generated from coulomb/repo-seed
feat(WARDEN-WP-0014): T1 — structured handoff fields in routing catalog
Adds optional assist-layer fields (auth_method, path_template, fetch_command, exec_capable, policy_ref) to RouteEntry, parsed and secret-screened in catalog.py. Handoff fields are templates/pointers only — _assert_no_secret_material rejects known token prefixes and high-entropy runs, and exec_capable requires a fetch_command. The openbao-api-key entry is populated as the reference example (covers the coulomb_social npm shape).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@@ -50,14 +50,22 @@ entries:
- id: openbao-api-key
title: API key, DB credential, or dynamic lease
need_keywords: [api, key, secret, database, db, password, token, lease, openbao, vault, kv, dynamic, credential]
need_keywords: [api, key, secret, database, db, password, token, lease, openbao, vault, kv, dynamic, credential, npm, npm_auth_token, registry]
owner_repo: railiance-platform
subsystem: OpenBao
warden_executes: false
wiki_ref: wiki/CredentialRouting.md#routing-table
canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
reviewed: "2026-06-18"
reviewed: "2026-06-27"
status: active
# Structured handoff (WP-0014) — reference example. Templates only, no values.
# ops-warden does not own this secret; it advises and (exec_capable) proxies the
# fetch *as the caller* via `warden access`, never holding or persisting the value.
auth_method: "key-cape OIDC → bao login -method=oidc role=<domain>"
path_template: "platform/workloads/<domain>/<workload>/<bundle>"
fetch_command: "bao kv get -field=<FIELD> <path_template>"
policy_ref: "flex-auth check secret.read:<domain>"
exec_capable: true
- id: flex-auth-policy-check
title: Authorization decision — may this actor perform this action
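Review bot: policy_ref is scoped more coarsely than the path it gates. `policy_ref: "flex-auth check secret.read:<domain>"` only asks whether the caller may read secrets in `<domain>`, while `path_template: "platform/workloads/<domain>/<workload>/<bundle>"` and the fetch_command resolve to a single workload and bundle; if `warden access` uses policy_ref as its pre-flight check before proxying the fetch, a caller authorized for one workload's bundle passes the same check for every workload in that domain. Either carry `<workload>` (and ideally `<bundle>`) into the check expression, or state in the comment block that policy_ref is advisory and the authoritative decision is the OpenBao policy bound to the OIDC role named in auth_method. Two smaller points on the same hunk: `warden_executes: false` now sits a few lines above `exec_capable: true`, and nothing in the entry says how the two differ (one reading: warden never runs the fetch itself; the other: it proxies the fetch as the caller), so a sentence in the comment block distinguishing them would save the next reader a trip to wiki_ref. And the placeholder convention is mixed: `<domain>`, `<workload>`, `<bundle>` are lowercase caller-supplied values, `<FIELD>` is uppercase, and `<path_template>` inside fetch_command refers to a sibling catalog field rather than a caller value; if the parser in catalog.py resolves these differently, document which tokens are filled from the entry and which the caller must supply.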