pyro-mcp/docs/roadmap/task-workspace-ga/2.9.0-secrets.md
Thales Maciel fc72fcd3a1 Add guest-only workspace secrets
Add explicit workspace secrets across the CLI, SDK, and MCP, with create-time secret definitions and per-call secret-to-env mapping for exec, shell open, and service start. Persist only safe secret metadata in workspace records, materialize secret files under /run/pyro-secrets, and redact secret values from exec output, shell reads, service logs, and surfaced errors.

Fix the remaining real-guest shell gap by shipping bundled guest init alongside the guest agent and patching both into guest-backed workspace rootfs images before boot. The new init mounts devpts so PTY shells work on Firecracker guests, while reset continues to recreate the sandbox and re-materialize secrets from stored task-local secret material.

Validation: uv lock; UV_CACHE_DIR=.uv-cache make check; UV_CACHE_DIR=.uv-cache make dist-check; and a real guest-backed Firecracker smoke covering workspace create with secrets, secret-backed exec, shell, service, reset, and delete.
2026-03-12 15:43:34 -03:00

1.2 KiB

2.9.0 Secrets

Status: Done

Goal

Add explicit secrets so workspaces can handle private dependencies, authenticated startup, and secret-aware shell or exec flows without weakening the fail-closed sandbox model.

Public API Changes

  • workspace create gains secrets
  • workspace exec, workspace shell open, and workspace service start gain per-call secret-to-env mapping
  • SDK and MCP mirror the same model

Implementation Boundaries

  • Support literal secrets and host-file-backed secrets.
  • Materialize secrets outside /workspace.
  • Secret values never appear in status, logs, diffs, or exports.
  • Reset recreates secrets from persisted secret material, not from the original host source path.

Non-Goals

  • no post-create secret editing
  • no secret listing beyond safe metadata
  • no mount-based secret transport

Acceptance Scenarios

  • create a workspace with a literal secret and a file-backed secret
  • run exec and shell flows with mapped env vars
  • start a service that depends on a secret-backed readiness path
  • confirm redaction in command, shell, and service output
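The implementation boundaries and acceptance scenarios above describe four properties together: literal and file-backed secrets captured at create time, safe metadata only in the workspace record, files materialized outside /workspace with tight permissions, and secret values redacted from any surfaced output. The following is an added example, not pyro-mcp's own code, that models those properties in a small Python store so the redaction and reset behaviour can be checked in isolation. The `SecretStore` class, the `[REDACTED:<name>]` marker, and the temporary directory standing in for /run/pyro-secrets are all assumptions of this example; the sample token values are constructed.

```python
# Added example (not pyro-mcp's own code): a minimal secret store modelling
# the boundaries listed above. Names, markers and paths are assumptions.
import hashlib
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, List, Mapping, Optional


@dataclass(frozen=True)
class SecretDefinition:
    """One secret as captured at workspace create time."""
    name: str
    source: str  # "literal" or "file"; safe to persist and display
    value: str   # sensitive material; kept only in task-local secret storage


def literal_secret(name: str, value: str) -> SecretDefinition:
    return SecretDefinition(name=name, source="literal", value=value)


def file_secret(name: str, host_path: str) -> SecretDefinition:
    # The host file is read exactly once, at create time. Reset later works
    # from the captured value, never from this path again.
    return SecretDefinition(name=name, source="file", value=Path(host_path).read_text())


class SecretStore:
    def __init__(self, definitions: Iterable[SecretDefinition]) -> None:
        self._secrets: Dict[str, SecretDefinition] = {}
        for d in definitions:
            # Names become file names under the secrets dir, so keep them plain.
            if not re.fullmatch(r"[A-Za-z0-9_-]+", d.name):
                raise ValueError(f"invalid secret name: {d.name!r}")
            if d.name in self._secrets:
                raise ValueError(f"duplicate secret name: {d.name}")
            if not d.value:
                raise ValueError(f"secret {d.name!r} is empty")
            self._secrets[d.name] = d

    def safe_metadata(self) -> List[dict]:
        """What a workspace record may persist or show: never the value."""
        return [
            {
                "name": d.name,
                "source": d.source,
                "length": len(d.value),
                # A short fingerprint lets an operator tell which value is in use.
                "sha256_prefix": hashlib.sha256(d.value.encode()).hexdigest()[:12],
            }
            for d in self._secrets.values()
        ]

    def materialize(self, root: Path) -> Dict[str, Path]:
        """Write one 0600 file per secret under a 0700 dir outside /workspace.
        Calling it again replaces the files, which is what a reset does."""
        root.mkdir(parents=True, exist_ok=True)
        root.chmod(stat.S_IRWXU)
        paths: Dict[str, Path] = {}
        for d in self._secrets.values():
            p = root / d.name
            fd = os.open(p, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            with os.fdopen(fd, "w") as fh:
                fh.write(d.value)
            p.chmod(0o600)  # O_CREAT mode does not apply if the file pre-existed
            paths[d.name] = p
        return paths

    def env_for_call(self, mapping: Mapping[str, str]) -> Dict[str, str]:
        """Per-call env-var -> secret-name mapping; unknown names fail closed."""
        env: Dict[str, str] = {}
        for env_var, secret_name in mapping.items():
            if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", env_var):
                raise ValueError(f"invalid environment variable name: {env_var!r}")
            if secret_name not in self._secrets:
                raise KeyError(f"unknown secret: {secret_name}")
            env[env_var] = self._secrets[secret_name].value
        return env

    def redact(self, text: str) -> str:
        """Replace every secret value in text. Longest values go first so a
        secret that is a prefix of another is never partially revealed."""
        for d in sorted(self._secrets.values(), key=lambda s: len(s.value), reverse=True):
            text = text.replace(d.value, f"[REDACTED:{d.name}]")
        return text


def demo(tmp_root: Optional[Path] = None) -> dict:
    """Walk create -> exec -> reset with constructed sample values."""
    root = tmp_root or Path(tempfile.mkdtemp(prefix="pyro-secrets-demo-"))
    host_file = root / "gh_token.txt"
    host_file.write_text("ghp_constructedfilesecret")  # constructed sample value
    store = SecretStore([literal_secret("npm_token", "npm_constructedliteral"),
                         file_secret("gh_token", str(host_file))])
    host_file.unlink()  # host source is gone; reset must still work
    secrets_dir = root / "run-pyro-secrets"  # stands in for /run/pyro-secrets
    store.materialize(secrets_dir)
    env = store.env_for_call({"NPM_TOKEN": "npm_token", "GH_TOKEN": "gh_token"})
    raw_output = f"npm ERR! 401 using {env['NPM_TOKEN']}; git said {env['GH_TOKEN']}"
    after_reset = store.materialize(secrets_dir)  # reset re-materializes from stored material
    return {
        "metadata": store.safe_metadata(),
        "env_keys": sorted(env),
        "file_mode": oct(stat.S_IMODE(after_reset["gh_token"].stat().st_mode)),
        "reset_ok": after_reset["gh_token"].read_text() == "ghp_constructedfilesecret",
        "redacted": store.redact(raw_output),
    }


if __name__ == "__main__":
    print(demo())
```

The redactor is deliberately value-based rather than pattern-based: it does not try to recognise token formats, it removes exactly the values the workspace was given, which is the only set it can be sure about. Deleting the host file before the second `materialize` call is the check for the reset boundary: if materialization silently re-read the original host path, a moved or deleted file would break reset.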

Required Repo Updates

  • docs for private dependency workflows
  • explicit redaction tests
  • real Firecracker smoke for secret-backed exec or service start