- pub use package::PACKAGE_MAGIC;
- pub use package::PACKAGE_SCHEMA_VERSION;
- pub use package::Package;
- pub use package::PackagePayload;
- pub use package::TokenConfirmer;
- pub use package::enforce_no_prod_unattended;
- pub use package::open_attended;
- pub use package::open_unattended;
- pub use package::seal as seal_package;
- pub use package::verify_token;
- pub use policy::AccessRequest;
- pub use policy::Decision;
- pub use policy::DenyReason;
- pub use policy::PROD;
- pub use policy::birth_sensitivity;
- pub use policy::decide;
- pub use policy::delete_requires_confirmation;
- pub use policy::downgrade_requires_confirmation;
- pub use policy::inject_requires_allowlist;
- pub use policy::inject_requires_confirmation;
- pub use policy::is_downgrade;
- pub use policy::prod_blocks_unattended;
- pub use policy::prod_forbids_fallback;
- pub use policy::prod_not_packageable;
- pub use provider::MockProvider;
- pub use provider::SchemeRouter;
- pub use provider::SecretProvider;
- pub use provider::UnsupportedProvider;
- pub use provider::reference_scheme;
- pub use record::SCHEMA_VERSION;
- pub use record::SecretRecord;
- pub use record::Vault;
- pub use registry::Registry;
- pub use registry::Resolution;
- pub use registry::VaultOrigin;
- pub use render::UNTRUSTED_LABEL;
- pub use render::prompt_text;
- pub use resolver::Resolved;
- pub use resolver::ResolvedVar;
- pub use resolver::resolve;
- pub use scaffold::Lang;
- pub use scaffold::Proposal;
- pub use scaffold::coordinate_for;
- pub use scaffold::detect_in_source;
- pub use scaffold::render_env_refs;
- pub use scaffold::scan_repo;
- pub use scope::AgentScope;
- pub use scope::Filter;
- pub use scope::Operation;
- pub use scope::Origin;
- pub use scope::Surface;
- pub use secret::SecretValue;
- pub use sensitivity::Sensitivity;
- pub use store::LoadOutcome;
- pub use store::Quarantined;
- pub use totp::DEFAULT_DIGITS;
- pub use totp::DEFAULT_PERIOD;
- pub use totp::ParsedEnrollment;
- pub use totp::TotpAlgorithm;
- pub use totp::TotpParams;
- pub use totp::code_at;
- pub use totp::decode_base32;
- pub use totp::parse_otpauth;
- pub use totp::parse_seed_input;
- pub use totp::returns_current;
- pub use totp::seconds_remaining;
Modules
- audit
- The audit log (spec §11; invariant I12).
- clock
- Time behind a trait (CLAUDE.md rule 4: the clock is a trait).
- confirm
- The confirmation broker (spec §8, §8.3; invariant I16).
- coordinate
- The secret coordinate URI: a three-segment address (spec §1.2, §4.2).
- crypto
- AEAD encryption at rest (spec §10.1; ADR-0001).
- doctor
- kovra doctor/lint — validate a project’s secret configuration (L12).
- env_source
- The execution environment, behind a trait (spec §4.1 line type 3, ${env:NAME}).
- envrefs
- The .env.refs project contract (spec §4.1/§4.2).
- error
- Error types for kovra-core.
- exchange
- USB offline-exchange kit (KOV-41/42/43, §7.3) — the on-USB file/script contract plus the pure builders that generate it. The OS-touching pieces (formatting the stick, discovering its mount point) live at the CLI edge behind the Formatter trait; everything here is deterministic and unit-tested.
- file_confirm
- File-backed confirmation broker (spec §8) — the cross-process half of the attended-approval flow.
- fingerprint
- Truncated value fingerprint (spec §10.4).
- formatter
- Removable-media formatter (KOV-40, USB offline-exchange epic §7.3) — the destructive piece that wipes a USB stick so kovra can build a bootstrap device (kovra exchange init, KOV-41). The OS lives behind a mockable Formatter trait; the macOS diskutil implementation is [host] (validated on hardware by the human, not by CI — CLAUDE.md rule 4).
- hooks
- Pre-commit secret-scan hook generation (L12, KOV-19).
- index
- Embedded metadata index (ADR-0001 §A.4–6): a redb store treated as a rebuildable cache, never the source of truth.
- intake
- Intake broker (KOV-69a) — the inversion of the approval broker (crate::file_confirm).
- keybackup
- Vault recovery backup & restore (KOV-34, spec §10.2).
- keypair
- Asymmetric keypair custody & operations (KOV-12, extends spec §1.3).
- keyring
- Master-key acquisition behind a mockable trait (spec §10.2, decision §19).
- package
- Encrypted package + access token — offline non-prod secret sharing (L7, KOV-21; spec §7, §17 L7; invariants I4a/I4b/I8/I12).
- policy
- The sensitivity/scope decision — the single funnel every face calls (spec §3, invariants I2/I3/I5/I11/I13/I14).
- provider
- External secret providers for reference secrets (spec §6).
- record
- Secret records and the vault format (spec §1.3, §10.1; ADR-0001).
- registry
- The central vault registry and override resolution (spec §1.1, §10.3).
- render
- I16 prompt rendering — the authoritative dialog text, built only from the core-authored ConfirmRequest (spec §8.3).
- resolver
- The single-pass resolver (spec §4.3).
- scaffold
- kovra scaffold — repo scan → proposed .env.refs (spec §13, L12).
- scope
- AgentScope — the capability that bounds an MCP session (spec §3.2, I13).
- secret
- In-memory secret value: zeroized on drop, never printed.
- sensitivity
- Sensitivity levels governing interactive value delivery (spec §3.1).
- store
- Per-secret sealed-file store: the source of truth (ADR-0001 §A.1–3).
- totp
- TOTP seed custody & RFC-6238 code derivation (KOV-11, extends spec §1.3).