generated from coulomb/repo-seed
feat(WARDEN-WP-0019): route secret-exec lanes to secrets-engine (route-primary, proxy fallback)
secrets-engine (SECRETS-WP-0003) shipped a native secret-exec front door (`secrets-engine route/exec`, decision e6381a56) and asked ops-warden to route to it. Bernd's call: route-primary, proxy-fallback — surface the secrets-engine exec as the primary path for owned lanes, keep `warden access --exec` as a transparent fallback.

T1 — RouteEntry gains exec_owner/exec_command/pointer_command (+ has_native_exec), screened for secret material like the other handoff fields. whynot-design-npm-publish points its native exec at secrets-engine. `warden access` renders Primary (secrets-engine exec) + Fallback (warden proxy); route/access JSON gain the fields and a native-exec-aware next_action. Tests added; 217 pass, lint clean.

T2 — credential-routing.md adds secrets-engine as the secret-exec owner (route primary, proxy fallback); SCOPE adds secrets-engine to Related Repos and records the npm lane as production-exercised (@whynot/design@0.4.0); playbook leads with secrets-engine exec and fixes the fallback one-liner (--field NPM_AUTH_TOKEN, --no-policy) per whynot-design.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@@ -77,6 +77,15 @@ def test_access_advisory_output(monkeypatch):
|
||||
assert "never holds" in r.stdout
|
||||
|
||||
|
||||
def test_access_native_exec_shows_primary_and_fallback(monkeypatch):
|
||||
"""A secrets-engine-owned lane leads with the native exec; proxy is the fallback."""
|
||||
monkeypatch.setenv("WARDEN_ROUTING_CATALOG", str(_repo_catalog()))
|
||||
r = runner.invoke(app, ["access", "whynot-design-npm-publish"])
|
||||
assert r.exit_code == 0
|
||||
assert "secrets-engine exec --catalog whynot-design-npm-publish" in r.stdout
|
||||
assert "Primary" in r.stdout and "Fallback" in r.stdout
|
||||
|
||||
|
||||
def test_access_route_only_lane_says_owner_vends(monkeypatch):
|
||||
"""A non-exec lane (host principal deploy) keeps the advise-only framing."""
|
||||
monkeypatch.setenv("WARDEN_ROUTING_CATALOG", str(_repo_catalog()))
|
||||
|
||||
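Review bot: test_access_native_exec_shows_primary_and_fallback does not check the ordering its docstring promises ("leads with the native exec"): the assertion `"Primary" in r.stdout and "Fallback" in r.stdout` passes even if the proxy fallback is rendered first. Suggest asserting that r.stdout.index("Primary") is less than r.stdout.index("Fallback"), and splitting the combined assert into two so a failure names the missing label. The test also pins the primary command string (`secrets-engine exec --catalog whynot-design-npm-publish`) but never checks that the fallback section actually contains the `warden access --exec` form, so a regression that prints the "Fallback" label with an empty or wrong command would go unnoticed. Since the commit message says the new exec fields are screened for secret material, a negative assertion that no token-like value appears in r.stdout for this lane would fit naturally here, next to the existing "never holds" check in the preceding test.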