Scoped secret store: wire callers to use ScopedProvider and UserProvider #4227

@amirejaz

Summary

Phase 4 of the scoped secret store implementation (#4192).

Update all callers to use the correct provider wrapper so system secrets are isolated in practice, not just in theory.

Work

  • Registry auth (pkg/registry/auth/): use CreateScopedSecretProvider(ScopeRegistry)
  • Workload auth (pkg/auth/): use CreateScopedSecretProvider(ScopeWorkloads)
  • All user-facing entry points (CLI secret commands, API secrets routes, MCP tool server): use CreateUserSecretProvider
  • Integration tests verifying isolation end-to-end

Dependencies

Depends on Phase 3. Must ship in the same PR as Phase 3 (migration infrastructure) — callers must not be updated before migration runs, and migration is useless without updated callers.
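
An added sketch of the isolation property the integration tests in this issue are meant to verify; it is not code from the issue or the project. The issue names only `CreateScopedSecretProvider`, `CreateUserSecretProvider`, `ScopeRegistry` and `ScopeWorkloads`; the `Scoped` and `User` types, the `__system/` key layout and `ErrNoAccess` are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Assumed layout (not from the issue): system keys are "__system/<scope>/<name>".
const sysPrefix = "__system/"
// ErrNoAccess covers both reserved and missing names, so user callers cannot probe.
var ErrNoAccess = errors.New("secret not available")

// Scoped confines a system caller (registry auth, workload auth) to one scope.
type Scoped struct {
	store map[string]string
	scope string
}

func (p Scoped) key(name string) string { return sysPrefix + p.scope + "/" + name }
func (p Scoped) Set(name, val string)   { p.store[p.key(name)] = val }
func (p Scoped) Get(name string) (string, bool) { v, ok := p.store[p.key(name)]; return v, ok }

// User backs user-facing entry points; it rejects and hides system keys.
type User struct{ store map[string]string }

func (p User) Get(name string) (string, error) {
	v, ok := p.store[name]
	if strings.HasPrefix(name, sysPrefix) || !ok {
		return "", ErrNoAccess
	}
	return v, nil
}

func (p User) List() (names []string) {
	for k := range p.store {
		if !strings.HasPrefix(k, sysPrefix) {
			names = append(names, k)
		}
	}
	return names
}

func main() {
	backend := map[string]string{"github-pat": "constructed-user-value"}
	Scoped{backend, "registry"}.Set("token", "constructed-registry-value")
	_, err := User{backend}.Get("__system/registry/token")
	fmt.Println(err, User{backend}.List())
}
```

The check that matters for the dependency note above is the last one: a caller still holding the raw backend instead of a wrapper bypasses both guards, which is why every entry point has to be switched together.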

Labels: authentication, enhancement, go
