Adds transparent, policy-gated, audited proxy of a non-SSH credential
through `warden access`, for exec_capable lanes. Three guardrails in code:
- G1 caller identity: runs the owner's tool with the caller's own env;
warden injects no token of its own (caller_auth_present check).
- G2 transit-only: --fetch inherits stdout (never PIPE) so the value
never enters warden's memory or any log; --exec injects into the child
env only. Audit (access-audit.log) is metadata-only.
- G3 policy gate: check_fetch_policy runs before any fetch; with
policy.enabled=false the proxy refuses unless --no-policy is given.
resolve_fetch_command refuses unresolved <…> placeholders rather than
guess owner-side names. New warden/proxy.py + policy.check_fetch_policy;
tests/test_proxy.py asserts all three guardrails. 168 passed, lint clean.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

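A sketch of the three guardrails the commit message above describes, as an added example that is not warden's own code. The function names come from the message; their signatures, the policy dict shape (`enabled`, `allow`), the `auth_env` parameter and the audit record fields are assumptions.

```python
import json
import os
import re
import shlex
import subprocess
import time

PLACEHOLDER = re.compile(r"<[^<>\s]+>")  # matches <path>, <…>

class ProxyRefused(Exception):
    """A guardrail blocked the fetch."""

def caller_auth_present(auth_env):
    # G1: the caller must bring its own credential; nothing is injected here.
    return bool(os.environ.get(auth_env))

def check_fetch_policy(policy, need, no_policy=False):
    # G3: a disabled policy refuses unless the caller explicitly opts out.
    if not policy.get("enabled", False):
        if not no_policy:
            raise ProxyRefused("policy disabled")
        return "bypassed"
    if need not in policy.get("allow", ()):  # 'allow' list is an assumed shape
        raise ProxyRefused("policy denies need")
    return "allowed"

def resolve_fetch_command(template, values):
    # Substitute per argument, after splitting, so a value cannot add arguments.
    argv = []
    for arg in shlex.split(template):
        arg = PLACEHOLDER.sub(lambda m: values.get(m.group(0)[1:-1], m.group(0)), arg)
        if PLACEHOLDER.search(arg):
            raise ProxyRefused("unresolved placeholder: " + arg)
        argv.append(arg)
    return argv

def proxy_fetch(need, template, values, policy, auth_env, audit_path, no_policy=False):
    gate = check_fetch_policy(policy, need, no_policy)  # before any fetch
    if not caller_auth_present(auth_env):
        raise ProxyRefused("caller has no credential in " + auth_env)
    argv = resolve_fetch_command(template, values)
    # G2: stdout=None inherits the caller's stdout; no PIPE, so the value is
    # never read into this process. env is left unset, so the child gets the caller's.
    proc = subprocess.run(argv, stdin=subprocess.DEVNULL, stdout=None, check=False)
    record = {"ts": int(time.time()), "need": need, "tool": argv[0],
              "policy": gate, "rc": proc.returncode}  # metadata only
    with open(audit_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record
```

The audit record keeps only `argv[0]` rather than the full command line, so resolved arguments stay out of the log along with the value.
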
Adds `warden access <need> [--domain X] [--json]`: resolves a credential
need against the routing catalog and renders the structured handoff
(owner, auth method, path template, command skeleton, policy gate
status, proxy hint). SSH lane points at `warden sign`; routed lanes end
"warden advises, the owner vends". New pure warden/access.py module
(expand_handoff, policy_gate_status) reused by the T3 proxy lane. JSON
output is stable and secret-free. tests/test_access.py added.
157 passed, lint clean.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Adds optional assist-layer fields (auth_method, path_template,
fetch_command, exec_capable, policy_ref) to RouteEntry, parsed and
secret-screened in catalog.py. Handoff fields are templates/pointers
only — _assert_no_secret_material rejects known token prefixes and
high-entropy runs, and exec_capable requires a fetch_command. The
openbao-api-key entry is populated as the reference example (covers the
coulomb_social npm shape).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Extends the routing charter from a pointer-layer to an assist-layer:
a `warden access` front door that advises for any credential need and
proxies the OpenBao/key-cape lanes as a transparent, policy-gated,
audited conduit — never holding or persisting secret values.
Registered in State Hub (workstream 3c30b2ed); T1 in progress.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>