execverb: wildcard passthrough grant + aws-read gate (the aws CLI in KDL) #132

Closed
opened 2026-06-10 18:48:42 +00:00 by coilysiren · 0 comments
Owner

What

The aws CLI surface in KDL - two pieces landing together:

  • cli/awsgate - coily's sensitive-read gate extracted as a package: read-only classification by the CLI's naming convention (describe-/list-/get-*/ls/scan/query...), global-flag-aware positional extraction, ARN-crossing glob matcher, default deny set (secrets / credentials / tfstate / backups / admin+root role ARNs - all meaningful-name globs), allow-glob + one-shot env escapes. Fulfills the awsgate extraction ask.
  • execverb growth - can run "*" (the open-passthrough grant: the funnel shape for broad tools, must be the only grant) and gate <name> { pattern / allow / allow-env } (a registered preflight gate; unknown names fail closed at build). aws-read is the first registered gate, wired to awsgate.

The resulting policy artifact:

wrap ward ops aws {
    exec aws
    can run "*" {
        gate aws-read {
            allow-env "WARD_AWS_ALLOW_SENSITIVE_READ"
        }
    }
}

Engine tests prove this exact guardfile: open passthrough reaches the binary verbatim, a sensitive read (s3 ls s3://prod-secrets-bucket) is denied pre-exec naming the matched pattern, writes pass untouched, the env escape allows a deliberate read, and a typo'd gate name refuses to build.

Parity note vs coily

coily's gate writes paired accept/reject audit rows (ops.aws.read.allowed/denied) beside the passthrough row; here the verb.Wrap pipeline records the denial as the verb's own reject row. The explicit-allow accept row is a follow-up if the dual-row trail is wanted back.

Feeds the ward aws guardfile (ward adoption tracked in coilyco-flight-deck/ward#81); part of #123.

## What The aws CLI surface in KDL - two pieces landing together: * **`cli/awsgate`** - coily's sensitive-read gate extracted as a package: read-only classification by the CLI's naming convention (describe-*/list-*/get-*/ls/scan/query...), global-flag-aware positional extraction, ARN-crossing glob matcher, default deny set (secrets / credentials / tfstate / backups / admin+root role ARNs - all meaningful-name globs), allow-glob + one-shot env escapes. Fulfills the awsgate extraction ask. * **execverb growth** - `can run "*"` (the open-passthrough grant: the funnel shape for broad tools, must be the only grant) and `gate <name> { pattern / allow / allow-env }` (a registered preflight gate; unknown names fail closed at build). `aws-read` is the first registered gate, wired to awsgate. The resulting policy artifact: ```kdl wrap ward ops aws { exec aws can run "*" { gate aws-read { allow-env "WARD_AWS_ALLOW_SENSITIVE_READ" } } } ``` Engine tests prove this exact guardfile: open passthrough reaches the binary verbatim, a sensitive read (`s3 ls s3://prod-secrets-bucket`) is denied pre-exec naming the matched pattern, writes pass untouched, the env escape allows a deliberate read, and a typo'd gate name refuses to build. ## Parity note vs coily coily's gate writes paired accept/reject audit rows (ops.aws.read.allowed/denied) beside the passthrough row; here the verb.Wrap pipeline records the denial as the verb's own reject row. The explicit-allow accept row is a follow-up if the dual-row trail is wanted back. Feeds the ward aws guardfile (ward adoption tracked in https://forgejo.coilysiren.me/coilyco-flight-deck/ward/issues/81); part of https://forgejo.coilysiren.me/coilyco-flight-deck/cli-guard/issues/123.
Sign in to join this conversation.
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
coilyco-flight-deck/cli-guard#132
No description provided.