Summary
Phase 1 of the scoped secret store implementation (#4192).
Introduces the foundational types that isolate system-managed secrets from user-managed secrets using a reserved __thv_<scope>_ key prefix.
Work
ScopedProvider: wraps any Provider and namespaces all operations under __thv_<scope>_. Used by internal callers (registry auth, workload auth, enterprise login).
UserProvider: wraps any Provider and blocks access to system-reserved keys. Used at all user-facing boundaries (CLI, API, MCP tool server).
SystemKeyPrefix, ScopeRegistry, ScopeWorkloads, ScopeAuth constants.
ErrReservedKeyName: returned when a user command attempts to manage a system key.
BulkDeleteSecrets added to the Provider interface so Cleanup on both wrappers is handled in a single write on EncryptedManager (no-op on read-only providers).
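The two wrappers described above, as an added example in Go (not ToolHive's own code, and not the PR's implementation). It assumes a minimal Provider interface with SetSecret, ListSecrets and BulkDeleteSecrets, an in-memory map standing in for EncryptedManager, and a scope-name check that the issue does not mention. It goes slightly beyond the issue by building both ScopedProvider and UserProvider on one shared keyMapper type: the user view is the empty-prefix case, a system scope is the __thv_<scope>_ case.

```go
package main

import (
	"errors"
	"strings"
)

// Provider is an assumed minimal shape for this example; ToolHive's real interface differs.
type Provider interface {
	SetSecret(name, value string) error
	ListSecrets() ([]string, error)
	BulkDeleteSecrets(names []string) error
}
const SystemKeyPrefix = "__thv_"
var ErrReservedKeyName = errors.New("secret name uses the reserved system prefix")
type memProvider map[string]string // constructed in-memory backend standing in for EncryptedManager
func (m memProvider) SetSecret(n, v string) error { m[n] = v; return nil }
func (m memProvider) ListSecrets() ([]string, error) {
	var names []string
	for k := range m {
		names = append(names, k)
	}
	return names, nil
}
func (m memProvider) BulkDeleteSecrets(names []string) error {
	for _, n := range names {
		delete(m, n) // one write for the whole batch
	}
	return nil
}

// keyMapper implements Provider on top of another Provider. With an empty prefix it is the
// user view (reserved names rejected and hidden); with "__thv_<scope>_" it is a system scope.
type keyMapper struct{ inner Provider; prefix string }
func (k *keyMapper) in(n string) (string, error) { // caller's name -> backend key, or reject
	if k.prefix == "" && strings.HasPrefix(n, SystemKeyPrefix) {
		return "", ErrReservedKeyName
	}
	return k.prefix + n, nil
}
func (k *keyMapper) out(key string) (string, bool) { // backend key -> visible name; false = hidden
	if k.prefix == "" {
		return key, !strings.HasPrefix(key, SystemKeyPrefix)
	}
	return strings.TrimPrefix(key, k.prefix), strings.HasPrefix(key, k.prefix)
}
func (k *keyMapper) SetSecret(n, v string) error {
	key, err := k.in(n)
	if err != nil {
		return err
	}
	return k.inner.SetSecret(key, v)
}
func (k *keyMapper) ListSecrets() ([]string, error) {
	all, err := k.inner.ListSecrets()
	if err != nil {
		return nil, err
	}
	var visible []string
	for _, key := range all {
		if n, ok := k.out(key); ok {
			visible = append(visible, n)
		}
	}
	return visible, nil
}
// BulkDeleteSecrets maps every name before any write: one reserved name rejects the whole batch.
func (k *keyMapper) BulkDeleteSecrets(names []string) error {
	keys := make([]string, 0, len(names))
	for _, n := range names {
		key, err := k.in(n)
		if err != nil {
			return err
		}
		keys = append(keys, key)
	}
	return k.inner.BulkDeleteSecrets(keys)
}
// Cleanup removes everything visible through this view in one BulkDeleteSecrets call.
func (k *keyMapper) Cleanup() error {
	names, err := k.ListSecrets()
	if err != nil {
		return err
	}
	return k.BulkDeleteSecrets(names)
}

// ScopedProvider namespaces all operations under __thv_<scope>_. Rejecting "_" in the scope is an
// assumption: without it (scope "a", key "b_x") and (scope "a_b", key "x") share one backend key.
type ScopedProvider struct{ keyMapper }
func NewScopedProvider(inner Provider, scope string) (*ScopedProvider, error) {
	if scope == "" || strings.ContainsAny(scope, "_/\\ \t\n") {
		return nil, errors.New("invalid scope name: " + scope)
	}
	return &ScopedProvider{keyMapper{inner: inner, prefix: SystemKeyPrefix + scope + "_"}}, nil
}

// UserProvider is the user-facing view: reserved names are refused on writes and hidden on reads.
type UserProvider struct{ keyMapper }
func NewUserProvider(inner Provider) *UserProvider { return &UserProvider{keyMapper{inner: inner}} }
```

Two checks in this sketch are worth carrying into whatever the real implementation looks like: the reserved-name test runs on every operation, and for BulkDeleteSecrets it runs over the whole batch before the first write, so a mixed user request cannot delete half its keys and then fail; and the scope string is validated against the separator, because a scope that itself contains "_" lets one scope's ListSecrets and Cleanup pick up another scope's keys.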
Status
Covered by the PR linked to this issue.