feat(WARDEN-WP-0014): T4 — key-cape login orchestration lane

Adds a lane: secret|login field to RouteEntry. The login lane is an interactive auth bootstrap: it skips the caller-auth precheck (no token yet — that's the point) and the secret-read gate (it establishes the identity the gate needs), runs the owner's login command interactively as the caller via inherited stdio, and rejects --exec. The token stays in the caller's own store; warden never captures it (G2 holds). Audited as action: login. key-cape-oidc-login populated as the reference login entry. Advisory proxy hint updated now that T3 has shipped. 172 passed, lint clean. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-27 17:31:55 +02:00
parent 1a02ec6753
commit 1c3d1b4d52
6 changed files with 136 additions and 32 deletions
--- a/src/warden/routing/models.py
+++ b/src/warden/routing/models.py
@@ -36,6 +36,13 @@ class RouteEntry:
    fetch_command: Optional[str] = None      # command skeleton run *as the caller*
    exec_capable: bool = False               # may `warden access --fetch/--exec` proxy it
    policy_ref: Optional[str] = None         # flex-auth check the fetch path runs first
+    # Proxy lane semantics (WP-0014 T4):
+    #   "secret" — read a value (gated by flex-auth secret-read; caller must already
+    #              be authenticated; value transits via inherit-stdout or child env).
+    #   "login"  — interactive auth bootstrap (OIDC/MFA). No secret-read gate (you have
+    #              no identity yet), no caller-auth precheck (the point is to get one),
+    #              run interactively as the caller; warden never captures the token.
+    lane: str = "secret"

    @property
    def is_active(self) -> bool: