Skip to main content

tsafe_core/
lib.rs

1//! Core runtime for tsafe.
2//!
3//! `tsafe-core` owns encrypted vault storage, authority contracts, audit
4//! records, deny reasons, and Agent Authority Firewall data types. It is the
5//! shared layer used by safe command execution (`tsafe exec`) and by bound MCP
6//! server instances that run through a fixed profile, contract, and workdir.
7//!
8//! Current Agent Authority Firewall support is deliberately local and
9//! contract-first:
10//!
11//! - [`contracts`] parses named authority contracts, trust posture, allowed
12//!   targets, and no-secret diagnostic contract shapes.
13//! - [`authority`] defines model-safe decisions, refusal payloads, metadata,
14//!   and receipts for bound MCP command authority.
15//! - [`deny_reason`] carries stable denial categories for execution and
16//!   diagnostic surfaces.
17//!
18//! This crate does not expose an MCP server. Use `tsafe-cli` or `tsafe-mcp`
19//! when you need the `tsafe mcp serve --profile <profile> --contract <contract>
20//! --workdir <repo>` normal form.
21//!
22//! ## Algol-merged surface (Phase 1)
23//!
24//! Two algol-derived modules live alongside the existing surface:
25//!
26//! - [`attest_contract`] — per-run env-injection contract (`AttestContract`),
27//!   distinct from [`contracts::AuthorityContract`] (vault-policy semantics);
28//!   the two have zero field overlap and represent different abstractions.
29//! - [`run_evidence`] — typed-evidence artifact for an attested command run,
30//!   including parent-vs-child env diff with per-var SHA-256 hashes.
31//!
32//! See `ecosystem-catalog/docs/adr/draft-algol-into-tsafe-merge.md` for the
33//! merge rationale; modules carry full provenance + relicense notes at the
34//! top of each file.
35
36pub mod age_crypto;
37pub mod agent;
38pub mod attest_contract;
39pub mod audit;
40pub mod audit_explain;
41pub mod authority;
42pub mod baseline_contracts;
43pub mod compliance_narrative;
44pub mod contracts;
45pub mod crypto;
46pub mod deny_reason;
47pub mod env;
48pub mod errors;
49pub mod events;
50pub mod gen;
51pub mod health;
52pub mod keyring_store;
53pub mod lifecycle;
54pub mod migrate;
55pub mod namespace_bulk;
56pub mod profile;
57pub mod pullconfig;
58pub mod pushconfig;
59pub mod rbac;
60pub mod run_evidence;
61pub mod sign;
62pub mod snapshot;
63pub mod sync;
64pub mod team;
65pub mod tooling_inventory;
66pub mod totp;
67pub mod update;
68pub mod vault;