Adds transparent, policy-gated, audited proxy of a non-SSH credential
through `warden access`, for exec_capable lanes. Three guardrails in code:
- G1 caller identity: runs the owner's tool with the caller's own env;
warden injects no token of its own (caller_auth_present check).
- G2 transit-only: --fetch inherits stdout (never PIPE) so the value
never enters warden's memory or any log; --exec injects into the child
env only. Audit (access-audit.log) is metadata-only.
- G3 policy gate: check_fetch_policy runs before any fetch; with
policy.enabled=false the proxy refuses unless --no-policy is given.
resolve_fetch_command refuses unresolved <…> placeholders rather than
guess owner-side names. New warden/proxy.py + policy.check_fetch_policy;
tests/test_proxy.py asserts all three guardrails. 168 passed, lint clean.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
