Observe the requesting process — the parent that launched this kovra
process — to populate kovra_core::ConfirmRequest::requesting_process (I16,
§8.3).

This is a trusted, observed fact: the parent pid comes from the kernel
(getppid), and the executable name is read from the OS by pid. It is never
sourced from untrusted requester input, so it cannot be spoofed by the agent
whose request triggered the prompt. The human approving at the Touch ID /
file-broker prompt therefore sees who is really asking (e.g.
node (pid 1234)) rather than always “kovra”.

Why this lives in the wrapper (not core): observing a process is OS work, and
core must stay free of process-observation logic (CLAUDE.md rule 4). Both
the CLI (kovra show, private-key ops) and the wrapper (kovra run) call
observe_parent; the CLI depends on kovra-wrapper, so it reuses this
helper rather than duplicating it.

Degradation: if the name cannot be read, we fall back to pid <N>. We never
include anything but a process identity (executable name/path + pid) — no
arguments, no environment — so this can never leak a secret value (I7/I12).
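
The behaviour described above, sketched as an added example (this is not kovra's own code): the pid comes from the kernel, the name is read from the OS by pid, and the result degrades to the pid alone. The names format_identity, exe_path_for and observe_parent_sketch and the Linux-only /proc/<pid>/exe lookup are assumptions, and the control-character filter is extra hardening the page does not describe.

```rust
use std::fs;
use std::os::unix::process::parent_id;
use std::path::{Path, PathBuf};

/// Build the string shown to the approver from an executable path and a pid.
/// Only the file name and the pid are used: no argv, no environment.
fn format_identity(exe: Option<&Path>, pid: u32) -> String {
    let name = exe
        .and_then(|p| p.file_name())
        .map(|n| n.to_string_lossy().into_owned())
        // Added hardening (not from the page): drop control characters so a
        // crafted file name cannot inject newlines into the prompt text.
        .map(|n| n.chars().filter(|c| !c.is_control()).collect::<String>())
        .filter(|n| !n.is_empty());
    match name {
        Some(n) => format!("{} (pid {})", n, pid),
        // Degradation path: the name could not be read, so show the pid alone.
        None => format!("pid {}", pid),
    }
}

/// Assumption: Linux, where /proc/<pid>/exe is a kernel-maintained symlink to
/// the running executable. Other platforms need their own lookup by pid.
fn exe_path_for(pid: u32) -> Option<PathBuf> {
    fs::read_link(format!("/proc/{}/exe", pid)).ok()
}

/// Hypothetical stand-in for observe_parent: every input comes from the OS.
fn observe_parent_sketch() -> String {
    let ppid = parent_id(); // wraps getppid(2); not controllable by the requester
    format_identity(exe_path_for(ppid).as_deref(), ppid)
}

fn main() {
    println!("{}", observe_parent_sketch());
}
```
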
Functions
- observe_parent - A human-readable identity for the parent process of the current process.