generated from coulomb/repo-seed
feat(WARDEN-WP-0019): route secret-exec lanes to secrets-engine (route-primary, proxy fallback)
secrets-engine (SECRETS-WP-0003) shipped a native secret-exec front door (`secrets-engine route/exec`, decision e6381a56) and asked ops-warden to route to it. Bernd's call: route-primary, proxy-fallback — surface the secrets-engine exec as the primary path for owned lanes, keep `warden access --exec` as a transparent fallback. T1 — RouteEntry gains exec_owner/exec_command/pointer_command (+ has_native_exec), screened for secret material like the other handoff fields. whynot-design-npm-publish points its native exec at secrets-engine. `warden access` renders Primary (secrets-engine exec) + Fallback (warden proxy); route/access JSON gain the fields and a native-exec-aware next_action. Tests added; 217 pass, lint clean. T2 — credential-routing.md adds secrets-engine as the secret-exec owner (route primary, proxy fallback); SCOPE adds secrets-engine to Related Repos and records the npm lane as production-exercised (@whynot/design@0.4.0); playbook leads with secrets-engine exec and fixes the fallback one-liner (--field NPM_AUTH_TOKEN, --no-policy) per whynot-design. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -38,13 +38,24 @@ this token** — it is the access front door: `warden access` proxies the read f
|
||||
Your token must carry the `whynot-design` group bound claim; a non-whynot identity is
|
||||
denied by policy (verified negative case).
|
||||
|
||||
2. **Fetch or run via the front door** — keyed by the stable catalog id, zero placeholders:
|
||||
2. **Run via the owner-native front door (primary).** secrets-engine owns the secret-exec
|
||||
for this lane (SECRETS-WP-0003, decision e6381a56); ops-warden routes to it:
|
||||
```bash
|
||||
warden access whynot-design-npm-publish --fetch # stream the token to you
|
||||
warden access whynot-design-npm-publish --exec -- npm publish # inject into the child only
|
||||
secrets-engine route whynot-design-npm-publish --json # pointer / readiness
|
||||
secrets-engine exec --catalog whynot-design-npm-publish -- npm publish
|
||||
```
|
||||
The value transits to you (or the child env) and never enters ops-warden's memory, disk,
|
||||
or audit log (metadata-only audit).
|
||||
|
||||
**ops-warden transparent fallback** — same lane via the `warden access` proxy (fetches as
|
||||
you, holds nothing). Field-verified flags (whynot-design, @whynot/design@0.4.0):
|
||||
```bash
|
||||
# --exec needs the env-var name; --no-policy is required while the gate is advisory
|
||||
# (policy.enabled=false), else the call exits 4.
|
||||
warden access whynot-design-npm-publish --no-policy --field NPM_AUTH_TOKEN \
|
||||
--exec -- npm publish
|
||||
warden access whynot-design-npm-publish --no-policy --field NPM_AUTH_TOKEN --fetch
|
||||
```
|
||||
On either path the value transits to you (or the child env) and never enters
|
||||
ops-warden's memory, disk, or audit log.
|
||||
|
||||
3. **Readiness gate (for automated callers).** Before attempting `--fetch`, check the flag:
|
||||
```bash
|
||||
|
||||
Reference in New Issue
Block a user