fusefs

package
v0.13.0 Latest
Warning

This package is not in the latest version of its module.

Published: Mar 25, 2026 License: MIT Imports: 12 Imported by: 0

Documentation


Constants

This section is empty.

Variables

This section is empty.

Functions

func IsEnvFile

func IsEnvFile(name string) bool

IsEnvFile returns true if the filename matches .env patterns: .env, .env.local, .env.production, .env.*, etc.

func NewSecRoot

func NewSecRoot(rootPath string, safeMode bool) (fs.InodeEmbedder, error)

NewSecRoot creates a new SecNode-based loopback root for the given directory.

func RedactEnv

func RedactEnv(content []byte) []byte

RedactEnv takes the raw content of an env-style KEY=VALUE file and returns a copy with secret values replaced by "***". Comments and blank lines are preserved. Safe keys and safe values are kept as-is.
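A stand-alone sketch of the line-by-line redaction described for RedactEnv, added here as an example; it is not the package's own code. The names redactEnvSketch, safeKeys and safeValue, the allow-list contents, the single-line-value assumption and the choice to mask unparseable lines whole are all assumptions, since the page does not define "safe keys" or "safe values".

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"strings"
)

// Assumed allow-list: the page does not say which keys fusefs treats as safe.
var safeKeys = map[string]bool{"NODE_ENV": true, "PORT": true, "LOG_LEVEL": true}

// envLine splits a line into prefix (optional "export"), key, separator, value.
var envLine = regexp.MustCompile(`^(\s*(?:export\s+)?)([A-Za-z_][A-Za-z0-9_.]*)(\s*=\s*)(.*)$`)

// safeValue is an assumed rule: empty values and booleans carry no secret.
func safeValue(v string) bool {
	switch strings.ToLower(strings.Trim(strings.TrimSpace(v), `"'`)) {
	case "", "true", "false":
		return true
	}
	return false
}

// redactEnvSketch masks values that are not allow-listed while keeping comments,
// blank lines, key names and line order. It assumes single-line values only.
func redactEnvSketch(content []byte) []byte {
	lines := bytes.Split(content, []byte("\n"))
	for i, raw := range lines {
		line := string(raw)
		if t := strings.TrimSpace(line); t == "" || strings.HasPrefix(t, "#") {
			continue // comment or blank line: preserved verbatim
		}
		m := envLine.FindStringSubmatch(line)
		switch {
		case m == nil:
			lines[i] = []byte("***") // unparseable line: fail closed, mask it whole
		case safeKeys[m[2]] || safeValue(m[4]):
			// allow-listed key or harmless value: kept as-is
		default:
			lines[i] = []byte(m[1] + m[2] + m[3] + "***")
		}
	}
	return bytes.Join(lines, []byte("\n"))
}

func main() {
	// Constructed sample input, not taken from the package.
	sample := "# app config\nNODE_ENV=production\n\nexport API_KEY=sk-constructed-123\nDEBUG=false\n-----BEGIN KEY-----\n"
	fmt.Print(string(redactEnvSketch([]byte(sample))))
}
```

Because key names and line count survive, a reader of the redacted file can still see which settings exist without seeing their values.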

Types

type FileKind

type FileKind int

FileKind classifies a file for the FUSE security filter.

const (
	FileKindNone   FileKind = iota // Not a sensitive file — passthrough.
	FileKindEnv                    // KEY=VALUE file (.env, .npmrc, .pypirc) — line-by-line redaction.
	FileKindJSON                   // JSON file (credentials.json, secrets.json) — JSON-aware redaction.
	FileKindYAML                   // YAML file (secrets.yaml) — YAML-aware redaction.
	FileKindOpaque                 // Binary/opaque (*.pem, *.key, *.p12, *.pfx) — always empty.
)

func IsSensitiveFile

func IsSensitiveFile(name string) FileKind

IsSensitiveFile classifies a filename by its sensitivity.

type MountHandle

type MountHandle struct {
	// contains filtered or unexported fields
}

MountHandle holds a running FUSE mount and allows unmounting.

func Mount

func Mount(sourceDir, mountPoint string, safeMode bool, logger zerolog.Logger) (*MountHandle, error)

Mount creates a FUSE passthrough filesystem at mountPoint that mirrors sourceDir. Sensitive files are redacted or served empty depending on safeMode. When safeMode is true, all sensitive files return empty content (maximum paranoia). When safeMode is false, sensitive files are redacted with structure preserved.

func (*MountHandle) Tier

func (h *MountHandle) Tier() string

Tier returns a human-readable description of the I/O strategy in use.

func (*MountHandle) Unmount

func (h *MountHandle) Unmount() error

Unmount stops the FUSE server and removes the mountpoint directory.

type SecNode

type SecNode struct {
	*fs.LoopbackNode
	// contains filtered or unexported fields
}

SecNode is a FUSE inode that mirrors a real file or directory. For non-sensitive files, it delegates to LoopbackNode (passthrough). For sensitive files, it serves empty or redacted content and blocks writes.

func (*SecNode) Getattr

func (n *SecNode) Getattr(ctx context.Context, f fs.FileHandle, out *fuse.AttrOut) syscall.Errno

Getattr for sensitive files reports the redacted (or zero) size.

func (*SecNode) Open

func (n *SecNode) Open(ctx context.Context, flags uint32) (fs.FileHandle, uint32, syscall.Errno)

Open intercepts sensitive files and returns a protected handle. All other files delegate to LoopbackNode.Open for passthrough I/O.

func (*SecNode) WrapChild

func (n *SecNode) WrapChild(_ context.Context, ops fs.InodeEmbedder) fs.InodeEmbedder

WrapChild ensures every child inode created by Lookup/Create is a SecNode.
