Secrets Handling (Orchestrator additions)
Last updated: 2025-11-25
Principles
- Secrets are stored in Authority and referenced via `secretRef`; services never persist raw secrets.
- No secrets in logs, traces, metrics, crash dumps, or health endpoints.
- Offline/air-gap: secrets are delivered through sealed bundles and loaded at startup only.
Orchestrator-specific rules (DOCS-ORCH-34-002)
- Plugin steps receive secrets via `secretRef`; workers fetch at step start and keep them in memory only for the step scope.
- Secrets are not written to the run ledger, artifacts, or NDJSON exports; only `secretRef` identifiers may appear.
- Network egress is deny-by-default; allowlists must reference `secretRef`-protected credentials when needed.
- Cancellation and retries must not log or surface secret material; redaction applies to all error paths.
Audit checklist
- Every plugin configuration uses `secretRef`, not inline values.
- Logs/traces verified to contain no secret payloads (redaction tests).
- Run ledger verified to store hashes/refs only.
- Secret refresh/rotation tested (Authority + worker reload).
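The step-scoped resolution rule above and the ledger/redaction items in the audit checklist can be exercised together in a small worker harness. The following is an added example, not Orchestrator or Authority code: the `AUTHORITY_STORE` dict and the `secretRef:` prefix are constructed stand-ins for the real Authority lookup and reference format, and `leaky_action` is a constructed failing step.

```python
import hashlib

# Constructed stand-in for the Authority secret store; a real worker
# resolves refs over the Authority API (assumption, not page content).
AUTHORITY_STORE = {"secretRef:registry-token": "s3cr3t-token-value"}


def resolve_secret_ref(ref: str) -> str:
    """Fetch raw secret material for a secretRef at step start; inline values are rejected."""
    if not ref.startswith("secretRef:"):
        raise ValueError(f"inline value rejected; expected a secretRef, got {ref!r}")
    return AUTHORITY_STORE[ref]


def redact(text: str, secrets: dict[str, str]) -> str:
    """Replace any raw secret value in text with its ref; used on every error path."""
    for ref, value in secrets.items():
        if value:
            text = text.replace(value, f"[REDACTED {ref}]")
    return text


def run_step(step_id: str, secret_refs: list[str], action) -> dict:
    """Resolve secrets for this step only, run the action, and return a ledger
    entry that carries refs and a hash of the ref list, never secret values."""
    secrets = {ref: resolve_secret_ref(ref) for ref in secret_refs}
    ledger = {
        "step": step_id,
        "secretRefs": sorted(secrets),
        # hash over the ref list only; hashing secret values would leak an oracle
        "secretRefsHash": hashlib.sha256("\n".join(sorted(secrets)).encode()).hexdigest(),
    }
    try:
        action(secrets)
        ledger["status"] = "ok"
    except Exception as exc:  # failures, cancellations and retries all go through redact()
        ledger["status"] = "failed"
        ledger["error"] = redact(str(exc), secrets)
    finally:
        secrets.clear()  # secret material lives only for the step scope
    return ledger


def leaky_action(secrets: dict) -> None:
    """Constructed failing step that embeds the raw token in its error message."""
    raise RuntimeError(f"registry rejected token {secrets['secretRef:registry-token']}")
```

A redaction test in the audit checklist is then simply: run a step that fails with the raw value in its message and assert the ledger entry never contains it.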