kovra-wrapper — the kovra run engine (spec §5, invariants I7/I15/I16).
A thin face over kovra-core: it resolves an .env.refs (L4), applies the
core policy decision for injection (I3/I15), enforces the executor
allowlist (I15) and the attended confirmation (I3) for high/prod
values, injects the resolved values into a child process without ever
touching disk (I7), and optionally masks injected values in the child’s
output (§5.1 margin defense — a net, never a boundary).
All policy lives in core; this crate orchestrates and launches. OS-facing
work (spawning the child) is behind the ProcessRunner trait so the whole
pipeline is tested with deterministic mocks. The kovra CLI (L7) wires this
engine to the run subcommand.
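The pipeline described above (allowlist check, injection through the child's environment only, output masking), sketched as an added example that is not kovra's code. It uses only the Rust standard library; `run_masked`, `is_allowed`, `mask_values`, `REDACTED` and the sample secret are hypothetical names and constructed values, and reference resolution and the attended confirmation are left out.

```rust
use std::collections::BTreeMap;
use std::io;
use std::process::Command;

// Hypothetical marker; the crate's own MASK value is not shown on this page.
const REDACTED: &str = "[masked]";

/// Replace every occurrence of an injected value in `text`.
/// Longest values go first so a value that is a prefix of another
/// does not leave a readable tail behind.
fn mask_values(text: &str, secrets: &BTreeMap<String, String>) -> String {
    let mut vals: Vec<&str> = secrets
        .values()
        .map(String::as_str)
        .filter(|v| !v.is_empty()) // replacing "" would corrupt the output
        .collect();
    vals.sort_by(|a, b| b.len().cmp(&a.len()));
    let mut out = text.to_string();
    for v in vals {
        out = out.replace(v, REDACTED);
    }
    out
}

/// Exact match on the executable path: no basename or PATH fallback.
fn is_allowed(program: &str, allowlist: &[&str]) -> bool {
    allowlist.iter().any(|a| *a == program)
}

/// Refuse before spawning if the executor is not allowlisted; otherwise hand
/// the values to the child through its environment only (nothing is written
/// to disk) and mask them in the captured stdout.
fn run_masked(program: &str, args: &[&str], secrets: &BTreeMap<String, String>,
              allowlist: &[&str]) -> io::Result<String> {
    if !is_allowed(program, allowlist) {
        // The error names no secret value.
        return Err(io::Error::new(io::ErrorKind::PermissionDenied, "executor not allowlisted"));
    }
    let out = Command::new(program).args(args).envs(secrets).output()?;
    Ok(mask_values(&String::from_utf8_lossy(&out.stdout), secrets))
}

fn main() -> io::Result<()> {
    let mut secrets = BTreeMap::new();
    secrets.insert("DB_PASSWORD".to_string(), "s3cr3t-constructed".to_string());
    let shown = run_masked("/bin/sh", &["-c", "echo pw=$DB_PASSWORD"], &secrets, &["/bin/sh"])?;
    println!("{}", shown.trim_end()); // the child saw the value; the caller sees the mask
    Ok(())
}
```

A child that encodes or splits the value before printing it passes through this filter unmasked, which is why the description calls masking a net and not a boundary.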
Re-exports
pub use allowlist::Allowlist;
pub use caller::observe_parent;
pub use error::WrapperError;
pub use runner::Command;
pub use runner::MockRunner;
pub use runner::Output;
pub use runner::ProcessRunner;
pub use runner::RecordedRun;
pub use runner::SystemRunner;
pub use sanitize::MASK;
pub use sanitize::mask_secrets;
pub use wrapper::Wrapper;
Modules
- allowlist: The executor allowlist (spec §5.1, invariant I15).
- caller: Observe the requesting process — the parent that launched this kovra process — to populate kovra_core::ConfirmRequest::requesting_process (I16, §8.3).
- error: Wrapper errors. No variant ever carries a secret value (I12).
- runner: The process runner — the seam that actually launches the child (or mocks it).
- sanitize: Output sanitization — the margin defense of §5.1.
- wrapper: The Wrapper (spec §5) — kovra run’s engine.