thaloco/pyro-mcp
1
Fork 0
Code Pull requests Releases Packages Activity Actions
pyro-mcp/docs/roadmap/task-workspace-ga/2.9.0-secrets.md
Thales Maciel fc72fcd3a1 Add guest-only workspace secrets 
Add explicit workspace secrets across the CLI, SDK, and MCP, with create-time secret definitions and per-call secret-to-env mapping for exec, shell open, and service start. Persist only safe secret metadata in workspace records, materialize secret files under /run/pyro-secrets, and redact secret values from exec output, shell reads, service logs, and surfaced errors.

Fix the remaining real-guest shell gap by shipping bundled guest init alongside the guest agent and patching both into guest-backed workspace rootfs images before boot. The new init mounts devpts so PTY shells work on Firecracker guests, while reset continues to recreate the sandbox and re-materialize secrets from stored task-local secret material.

Validation: uv lock; UV_CACHE_DIR=.uv-cache make check; UV_CACHE_DIR=.uv-cache make dist-check; and a real guest-backed Firecracker smoke covering workspace create with secrets, secret-backed exec, shell, service, reset, and delete.
2026-03-12 15:43:34 -03:00

43 lines
1.2 KiB
Markdown
Raw Blame History

# `2.9.0` Secrets
Status: Done
## Goal
Add explicit secrets so workspaces can handle private dependencies,
authenticated startup, and secret-aware shell or exec flows without weakening
the fail-closed sandbox model.
## Public API Changes
- `workspace create` gains secrets
- `workspace exec`, `workspace shell open`, and `workspace service start` gain
per-call secret-to-env mapping
- SDK and MCP mirror the same model
## Implementation Boundaries
- Support literal secrets and host-file-backed secrets.
- Materialize secrets outside `/workspace`.
- Secret values never appear in status, logs, diffs, or exports.
- Reset recreates secrets from persisted secret material, not from the original
host source path.
## Non-Goals
- no post-create secret editing
- no secret listing beyond safe metadata
- no mount-based secret transport
## Acceptance Scenarios
- create a workspace with a literal secret and a file-backed secret
- run exec and shell flows with mapped env vars
- start a service that depends on a secret-backed readiness path
- confirm redaction in command, shell, and service output
## Required Repo Updates
- docs for private dependency workflows
- explicit redaction tests
- real Firecracker smoke for secret-backed exec or service start
View git blame Copy permalink