generated from coulomb/repo-seed
feat(WARDEN-WP-0019): route secret-exec lanes to secrets-engine (route-primary, proxy fallback)
secrets-engine (SECRETS-WP-0003) shipped a native secret-exec front door (`secrets-engine route/exec`, decision e6381a56) and asked ops-warden to route to it. Bernd's call: route-primary, proxy-fallback — surface the secrets-engine exec as the primary path for owned lanes, keep `warden access --exec` as a transparent fallback. T1 — RouteEntry gains exec_owner/exec_command/pointer_command (+ has_native_exec), screened for secret material like the other handoff fields. whynot-design-npm-publish points its native exec at secrets-engine. `warden access` renders Primary (secrets-engine exec) + Fallback (warden proxy); route/access JSON gain the fields and a native-exec-aware next_action. Tests added; 217 pass, lint clean. T2 — credential-routing.md adds secrets-engine as the secret-exec owner (route primary, proxy fallback); SCOPE adds secrets-engine to Related Repos and records the npm lane as production-exercised (@whynot/design@0.4.0); playbook leads with secrets-engine exec and fixes the fallback one-liner (--field NPM_AUTH_TOKEN, --no-policy) per whynot-design. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -40,12 +40,17 @@ Requires the `warden` CLI from `~/ops-warden` (`uv tool install .` or `uv run wa
|
||||
| I need… | Owner | ops-warden role |
|
||||
| --- | --- | --- |
|
||||
| SSH cert (`adm`/`agt`/`atm`) | ops-warden | **Issue** — `warden sign` |
|
||||
| API key, DB password, provider token | OpenBao (`railiance-platform`) | **Assist** — `warden access <need> --fetch/--exec` proxies as you; OpenBao keeps custody |
|
||||
| Provisioned secret-exec lane (e.g. npm publish) | **secrets-engine** | **Route** — primary is `secrets-engine exec --catalog <id> -- <cmd>`; `warden access <id> --exec` is the transparent fallback |
|
||||
| Generic API key / DB password / provider token | OpenBao (`railiance-platform`) | **Assist** — `warden access <need> --fetch/--exec` proxies as you; OpenBao keeps custody |
|
||||
| Login / OIDC / MFA | key-cape / Keycloak | **Assist** — `warden access <need> --fetch` runs the login as you |
|
||||
| Authorization decision | flex-auth | Route only |
|
||||
| activity-core → issue-core emission | activity-core + issue-core | Route — `warden route show activity-core-issue-sink` |
|
||||
| SSH tunnel | ops-bridge (+ `cert_command` from warden) | Route only |
|
||||
|
||||
For an owned lane, `warden route find <need> --json` / `warden access <id>` surface
|
||||
`exec_owner`, the `secrets-engine exec` command, and the `resolvable` flag. Run the
|
||||
secrets-engine command; ops-warden routes to it and requests/holds no token.
|
||||
|
||||
### Anti-patterns (do not do these)
|
||||
|
||||
- `POST /messages/` to `ops-warden` asking for `ISSUE_CORE_API_KEY`, `OPENROUTER_API_KEY`, etc.
|
||||
|
||||
Reference in New Issue
Block a user