passthrough

Documentation

Overview

Package passthrough is the thin pass-through used to wrap any sub-CLI (aws, gh, kubectl, docker, tailscale, plus every package manager) as a

Index

• func Command(bin string, r *shell.Runner, w *audit.Writer, opts ...Option) *cli.Command
• type Option
  • func WithArgvRewriter(fn func(argv []string) []string) Option
  • func WithEgress(allowlist []string, mode egress.Mode) Option
  • func WithReadCache(classifier ReadCacheClassifier) Option
  • func WithScopeArgvHint(fn func(argv []string) string) Option
  • func WithSecretResolver(r mcporter.SecretResolver) Option
  • func WithSkipPolicy() Option
  • func WithVerbName(name string) Option
• type ReadCacheClassifier

Functions

func Command

func Command(bin string, r *shell.Runner, w *audit.Writer, opts ...Option) *cli.Command

Command returns the *cli.Command for `coily <bin>`. Every argument after the binary name is forwarded verbatim through the pass-through

Types

type Option

type Option func(*config)

Option configures a pass-through Command. Use the With* helpers below rather than setting fields directly.

func WithArgvRewriter

func WithArgvRewriter(fn func(argv []string) []string) Option

WithArgvRewriter installs a hook that may rewrite the argv passed to the underlying binary before exec. The original argv is still recorded in the

func WithEgress

func WithEgress(allowlist []string, mode egress.Mode) Option

WithEgress wires the per-invocation HTTP CONNECT proxy. The child runs with HTTPS_PROXY/HTTP_PROXY pointed at 127.0.0.1:NNNNN for the lifetime

func WithReadCache

func WithReadCache(classifier ReadCacheClassifier) Option

WithReadCache wires the pass-through into ghcache so reads matching the supplied classifier are served from cache without exec, and

func WithScopeArgvHint

func WithScopeArgvHint(fn func(argv []string) string) Option

WithScopeArgvHint installs a fallback --commit-scope resolver that runs only when the operator did not set --commit-scope (or COILY_COMMIT_SCOPE)

func WithSecretResolver

func WithSecretResolver(r mcporter.SecretResolver) Option

WithSecretResolver installs a mcporter-shaped pre-exec preflight: scan the mcporter config file for `${VAR}` references, resolve each via r,

func WithSkipPolicy

func WithSkipPolicy() Option

WithSkipPolicy disables the shell-metacharacter check for this binary. Use only for tools whose argv goes through execve straight to the

func WithVerbName

func WithVerbName(name string) Option

WithVerbName overrides the dotted verb name used for audit logging. The user-visible cli command name (and the binary actually executed)

type ReadCacheClassifier

type ReadCacheClassifier func(argv []string) (path string, maxAge time.Duration, ok bool)

ReadCacheClassifier inspects the post-WithArgvRewriter argv and returns the gh-api-style path the call would read, a per-call max-age