
Scoped secret store: core providers and system key isolation #4224

@amirejaz

Description

Summary

Phase 1 of the scoped secret store implementation (#4192).

Introduces the foundational types that isolate system-managed secrets from user-managed secrets using a reserved __thv_<scope>_ key prefix.

Work

  • ScopedProvider: wraps any Provider and namespaces all operations under __thv_<scope>_. Used by internal callers (registry auth, workload auth, enterprise login).
  • UserProvider: wraps any Provider and blocks access to system-reserved keys. Used at all user-facing boundaries (CLI, API, MCP tool server).
  • SystemKeyPrefix, ScopeRegistry, ScopeWorkloads, ScopeAuth constants.
  • ErrReservedKeyName: returned when a user command attempts to manage a system key.
  • BulkDeleteSecrets added to the Provider interface so Cleanup on both wrappers is handled in a single write on EncryptedManager (no-op on read-only providers).
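
As an added illustration of the two wrappers above (example code, not the project's own), assuming a trimmed Provider interface with only GetSecret and SetSecret, an in-memory store constructed for the demo, and placeholder string values for the prefix and error; Cleanup and BulkDeleteSecrets are left out to keep it short:

```go
package main

import (
	"errors"
	"strings"
)

// Prefix and error named in the issue; the concrete values are assumptions.
const SystemKeyPrefix = "__thv_"
var ErrReservedKeyName = errors.New("secret name is reserved for system use")

// Provider is an assumed minimal cut of the project's interface.
type Provider interface {
	GetSecret(name string) (string, error)
	SetSecret(name, value string) error
}

// memStore is a constructed in-memory backend used only for this demo.
type memStore map[string]string
func (m memStore) SetSecret(n, v string) error { m[n] = v; return nil }
func (m memStore) GetSecret(n string) (string, error) {
	if v, ok := m[n]; ok {
		return v, nil
	}
	return "", errors.New("secret not found")
}

// ScopedProvider namespaces every key under __thv_<scope>_ for internal callers.
type ScopedProvider struct {
	inner Provider
	scope string
}
func (s ScopedProvider) key(n string) string { return SystemKeyPrefix + s.scope + "_" + n }
func (s ScopedProvider) SetSecret(n, v string) error { return s.inner.SetSecret(s.key(n), v) }
func (s ScopedProvider) GetSecret(n string) (string, error) { return s.inner.GetSecret(s.key(n)) }

// UserProvider sits at user-facing boundaries and refuses reserved names.
type UserProvider struct{ inner Provider }
func (u UserProvider) SetSecret(n, v string) error {
	if strings.HasPrefix(n, SystemKeyPrefix) {
		return ErrReservedKeyName
	}
	return u.inner.SetSecret(n, v)
}
func (u UserProvider) GetSecret(n string) (string, error) {
	if strings.HasPrefix(n, SystemKeyPrefix) {
		return "", ErrReservedKeyName
	}
	return u.inner.GetSecret(n)
}
```

A user key named "token" and a registry-scoped key named "token" land on different backend keys, so neither wrapper can read or overwrite the other's value.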

Status

Covered by PR linked to this issue.
