feat(spec): add HostCommand and Refresh to CredentialSource #41
Draft
zampani-docker wants to merge 1 commit into
Extends spec.CredentialSource with two new optional fields:

- HostCommand: a POSIX sh -c command run on the host whose trimmed stdout becomes the credential value. Useful for credential helpers (vault, aws sts, gcloud auth print-access-token) that don't write to env vars or files.
- Refresh: a positive Go duration string (e.g. "15m", "1h") that controls how often the sandbox runtime re-runs the command and syncs the fresh token while `sbx run` is attached. Requires HostCommand to be set.

ValidateCredentialPolicy is updated to:

- Accept HostCommand alone as a valid source (at least one of env, file, or hostCommand is now required per source)
- Reject blank/whitespace-only HostCommand
- Reject Refresh without HostCommand
- Reject non-positive or unparseable Refresh durations

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Michael Zampani <michael.zampani@docker.com>
f75c586 to 3b8ea87
Summary

Extends `spec.CredentialSource` with two new optional fields that enable credential helpers — shell commands that run on the host to obtain credential values:

- `hostCommand` — a POSIX `sh -c` command whose trimmed stdout becomes the credential value. Executed at sandbox creation time (CLI), on-demand by the daemon proxy, and periodically on the `refresh` cadence while `sbx run` is attached.
- `refresh` — a positive Go duration string (e.g. `"15m"`, `"1h"`) controlling how often the sandbox runtime re-runs the command and syncs the fresh token while the sandbox is attached. Requires `hostCommand` to be set.

Motivation

Some credentials live in platform-specific locations (Docker Desktop backend socket, `vault read`, `aws sts get-session-token`, `gcloud auth print-access-token`) and cannot be captured via env vars or static files. `hostCommand` provides a first-class credential helper interface for these cases.

Validation changes

`ValidateCredentialPolicy` is updated to:

- Accept `hostCommand` alone as a valid source (`env`, `file`, or `hostCommand` — at least one required)
- Reject blank/whitespace-only `hostCommand`
- Reject `refresh` without `hostCommand`
- Reject non-positive or unparseable `refresh` durations

The error message for empty sources changes from `"must have at least one of env or file"` to `"must have at least one of env, file, or hostCommand"`.

Example spec.yaml usage

Context

This unblocks a companion PR in the sandboxes engine that adds the full `hostCommand` credential source implementation. The strict YAML decoder (`KnownFields(true)`) in `spec/artifact.go` rejects any `spec.yaml` containing `hostCommand:` or `refresh:` until these fields are present — so merging here is a prerequisite for kit authors to use the feature.

Test plan

`go test ./spec/...` — existing tests pass, 7 new subtests added for `hostCommand`/`refresh` validation
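The four validation rules from the description, sketched as an added Go example; this is not the project's `ValidateCredentialPolicy`. The `credentialSource` struct, the `validateSource` function, the string field types, and every error string except the empty-source message quoted in the description are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// credentialSource is a hypothetical stand-in for spec.CredentialSource (field types assumed).
type credentialSource struct {
	Env, File, HostCommand, Refresh string
}

// validateSource applies the rules from the PR description; error wording is assumed
// except for the "at least one of" message, which the description quotes.
func validateSource(s credentialSource) error {
	if s.HostCommand != "" && strings.TrimSpace(s.HostCommand) == "" {
		return errors.New("hostCommand must not be blank")
	}
	if s.Env == "" && s.File == "" && s.HostCommand == "" {
		return errors.New("must have at least one of env, file, or hostCommand")
	}
	if s.Refresh == "" {
		return nil // refresh is optional
	}
	if s.HostCommand == "" {
		return errors.New("refresh requires hostCommand")
	}
	d, err := time.ParseDuration(s.Refresh)
	if err != nil {
		return fmt.Errorf("refresh %q is not a valid duration: %w", s.Refresh, err)
	}
	if d <= 0 {
		return fmt.Errorf("refresh %q must be positive", s.Refresh)
	}
	return nil
}

func main() {
	// Constructed sample sources, not taken from any real spec.yaml.
	samples := []credentialSource{
		{HostCommand: "gcloud auth print-access-token", Refresh: "15m"},
		{Env: "TOKEN", Refresh: "1h"},
		{HostCommand: "gcloud auth print-access-token", Refresh: "-5m"},
	}
	for _, s := range samples {
		fmt.Printf("%+v -> %v\n", s, validateSource(s))
	}
}
```

These checks constrain only the shape of the two fields; the command string itself is still handed to `sh -c` on the host.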