disinto/vault/policies/runner-DOCKER_HUB_TOKEN.hcl

# vault/policies/runner-DOCKER_HUB_TOKEN.hcl
#
# Per-secret runner policy: Docker Hub access token for image push.
# vault-runner (Step 5) composes only the runner-* policies named by the
# dispatching action's `secrets = [...]` list, so this policy intentionally
# scopes a single KV path — no wildcards, no list capability.

path "kv/data/disinto/runner/DOCKER_HUB_TOKEN" {
  capabilities = ["read"]
}
fix: [nomad-step-2] S2.1 — vault/policies/.hcl + tools/vault-apply-policies.sh (#879) Land the Vault ACL policies and an idempotent apply script. 18 policies: service-{forgejo,woodpecker}, bot-{dev,review,gardener,architect,planner, predictor,supervisor,vault,dev-qwen}, runner-{GITHUB,CODEBERG,CLAWHUB, NPM,DOCKER_HUB}_TOKEN + runner-DEPLOY_KEY, and dispatcher. tools/vault-apply-policies.sh diffs each file against the on-server policy text before calling hvault_policy_apply, reporting created / updated / unchanged per file. --dry-run prints planned names + SHA256 and makes no Vault calls. vault/policies/AGENTS.md documents the naming convention (service-/ bot-/runner-/dispatcher), the KV path each policy grants, the rationale for one-policy-per-runner-secret (AD-006 least-privilege at dispatch time), and what lands in later S2. issues (#880-#884). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-16 15:39:26 +00:00			`# vault/policies/runner-DOCKER_HUB_TOKEN.hcl`
			`#`
			`# Per-secret runner policy: Docker Hub access token for image push.`
			`# vault-runner (Step 5) composes only the runner-* policies named by the`
			# dispatching action's `secrets = [...]` list, so this policy intentionally
			`# scopes a single KV path — no wildcards, no list capability.`

			`path "kv/data/disinto/runner/DOCKER_HUB_TOKEN" {`
			`capabilities = ["read"]`
			`}`