Crate kovra_native_macos

kovra-native-macos — the macOS Touch ID Confirmer (spec §8, §14.1; L8 [host]).

This crate is the native half of the confirmation broker: it renders the core-authored ConfirmRequest in a macOS LocalAuthentication dialog and returns ConfirmOutcome::Approved / ConfirmOutcome::Denied / ConfirmOutcome::TimedOut. It is a third Confirmer implementation beside kovra_core::CliApproveConfirmer and kovra_core::FileConfirmer.

Design constraints (immutable — see CLAUDE.md, spec §2):

  • I16 — the prompt is authoritative from the core. The native dialog only renders what the core put in ConfirmRequest (resolved argv, coordinate, sensitivity, environment, origin). It never fabricates its own prompt, and any requester-supplied free text is shown clearly segregated as untrusted. See render::prompt_text.
  • No self-approve (§8.2). Approval is performed by a human at the Touch ID sensor — a channel outside the model’s process. The agent only triggers the prompt; it cannot satisfy it.
  • Timeout ⇒ deny (§8). Anything that is not an explicit biometric success is a denial. A timeout is reported distinctly for audit but never delivers.
  • No secret value is ever rendered, logged, or returned (I7/I12). Only the coordinate address and the resolved command appear in the dialog.

core does not depend on this crate

Trait injection points into core: native-macos depends on kovra-core, never the reverse (spec §17). The CLI selects a Confirmer at the edge.

Cross-platform

The real LocalAuthentication binding lives under cfg(target_os = "macos"). On every other target the crate compiles to a no-op stub whose Biometric::prompt reports “unavailable” (denies) and whose biometrics_available returns false, so the CLI auto-falls-back to the file broker and the whole workspace builds on Linux CI.

[host] validation

The real Touch ID path (LAContext) is not exercised by automated tests — it requires real hardware and a real human finger. It is validated by a human on an M4 (see the crate’s README / KOV-15 checklist). Automated tests here use a deterministic mock Biometric and assert the OS-independent contract (rendering, timeout⇒deny, no-self-approve, no leak).
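The OS-independent contract described above (timeout ⇒ deny, requester text segregated as untrusted), sketched against a deterministic mock. This is an added example, not code from this crate: every type and function in it, including this `prompt_text`, is a hypothetical stand-in rather than the kovra_core or kovra_native_macos API, and the request values are constructed.

```rust
// Added illustration: stand-in types, NOT the kovra_core / kovra_native_macos API.
use std::time::Duration;

#[derive(Debug, PartialEq, Clone, Copy)]
enum Outcome { Approved, Denied, TimedOut }

/// What a biometric backend may report (hypothetical result set).
#[derive(Debug, Clone, Copy)]
enum BioResult { Success, Failed, Cancelled, Unavailable, NoResponse }

/// Core-authored request; only `requester_note` is untrusted free text.
struct Request<'a> {
    argv: &'a [&'a str],
    coordinate: &'a str, // address only, never the secret value
    requester_note: Option<&'a str>,
}

trait Biometric { fn prompt(&self, text: &str, timeout: Duration) -> BioResult; }

/// Deterministic mock: always reports the configured result.
struct Mock(BioResult);
impl Biometric for Mock { fn prompt(&self, _: &str, _: Duration) -> BioResult { self.0 } }

/// Build the dialog text from request fields; the note goes last, labelled.
fn prompt_text(req: &Request) -> String {
    let mut s = format!("Command: {}\nCoordinate: {}", req.argv.join(" "), req.coordinate);
    if let Some(note) = req.requester_note {
        // Flatten control characters so the note cannot forge extra dialog lines.
        let clean: String = note.chars().map(|c| if c.is_control() { ' ' } else { c }).collect();
        s.push_str("\n--- UNTRUSTED requester text ---\n");
        s.push_str(&clean);
    }
    s
}

/// Fail closed: only explicit success approves; a timeout is reported distinctly.
fn confirm(bio: &dyn Biometric, req: &Request) -> Outcome {
    match bio.prompt(&prompt_text(req), Duration::from_secs(30)) {
        BioResult::Success => Outcome::Approved,
        BioResult::NoResponse => Outcome::TimedOut,
        _ => Outcome::Denied,
    }
}

/// Delivery gate: TimedOut is kept distinct for audit but never delivers.
fn delivers(outcome: Outcome) -> bool { outcome == Outcome::Approved }

fn main() {
    // Constructed sample request; the coordinate is a made-up address.
    let req = Request { argv: &["deploy", "--env", "prod"], coordinate: "prod/db/password", requester_note: None };
    println!("{:?}", confirm(&Mock(BioResult::NoResponse), &req));
}
```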

Re-exports

pub use formatter::DiskutilFormatter;

Modules

formatter
macOS removable-media Formatter (KOV-40, [host]). Shells out to diskutil to probe and erase a USB device. This is the native half — the security-load-bearing safety rails and the broker gate live in kovra_core::format_removable; this crate only reports what the OS sees and performs the erase once the core has authorized it.
render
I16 prompt rendering — the authoritative dialog text, built only from the core-authored ConfirmRequest (spec §8.3).

Structs

BiometricConfirmer
A Confirmer that resolves a request through an attended biometric prompt.
NativeBiometric
The native Biometric for this host.

Functions

biometrics_available
Whether an attended biometric prompt can actually be shown on this host right now: macOS with biometrics present and enrolled. On non-macOS, or when no hardware is present / the user is not enrolled, this is false and the caller should fall back to kovra_core::FileConfirmer.