rip allow-env env-var escape out of execverb/awsgate #144
Labels
No labels
burndown-2026-06
sunday-sprint
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/cli-guard#144
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
What
Remove the
allow-envenv-var escape from the execverb/awsgate surface entirely.allow-envlet a guard be bypassed by setting an env var (e.g.WARD_AWS_ALLOW_SENSITIVE_READ=1). It was a crutch for the old blunt funnel gate, and it is foreign to the design: not AWS-native (neither IAM nor the CLI has "set an env var to bypass"), global and stateful (export once, every sensitive read passes silently for the session), and invisible at the call site.Precise per-operation
when/deny-whenguards don't need it: you name the exact resource to block, so legitimate calls already pass and there is nothing to "escape."Removed
execverb.WhenClause.AllowEnvfield + theallow-envqualifier inwhen/deny-when(now an unknown node, fails closed)execverb.GateSpec.AllowEnvfield + theallow-envnode ingate { ... }awsgate.Gate.AllowEnvfield + its env check inallowed()(allow globs remain the only escape)escapeHinthelper, env-escape error-message text, tests, and docsAPI break (v0.x, expected): consumers using these fields drop them. The shipped ward-aws guardfile already uses no env var.