# `2.9.0` Secrets

## Goal

Add explicit secrets so workspaces can handle private dependencies, authenticated startup, and secret-aware shell or exec flows without weakening the fail-closed sandbox model.

## Public API Changes

- `workspace create` gains secrets
- `workspace exec`, `workspace shell open`, and `workspace service start` gain per-call secret-to-env mapping
- SDK and MCP mirror the same model

## Implementation Boundaries

- Support literal secrets and host-file-backed secrets.
- Materialize secrets outside `/workspace`.
- Secret values never appear in status, logs, diffs, or exports.
- Reset recreates secrets from persisted secret material, not from the original host source path.

## Non-Goals

- no post-create secret editing
- no secret listing beyond safe metadata
- no mount-based secret transport

## Acceptance Scenarios

- create a workspace with a literal secret and a file-backed secret
- run exec and shell flows with mapped env vars
- start a service that depends on a secret-backed readiness path
- confirm redaction in command, shell, and service output

## Required Repo Updates

- docs for private dependency workflows
- explicit redaction tests
- real Firecracker smoke for secret-backed exec or service start
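
The redaction requirement above has one failure mode worth an explicit test: command, shell, and service output arrives in chunks, and a secret value split across two chunks slips past a per-chunk string replace. The sketch below is an added example, not this project's code; `StreamRedactor`, `redact_stream`, and the sample values are hypothetical, and it assumes output is handled as text and that secrets appear verbatim.

```python
# Added example: names (StreamRedactor, redact_stream) and sample values are hypothetical.
from typing import Iterable, List


class StreamRedactor:
    """Mask known secret values in chunked output, even when a value spans chunks."""

    def __init__(self, secrets: Iterable[str], mask: str = "[REDACTED]") -> None:
        # Longest first, so a secret that contains a shorter one is masked whole.
        self._secrets = sorted({s for s in secrets if s}, key=len, reverse=True)
        self._mask = mask
        self._buf = ""

    def feed(self, chunk: str) -> str:
        buf = self._buf + chunk
        for secret in self._secrets:
            buf = buf.replace(secret, self._mask)
        # Hold back the longest tail that could still grow into a secret.
        keep = 0
        for secret in self._secrets:
            for n in range(min(len(secret) - 1, len(buf)), keep, -1):
                if buf.endswith(secret[:n]):
                    keep = n
                    break
        cut = len(buf) - keep
        self._buf = buf[cut:]
        return buf[:cut]

    def flush(self) -> str:
        # End of stream: the held tail never completed a secret, so release it.
        tail, self._buf = self._buf, ""
        return tail


def redact_stream(chunks: Iterable[str], secrets: Iterable[str]) -> List[str]:
    redactor = StreamRedactor(secrets)
    out = [redactor.feed(c) for c in chunks]
    out.append(redactor.flush())
    return out


# Constructed sample values, not real credentials.
SAMPLE_SECRETS = ["tok-3f9a7c21", "s3cr3t-from-file"]

if __name__ == "__main__":
    print(redact_stream(["login with tok-3f", "9a7c21 ok\n", "done"], SAMPLE_SECRETS))
```

Exact-value matching does not catch a secret that a command re-encodes (base64, URL-encoding, hex), so a redaction test suite should state that limit rather than imply full coverage.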