generated from coulomb/repo-seed
feat(WARDEN-WP-0019): route secret-exec lanes to secrets-engine (route-primary, proxy fallback)
secrets-engine (SECRETS-WP-0003) shipped a native secret-exec front door (`secrets-engine route/exec`, decision e6381a56) and asked ops-warden to route to it. Bernd's call: route-primary, proxy-fallback — surface the secrets-engine exec as the primary path for owned lanes, keep `warden access --exec` as a transparent fallback. T1 — RouteEntry gains exec_owner/exec_command/pointer_command (+ has_native_exec), screened for secret material like the other handoff fields. whynot-design-npm-publish points its native exec at secrets-engine. `warden access` renders Primary (secrets-engine exec) + Fallback (warden proxy); route/access JSON gain the fields and a native-exec-aware next_action. Tests added; 217 pass, lint clean. T2 — credential-routing.md adds secrets-engine as the secret-exec owner (route primary, proxy fallback); SCOPE adds secrets-engine to Related Repos and records the npm lane as production-exercised (@whynot/design@0.4.0); playbook leads with secrets-engine exec and fixes the fallback one-liner (--field NPM_AUTH_TOKEN, --no-policy) per whynot-design. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
86
workplans/WARDEN-WP-0019-route-to-secrets-engine.md
Normal file
86
workplans/WARDEN-WP-0019-route-to-secrets-engine.md
Normal file
@@ -0,0 +1,86 @@
|
||||
---
|
||||
id: WARDEN-WP-0019
|
||||
type: workplan
|
||||
title: "Route secret-exec lanes to secrets-engine (route-primary, proxy fallback)"
|
||||
domain: infotech
|
||||
repo: ops-warden
|
||||
status: finished
|
||||
owner: claude
|
||||
topic_slug: custodian
|
||||
planning_priority: high
|
||||
planning_order: 19
|
||||
created: "2026-06-29"
|
||||
updated: "2026-06-29"
|
||||
---
|
||||
|
||||
# WARDEN-WP-0019 — Route secret-exec lanes to secrets-engine
|
||||
|
||||
**Trigger:** secrets-engine (SECRETS-WP-0003, msg 765a03f0) shipped a native secret-exec
|
||||
front door — `secrets-engine route <id> --json` and `secrets-engine exec --catalog <id> --
|
||||
<cmd>` with canonical decision ids — and asked ops-warden to **route to it**. This is the
|
||||
owner-native execution lane that ops-warden's `warden access --exec` proxy was filling as a
|
||||
stopgap (WP-0014). whynot-design already published `@whynot/design@0.4.0` through the proxy
|
||||
on this same lane, so both paths resolve today.
|
||||
|
||||
**Decision (Bernd, 2026-06-29): route-primary, proxy-fallback.** For lanes secrets-engine
|
||||
owns, ops-warden surfaces `secrets-engine exec/route` as the **primary** path and keeps its
|
||||
own `warden access --exec` as a documented **transparent fallback**. ops-warden stays the
|
||||
discovery front door; secrets-engine is the exec owner. Boundary unchanged: ops-warden holds
|
||||
or stores no token on either path.
|
||||
|
||||
**Out of scope:** ops-warden invoking `secrets-engine exec` itself (it routes/points, the
|
||||
caller runs it); changing the proxy's security model; the production policy-gate flip.
|
||||
|
||||
---
|
||||
|
||||
## Tasks
|
||||
|
||||
### T1 — Catalog + CLI: surface the owner-native exec front door
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0019-T01
|
||||
status: done
|
||||
priority: high
|
||||
```
|
||||
|
||||
- [x] `RouteEntry` gains `exec_owner` / `exec_command` / `pointer_command` (pointers only,
|
||||
screened by `_assert_no_secret_material`) and a `has_native_exec` property.
|
||||
- [x] `whynot-design-npm-publish` entry: `exec_owner: secrets-engine`,
|
||||
`exec_command: secrets-engine exec --catalog whynot-design-npm-publish -- <cmd>`,
|
||||
`pointer_command: secrets-engine route whynot-design-npm-publish --json`. Keep the
|
||||
existing `fetch_command`/`exec_capable` (the proxy fallback).
|
||||
- [x] `warden access`: when `exec_owner` is set, render the secrets-engine exec as the
|
||||
**primary** line and the `warden access --exec` proxy as the **fallback**; JSON gains
|
||||
`exec_owner`/`exec_command`/`pointer_command`. `route find/show` JSON too.
|
||||
- [x] Tests in `tests/test_routing.py` / `tests/test_access.py`.
|
||||
|
||||
### T2 — Agent rule, SCOPE, playbook
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0019-T02
|
||||
status: done
|
||||
priority: medium
|
||||
```
|
||||
|
||||
- [x] `.claude/rules/credential-routing.md`: add secrets-engine as the secret-exec owner;
|
||||
for OpenBao-backed secret lanes the route is "secrets-engine `exec` (primary),
|
||||
ops-warden `warden access --exec` (transparent fallback)".
|
||||
- [x] SCOPE: add secrets-engine to Related Repos + the routing model; note the
|
||||
whynot-design lane is **production-exercised** (real 0.4.0 publish), not just resolvable.
|
||||
- [x] `wiki/playbooks/whynot-design-npm-publish.md`: lead with the secrets-engine exec
|
||||
command; fix the fallback one-liner per whynot-design's field notes
|
||||
(`--field NPM_AUTH_TOKEN`, and `--no-policy` while `policy.enabled=false`).
|
||||
|
||||
---
|
||||
|
||||
## Acceptance
|
||||
|
||||
- `warden access whynot-design-npm-publish` shows the secrets-engine exec as primary and the
|
||||
warden proxy as fallback; `--json` carries `exec_owner`/`exec_command`.
|
||||
- The credential-routing rule names secrets-engine as the secret-exec owner.
|
||||
- No secret material anywhere; ops-warden holds no token on either path.
|
||||
|
||||
## See also
|
||||
|
||||
- secrets-engine SECRETS-WP-0003, decision e6381a56, `docs/whynot-design-real-publish-closeout.md`
|
||||
- `WARDEN-WP-0014` (proxy), `WARDEN-WP-0017` (discoverability), `WARDEN-WP-0018` (lane activation)
|
||||
Reference in New Issue
Block a user