```rust
//! ops-exec — the trusted executor.
//!
//! One crate owns *running a typed step on a host* and *observing a host*,
//! across the tailnet, with a capability/trust model built in. It is the
//! primitive under the internal ops suite — **Sando** (server promotion),
//! **Bento** (app release), and **ops-agent** (the on-host half).
//!
//! ## Trust root (load-bearing)
//!
//! SSH keys + Tailscale/Headscale are the *only* trust roots. There is no PKI,
//! no token service, no secrets manager. Identity comes from the tailnet node
//! (`ops-agent` resolves a caller via the local Tailscale LocalAPI `whois`) and
//! from SSH keys (the [`SshExec`] transport authenticates exactly as today).
//! `ops-exec` only *maps* that identity to capabilities.
//!
//! ## Shape
//!
//! - [`Executor`] — the trait, scoped to one `(host, CapabilitySet)`.
//! - [`LocalExec`] / [`SshExec`] — the transports (this crate);
//!   `AgentRpc` (the `rpc` feature) talks to a remote [`ops-agent`](self).
//! - [`Step`] / [`Action`] — the typed step vocabulary the capability check
//!   gates on.
//! - [`CapabilitySet`] — the grant, enforced *twice* (caller-side here, and
//!   agent-side via [`CapabilitySet::intersect`]).
//! - [`remote`] — the low-level streaming command primitive ([`RemoteHost`])
//!   and the [`LogSink`] sink trait, re-exported by `ops-core`.

pub use ;
pub use ;
pub use ;
pub use ;
pub use ;

pub use AgentRpc;
```
| 51 |