repocfg: add optional security: config section #54

Closed
opened 2026-06-03 21:48:31 +00:00 by coilysiren · 0 comments
Owner

Context

The ward security-doctor / protected-binary work (coilyco-flight-deck/ward#4) needs a declarative place for a consumer to name the host tools an agent must not invoke directly (gcloud, clusterctl) plus sudo and hook policy. That policy is generic — it belongs in the framework, parsed and validated once, enforced by consumers.

Change

Add an optional security: section to the per-repo config parsed by repocfg:

security:
  protected_binaries:
    - name: gcloud
      mode: deny-direct           # only mode in v1; empty defaults to it
      allowed_wrappers: [kap, ward]
      expected_real_paths: [/opt/homebrew/bin/gcloud, /usr/local/bin/gcloud]
      credential_env: [CLOUDSDK_CONFIG, GOOGLE_APPLICATION_CREDENTIALS]
  sudo:
    forbid_passwordless: true
  hooks:
    deny_bare_binaries: [gcloud]
    route_hints:
      gcloud: "Use kap for cloud operations."

Field names are snake_case to match the existing commands: scheme (allow_metacharacters, audit.egress). repocfg parses and validates (basename-only names, deny-direct mode, no duplicates) and enforces nothing on its own. Existing commands: behavior is unchanged; a config with no security: block yields a zero Security.

Acceptance

  • repocfg.Config carries a Security field, zero-valued when absent.
  • Old configs (commands-only) parse unchanged.
  • Path-shaped or duplicate protected names, and unknown modes, are rejected at load.
  • No consumer-specific defaults baked into the library.
## Context The ward security-doctor / protected-binary work ([coilyco-flight-deck/ward#4](https://forgejo.coilysiren.me/coilyco-flight-deck/ward/issues/4)) needs a declarative place for a consumer to name the host tools an agent must not invoke directly (gcloud, clusterctl) plus sudo and hook policy. That policy is generic — it belongs in the framework, parsed and validated once, enforced by consumers. ## Change Add an optional `security:` section to the per-repo config parsed by `repocfg`: ```yaml security: protected_binaries: - name: gcloud mode: deny-direct # only mode in v1; empty defaults to it allowed_wrappers: [kap, ward] expected_real_paths: [/opt/homebrew/bin/gcloud, /usr/local/bin/gcloud] credential_env: [CLOUDSDK_CONFIG, GOOGLE_APPLICATION_CREDENTIALS] sudo: forbid_passwordless: true hooks: deny_bare_binaries: [gcloud] route_hints: gcloud: "Use kap for cloud operations." ``` Field names are snake_case to match the existing `commands:` scheme (`allow_metacharacters`, `audit.egress`). `repocfg` parses and validates (basename-only names, `deny-direct` mode, no duplicates) and enforces nothing on its own. Existing `commands:` behavior is unchanged; a config with no `security:` block yields a zero `Security`. ## Acceptance - `repocfg.Config` carries a `Security` field, zero-valued when absent. - Old configs (commands-only) parse unchanged. - Path-shaped or duplicate protected names, and unknown modes, are rejected at load. - No consumer-specific defaults baked into the library.
Sign in to join this conversation.
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
coilyco-flight-deck/cli-guard#54
No description provided.