generated from coulomb/repo-seed
secrets-engine (SECRETS-WP-0003) shipped a native secret-exec front door (`secrets-engine route/exec`, decision e6381a56) and asked ops-warden to route to it. Bernd's call: route-primary, proxy-fallback — surface the secrets-engine exec as the primary path for owned lanes, keep `warden access --exec` as a transparent fallback. T1 — RouteEntry gains exec_owner/exec_command/pointer_command (+ has_native_exec), screened for secret material like the other handoff fields. whynot-design-npm-publish points its native exec at secrets-engine. `warden access` renders Primary (secrets-engine exec) + Fallback (warden proxy); route/access JSON gain the fields and a native-exec-aware next_action. Tests added; 217 pass, lint clean. T2 — credential-routing.md adds secrets-engine as the secret-exec owner (route primary, proxy fallback); SCOPE adds secrets-engine to Related Repos and records the npm lane as production-exercised (@whynot/design@0.4.0); playbook leads with secrets-engine exec and fixes the fallback one-liner (--field NPM_AUTH_TOKEN, --no-policy) per whynot-design. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
87 lines
3.6 KiB
Markdown
87 lines
3.6 KiB
Markdown
---
|
|
id: WARDEN-WP-0019
|
|
type: workplan
|
|
title: "Route secret-exec lanes to secrets-engine (route-primary, proxy fallback)"
|
|
domain: infotech
|
|
repo: ops-warden
|
|
status: finished
|
|
owner: claude
|
|
topic_slug: custodian
|
|
planning_priority: high
|
|
planning_order: 19
|
|
created: "2026-06-29"
|
|
updated: "2026-06-29"
|
|
---
|
|
|
|
# WARDEN-WP-0019 — Route secret-exec lanes to secrets-engine
|
|
|
|
**Trigger:** secrets-engine (SECRETS-WP-0003, msg 765a03f0) shipped a native secret-exec
|
|
front door — `secrets-engine route <id> --json` and `secrets-engine exec --catalog <id> --
|
|
<cmd>` with canonical decision ids — and asked ops-warden to **route to it**. This is the
|
|
owner-native execution lane that ops-warden's `warden access --exec` proxy was filling as a
|
|
stopgap (WP-0014). whynot-design already published `@whynot/design@0.4.0` through the proxy
|
|
on this same lane, so both paths resolve today.
|
|
|
|
**Decision (Bernd, 2026-06-29): route-primary, proxy-fallback.** For lanes secrets-engine
|
|
owns, ops-warden surfaces `secrets-engine exec/route` as the **primary** path and keeps its
|
|
own `warden access --exec` as a documented **transparent fallback**. ops-warden stays the
|
|
discovery front door; secrets-engine is the exec owner. Boundary unchanged: ops-warden holds
|
|
or stores no token on either path.
|
|
|
|
**Out of scope:** ops-warden invoking `secrets-engine exec` itself (it routes/points, the
|
|
caller runs it); changing the proxy's security model; the production policy-gate flip.
|
|
|
|
---
|
|
|
|
## Tasks
|
|
|
|
### T1 — Catalog + CLI: surface the owner-native exec front door
|
|
|
|
```task
|
|
id: WARDEN-WP-0019-T01
|
|
status: done
|
|
priority: high
|
|
```
|
|
|
|
- [x] `RouteEntry` gains `exec_owner` / `exec_command` / `pointer_command` (pointers only,
|
|
screened by `_assert_no_secret_material`) and a `has_native_exec` property.
|
|
- [x] `whynot-design-npm-publish` entry: `exec_owner: secrets-engine`,
|
|
`exec_command: secrets-engine exec --catalog whynot-design-npm-publish -- <cmd>`,
|
|
`pointer_command: secrets-engine route whynot-design-npm-publish --json`. Keep the
|
|
existing `fetch_command`/`exec_capable` (the proxy fallback).
|
|
- [x] `warden access`: when `exec_owner` is set, render the secrets-engine exec as the
|
|
**primary** line and the `warden access --exec` proxy as the **fallback**; JSON gains
|
|
`exec_owner`/`exec_command`/`pointer_command`. `route find/show` JSON too.
|
|
- [x] Tests in `tests/test_routing.py` / `tests/test_access.py`.
|
|
|
|
### T2 — Agent rule, SCOPE, playbook
|
|
|
|
```task
|
|
id: WARDEN-WP-0019-T02
|
|
status: done
|
|
priority: medium
|
|
```
|
|
|
|
- [x] `.claude/rules/credential-routing.md`: add secrets-engine as the secret-exec owner;
|
|
for OpenBao-backed secret lanes the route is "secrets-engine `exec` (primary),
|
|
ops-warden `warden access --exec` (transparent fallback)".
|
|
- [x] SCOPE: add secrets-engine to Related Repos + the routing model; note the
|
|
whynot-design lane is **production-exercised** (real 0.4.0 publish), not just resolvable.
|
|
- [x] `wiki/playbooks/whynot-design-npm-publish.md`: lead with the secrets-engine exec
|
|
command; fix the fallback one-liner per whynot-design's field notes
|
|
(`--field NPM_AUTH_TOKEN`, and `--no-policy` while `policy.enabled=false`).
|
|
|
|
---
|
|
|
|
## Acceptance
|
|
|
|
- `warden access whynot-design-npm-publish` shows the secrets-engine exec as primary and the
|
|
warden proxy as fallback; `--json` carries `exec_owner`/`exec_command`.
|
|
- The credential-routing rule names secrets-engine as the secret-exec owner.
|
|
- No secret material anywhere; ops-warden holds no token on either path.
|
|
|
|
## See also
|
|
|
|
- secrets-engine SECRETS-WP-0003, decision e6381a56, `docs/whynot-design-real-publish-closeout.md`
|
|
- `WARDEN-WP-0014` (proxy), `WARDEN-WP-0017` (discoverability), `WARDEN-WP-0018` (lane activation)
|