//! ops-exec — the trusted executor.
//!
//! One crate owns *running a typed step on a host* and *observing a host*,
//! across the tailnet, with a capability/trust model built in. It is the
//! primitive under the internal ops suite — **Sando** (server promotion),
//! **Bento** (app release), and **ops-agent** (the on-host half).
//!
//! ## Trust root (load-bearing)
//!
//! SSH keys + Tailscale/Headscale are the *only* trust roots. There is no PKI,
//! no token service, no secrets manager. Identity comes from the tailnet node
//! (`ops-agent` resolves a caller via the local Tailscale LocalAPI `whois`) and
//! from SSH keys (the [`SshExec`] transport authenticates exactly as today).
//! `ops-exec` only *maps* that identity to capabilities.
//!
//! ## Shape
//!
//! - [`Executor`] — the trait, scoped to one `(host, CapabilitySet)`.
//! - [`LocalExec`] / [`SshExec`] — the transports (this crate);
//!   `AgentRpc` (the `rpc` feature) talks to a remote [`ops-agent`](self).
//! - [`Step`] / [`Action`] — the typed step vocabulary the capability check
//!   gates on.
//! - [`CapabilitySet`] — the grant, enforced *twice* (caller-side here, and
//!   agent-side via [`CapabilitySet::intersect`]).
//! - [`remote`] — the low-level streaming command primitive ([`RemoteHost`])
//!   and the [`LogSink`] sink trait, re-exported by `ops-core`.

pub mod capability;
pub mod executor;
pub mod remote;
pub mod step;
pub mod transport;

#[cfg(any(feature = "rpc", feature = "agent"))]
pub mod wire;

#[cfg(feature = "rpc")]
pub mod rpc;

#[cfg(feature = "agent")]
pub mod agent;

pub use capability::{CapabilityDenied, CapabilitySet};
pub use executor::{EventStream, Executor, ObserveEvent, SyncOpts};
pub use remote::{LogSink, RemoteHost, RunOutput, SSH_FLAGS, sh_quote};
pub use step::{Action, ObserveKind, Step};
pub use transport::{LocalExec, SshExec};

#[cfg(feature = "rpc")]
pub use rpc::AgentRpc;