generated from coulomb/repo-seed
feat(WARDEN-WP-0019): route secret-exec lanes to secrets-engine (route-primary, proxy fallback)
secrets-engine (SECRETS-WP-0003) shipped a native secret-exec front door (`secrets-engine route/exec`, decision e6381a56) and asked ops-warden to route to it. Bernd's call: route-primary, proxy-fallback — surface the secrets-engine exec as the primary path for owned lanes, keep `warden access --exec` as a transparent fallback. T1 — RouteEntry gains exec_owner/exec_command/pointer_command (+ has_native_exec), screened for secret material like the other handoff fields. whynot-design-npm-publish points its native exec at secrets-engine. `warden access` renders Primary (secrets-engine exec) + Fallback (warden proxy); route/access JSON gain the fields and a native-exec-aware next_action. Tests added; 217 pass, lint clean. T2 — credential-routing.md adds secrets-engine as the secret-exec owner (route primary, proxy fallback); SCOPE adds secrets-engine to Related Repos and records the npm lane as production-exercised (@whynot/design@0.4.0); playbook leads with secrets-engine exec and fixes the fallback one-liner (--field NPM_AUTH_TOKEN, --no-policy) per whynot-design. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@@ -99,6 +99,32 @@ def test_find_exact_id_wins_over_keyword_collision():
|
||||
assert catalog.find("whynot-design-npm-publish", limit=1)[0].id == "whynot-design-npm-publish"
|
||||
|
||||
|
||||
def test_native_exec_owner_on_npm_lane():
|
||||
"""secrets-engine is the owner-native exec front door for the npm lane (WP-0019)."""
|
||||
catalog = load_catalog(_repo_catalog())
|
||||
e = catalog.get("whynot-design-npm-publish")
|
||||
assert e.has_native_exec is True
|
||||
assert e.exec_owner == "secrets-engine"
|
||||
assert "secrets-engine exec --catalog whynot-design-npm-publish" in e.exec_command
|
||||
assert "secrets-engine route" in e.pointer_command
|
||||
# The proxy fallback is still available (exec_capable + resolvable).
|
||||
assert e.exec_capable is True and e.resolvable is True
|
||||
|
||||
|
||||
def test_lanes_without_native_exec():
|
||||
catalog = load_catalog(_repo_catalog())
|
||||
assert catalog.get("openbao-api-key").has_native_exec is False
|
||||
assert catalog.get("ssh-cert-host-access").has_native_exec is False
|
||||
|
||||
|
||||
def test_cli_show_native_exec_json(repo_catalog_env):
|
||||
result = runner.invoke(app, ["route", "show", "whynot-design-npm-publish", "--json"])
|
||||
data = json.loads(result.stdout)
|
||||
assert data["exec_owner"] == "secrets-engine"
|
||||
assert "secrets-engine exec" in data["exec_command"]
|
||||
assert "primary" in data["next_action"] and "secrets-engine" in data["next_action"]
|
||||
|
||||
|
||||
def test_no_double_source_rule_rejects_routed_steps(tmp_path):
|
||||
bad = dict(ROUTED_ENTRY)
|
||||
bad["steps"] = ["do a thing on OpenBao"] # non-SSH entry must not carry steps
|
||||
|
||||
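Review bot: `test_cli_show_native_exec_json` parses `result.stdout` with `json.loads` without first checking that the invocation succeeded, so a failing `route show` surfaces as a JSONDecodeError on empty or error output rather than as the real failure; add `assert result.exit_code == 0, result.output` before the `json.loads` line. The commit message says the new exec_owner/exec_command/pointer_command fields are screened for secret material like the other handoff fields, but nothing in this hunk exercises that — if no other hunk adds it, a negative test that loads a catalog entry whose `exec_command` carries a token-shaped value (constructed placeholder, not a real credential) and asserts the catalog rejects it would pin the screening behaviour. `test_lanes_without_native_exec` is the only new test without a docstring; a one-liner such as `"""Lanes with no exec_owner must report has_native_exec False so the CLI falls back to the proxy."""` would match its siblings. The hunk's last visible lines (`bad["steps"] = ...`) belong to `test_no_double_source_rule_rejects_routed_steps`, whose body continues outside the hunk.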