generated from coulomb/repo-seed
feat(WARDEN-WP-0014): T1 — structured handoff fields in routing catalog
Adds optional assist-layer fields (auth_method, path_template, fetch_command, exec_capable, policy_ref) to RouteEntry, parsed and secret-screened in catalog.py. Handoff fields are templates/pointers only — _assert_no_secret_material rejects known token prefixes and high-entropy runs, and exec_capable requires a fetch_command. The openbao-api-key entry is populated as the reference example (covers the coulomb_social npm shape). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -87,19 +87,23 @@ an interactive tool and lower risk to defer.
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0014-T01
|
||||
status: progress
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "abb0e722-6524-4224-8638-6ee1573ed3e0"
|
||||
```
|
||||
|
||||
- [ ] Extend `registry/routing/catalog.yaml` entry schema with optional structured
|
||||
- [x] Extend `registry/routing/catalog.yaml` entry schema with optional structured
|
||||
handoff fields for non-SSH lanes: `auth_method`, `path_template`,
|
||||
`fetch_command`, `exec_capable` (bool), `policy_ref`.
|
||||
- [ ] Fields are **generated/structured pointers**, not prose restatements — each links
|
||||
to the owner's canon (`canon_ref`) for the authoritative procedure (no drift).
|
||||
- [ ] Populate for `openbao-api-key` (and the coulomb_social npm shape from this thread)
|
||||
as the reference example; leave `draft` entries `draft`.
|
||||
- [ ] Validation: schema check rejects a `fetch_command` that embeds a literal value.
|
||||
`fetch_command`, `exec_capable` (bool), `policy_ref`. (`RouteEntry` +
|
||||
`_parse_entry`; `has_handoff` helper.)
|
||||
- [x] Fields are **structured pointers/templates**, not prose restatements — each
|
||||
sits alongside the owner's `canon_ref` for the authoritative procedure (no drift).
|
||||
- [x] Populate for `openbao-api-key` (covers the coulomb_social npm shape: keyword
|
||||
`npm_auth_token` added) as the reference example; `draft` entries untouched.
|
||||
- [x] Validation: `_assert_no_secret_material` rejects known token prefixes and
|
||||
high-entropy runs in any handoff field; `exec_capable` requires `fetch_command`.
|
||||
Tests in `tests/test_routing.py` (handoff parse, real-catalog, secret-leak
|
||||
matrix, placeholder-accepted).
|
||||
|
||||
### T2 — `warden access` advisory surface
|
||||
|
||||
|
||||
Reference in New Issue
Block a user