Thales Maciel f57454bcb4 Add workspace-first roadmap milestones

Break the updated workspace vision into a checked-in roadmap from 2.4.0 through 3.1.0 so later implementation can be driven milestone by milestone.

Link the roadmap from the vision doc and keep each release slice scoped to one product capability, from the workspace contract pivot through shells, export/diff, services, snapshots, secrets, networking, and GA promotion.

This is a docs-only planning scaffold; runtime behavior stays unchanged in this commit.

2026-03-12 01:21:26 -03:00

1.2 KiB

Raw Blame History

`2.9.0` Secrets

Goal

Add explicit secrets so workspaces can handle private dependencies, authenticated startup, and secret-aware shell or exec flows without weakening the fail-closed sandbox model.

Public API Changes

workspace create gains secrets
workspace exec, workspace shell open, and workspace service start gain per-call secret-to-env mapping
SDK and MCP mirror the same model

Implementation Boundaries

Support literal secrets and host-file-backed secrets.
Materialize secrets outside /workspace.
Secret values never appear in status, logs, diffs, or exports.
Reset recreates secrets from persisted secret material, not from the original host source path.

Non-Goals

no post-create secret editing
no secret listing beyond safe metadata
no mount-based secret transport

Acceptance Scenarios

create a workspace with a literal secret and a file-backed secret
run exec and shell flows with mapped env vars
start a service that depends on a secret-backed readiness path
confirm redaction in command, shell, and service output

Required Repo Updates

docs for private dependency workflows
explicit redaction tests
real Firecracker smoke for secret-backed exec or service start

1.2 KiB Raw Blame History

2.9.0 Secrets