feat(WARDEN-WP-0019): route secret-exec lanes to secrets-engine (route-primary, proxy fallback)

secrets-engine (SECRETS-WP-0003) shipped a native secret-exec front door
(`secrets-engine route/exec`, decision e6381a56) and asked ops-warden to route to it.
Bernd's call: route-primary, proxy-fallback — surface the secrets-engine exec as the
primary path for owned lanes, keep `warden access --exec` as a transparent fallback.

T1 — RouteEntry gains exec_owner/exec_command/pointer_command (+ has_native_exec),
screened for secret material like the other handoff fields. whynot-design-npm-publish
points its native exec at secrets-engine. `warden access` renders Primary (secrets-engine
exec) + Fallback (warden proxy); route/access JSON gain the fields and a native-exec-aware
next_action. Tests added; 217 pass, lint clean.

T2 — credential-routing.md adds secrets-engine as the secret-exec owner (route primary,
proxy fallback); SCOPE adds secrets-engine to Related Repos and records the npm lane as
production-exercised (@whynot/design@0.4.0); playbook leads with secrets-engine exec and
fixes the fallback one-liner (--field NPM_AUTH_TOKEN, --no-policy) per whynot-design.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-29 17:41:49 +02:00
parent d003f0ca4d
commit bd335ec724
10 changed files with 223 additions and 17 deletions


@@ -89,6 +89,12 @@ entries:
policy_ref: "flex-auth check secret.read:whynot-design"
exec_capable: true
lane: secret
# Owner-native exec front door (WP-0019, secrets-engine SECRETS-WP-0003, decision
# e6381a56): route-primary, proxy-fallback. The secrets-engine exec is the primary
# path; warden access --fetch/--exec remains a transparent fallback.
exec_owner: secrets-engine
exec_command: "secrets-engine exec --catalog whynot-design-npm-publish -- <cmd>"
pointer_command: "secrets-engine route whynot-design-npm-publish --json"
- id: flex-auth-policy-check
title: Authorization decision — may this actor perform this action
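Review bot: the `exec_command:` line carries a literal `<cmd>` placeholder after a `--` separator, but neither the entry nor the comment above it says who substitutes `<cmd>` or that the `--` is what keeps the caller's arguments from being parsed as secrets-engine options; add a sentence to the comment (or to the `warden access` rendering that surfaces this string as the Primary path) stating that `<cmd>` is replaced verbatim by the caller and must stay after `--`. Also, the comment names `warden access --fetch/--exec` as the fallback while the commit message names only `warden access --exec`; pick one wording so the rendered Fallback line and the doc agree.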