# Secrets Handling (Orchestrator additions)
Last updated: 2025-11-25

## Principles

- Secrets are stored in Authority and referenced via `secretRef`; services never persist raw secrets.
- No secrets in logs, traces, metrics, crash dumps, or health endpoints.
- Offline/air-gap: secrets are delivered through sealed bundles and loaded at startup only.

## Orchestrator-specific rules (DOCS-ORCH-34-002)

- Plugin steps receive secrets via `secretRef`; workers fetch them at step start and keep them in memory only for the step's scope.
- Secrets are not written to the run ledger, artifacts, or NDJSON exports; only `secretRef` identifiers may appear.
- Network egress is deny-by-default; allowlists must reference `secretRef`-protected credentials when needed.
- Cancellation and retries must not log or surface secret material; redaction applies to all error paths.

## Audit checklist

- [ ] Every plugin configuration uses `secretRef`, not inline values.
- [ ] Logs/traces verified to contain no secret payloads (redaction tests).
- [ ] Run ledger verified to store hashes/refs only.
- [ ] Secret refresh/rotation tested (Authority + worker reload).