repocfg: add optional security: config section #54
Labels
No labels
burndown-2026-06
sunday-sprint
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/cli-guard#54
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Context
The ward security-doctor / protected-binary work (coilyco-flight-deck/ward#4) needs a declarative place for a consumer to name the host tools an agent must not invoke directly (gcloud, clusterctl) plus sudo and hook policy. That policy is generic — it belongs in the framework, parsed and validated once, enforced by consumers.
Change
Add an optional
security:section to the per-repo config parsed byrepocfg:Field names are snake_case to match the existing
commands:scheme (allow_metacharacters,audit.egress).repocfgparses and validates (basename-only names,deny-directmode, no duplicates) and enforces nothing on its own. Existingcommands:behavior is unchanged; a config with nosecurity:block yields a zeroSecurity.Acceptance
repocfg.Configcarries aSecurityfield, zero-valued when absent.