The Wrapper (spec §5) — `kovra run`’s engine.
Ties the layers together for a single launch:
- Resolve the `.env.refs` (L4) into concrete values — the resolver does not confirm or gate; that is this module’s job.
- Compute the two independent injection gates (KOV-25): the allowlist set (I15 — `high` or `prod`, via `kovra_core::inject_requires_allowlist`) and the confirm set (I3 — `high` only, via `kovra_core::inject_requires_confirmation`, orthogonal to environment).
- If any var is allowlist-gated, enforce the executor allowlist (I15): the resolved program must be a reviewed, allowlisted executable, else injection is refused before anything launches.
- If any var is confirm-gated (`high`), confirm through the broker (I3) with an authoritative `ConfirmRequest` whose `resolved_command` is the exact `argv` (I16). Denied / timed-out ⇒ refuse; the child never launches. A deliberately-downgraded `prod` secret is allowlist-gated but not confirm-gated — it injects without a prompt (KOV-25).
- Inject the resolved values into the child process environment and launch it. Nothing is written to disk (I7).
- Optionally mask injected vault-backed secret values in the child’s output (§5.1 margin defense — a net, never a boundary; plain literals and `${env:}` passthrough are not masked).
`inject-only` is not gated for confirmation: injection is its only
delivery, and it is not `high`. dev/test throwaway (`low`/`medium`, non-prod)
values inject freely with no allowlist and no prompt (§5.1).
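
The two gates and the refuse-before-launch ordering described above can be modelled in a few lines. This is an added example, not code from kovra: the types `Sensitivity`, `Env`, `Confirm`, `Decision`, `Var` and the functions `needs_allowlist`, `needs_confirm`, `decide` are hypothetical stand-ins, and the real signatures of `kovra_core::inject_requires_allowlist` and `kovra_core::inject_requires_confirmation` are not shown on this page.

```rust
// Added illustration: a self-contained model of the two injection gates.
// Every name here is a hypothetical stand-in, not kovra_core's real API.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Sensitivity { Low, Medium, High }
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Env { Dev, Test, Prod }
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Confirm { Approved, Denied, TimedOut }
#[derive(PartialEq, Debug)]
pub enum Decision { Launch { prompted: bool }, RefusedNotAllowlisted, RefusedNotConfirmed }

pub struct Var { pub sensitivity: Sensitivity, pub env: Env }

// Allowlist gate (I15): `high` or `prod`.
pub fn needs_allowlist(v: &Var) -> bool {
    v.sensitivity == Sensitivity::High || v.env == Env::Prod
}

// Confirm gate (I3): `high` only, whatever the environment.
pub fn needs_confirm(v: &Var) -> bool {
    v.sensitivity == Sensitivity::High
}

// `confirm` stands in for the broker round trip. It is called only when some
// var is confirm-gated, and only after the allowlist gate has passed.
pub fn decide(vars: &[Var], program_allowlisted: bool,
              confirm: impl FnOnce() -> Confirm) -> Decision {
    if vars.iter().any(needs_allowlist) && !program_allowlisted {
        return Decision::RefusedNotAllowlisted; // refused before anything launches
    }
    let prompted = vars.iter().any(needs_confirm);
    if prompted && confirm() != Confirm::Approved {
        return Decision::RefusedNotConfirmed; // denied or timed out: no child
    }
    Decision::Launch { prompted }
}

fn main() {
    // Constructed sample inputs.
    let downgraded_prod = [Var { sensitivity: Sensitivity::Medium, env: Env::Prod }];
    let high_dev = [Var { sensitivity: Sensitivity::High, env: Env::Dev }];
    // Downgraded prod: allowlist-gated, never prompts, so the closure is unused.
    println!("{:?}", decide(&downgraded_prod, true, || Confirm::Denied));
    // High in dev: confirm-gated regardless of environment; a timeout refuses.
    println!("{:?}", decide(&high_dev, true, || Confirm::TimedOut));
}
```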
Structs
- `Wrapper`: The Wrapper bundles the core dependencies (all behind traits, so the whole thing is mock-testable) and the launch policy knobs.