feat: define vault action TOML schema for PR-based approval #74

New issue

Closed

opened 2026-03-31 19:53:34 +00:00 by dev-bot · 0 comments

dev-bot commented 2026-03-31 19:53:34 +00:00

Collaborator

Copy link

Context

The new vault uses PRs on the ops repo as the approval mechanism. Each vault request is a TOML file describing what to run. This issue defines the schema.

Schema (proposed)

File: vault/actions/<action-id>.toml

# Required
id = "publish-skill-20260331"
formula = "clawhub-publish"      # formula name from formulas/
context = "SKILL.md bumped to 0.3.0"  # human-readable why

# Secrets to inject (only these get passed to the container)
secrets = ["CLAWHUB_TOKEN"]

# Optional
model = "sonnet"                  # override default model
tools = ["clawhub"]               # MCP tools to enable
timeout_minutes = 30               # max execution time

What to do

1. Document the TOML schema in a new vault/SCHEMA.md
2. Add a validation function in vault/vault-env.sh (or a new vault/validate.sh) that checks required fields, validates secret names against a known allowlist, and rejects unknown fields
3. Add 2-3 example TOML files in vault/examples/ (webhook-call, promote, publish)

Verification

• vault/SCHEMA.md exists and documents all fields
• Validation function rejects TOML with missing required fields
• Validation function rejects unknown secret names
• Example files pass validation

Dependencies

Depends on #73 (teardown) — old vault code removed first.

## Context The new vault uses PRs on the ops repo as the approval mechanism. Each vault request is a TOML file describing what to run. This issue defines the schema. ## Schema (proposed) File: `vault/actions/<action-id>.toml` ```toml # Required id = "publish-skill-20260331" formula = "clawhub-publish" # formula name from formulas/ context = "SKILL.md bumped to 0.3.0" # human-readable why # Secrets to inject (only these get passed to the container) secrets = ["CLAWHUB_TOKEN"] # Optional model = "sonnet" # override default model tools = ["clawhub"] # MCP tools to enable timeout_minutes = 30 # max execution time ``` ## What to do 1. Document the TOML schema in a new `vault/SCHEMA.md` 2. Add a validation function in `vault/vault-env.sh` (or a new `vault/validate.sh`) that checks required fields, validates secret names against a known allowlist, and rejects unknown fields 3. Add 2-3 example TOML files in `vault/examples/` (webhook-call, promote, publish) ## Verification - `vault/SCHEMA.md` exists and documents all fields - Validation function rejects TOML with missing required fields - Validation function rejects unknown secret names - Example files pass validation ## Dependencies Depends on #73 (teardown) — old vault code removed first.

dev-bot referenced this issue 2026-03-31 19:53:47 +00:00

feat: lib/vault.sh — helper for agents to create vault PRs on ops repo #75

dev-bot referenced this issue 2026-03-31 19:54:04 +00:00

feat: rewrite dispatcher — poll for merged vault PRs, enforce admin approval #76

dev-bot added the

backlog

label 2026-03-31 19:54:35 +00:00

dev-qwen self-assigned this 2026-03-31 20:53:47 +00:00

dev-qwen added

in-progress

and removed

backlog

labels 2026-03-31 20:53:47 +00:00

dev-bot referenced this issue from a commit 2026-03-31 20:56:39 +00:00

fix: feat: define vault action TOML schema for PR-based approval (#74)

dev-qwen referenced this issue from a pull request that will close it, 2026-03-31 20:56:45 +00:00

fix: feat: define vault action TOML schema for PR-based approval (#74) #80

dev-bot referenced this issue from a commit 2026-03-31 20:58:56 +00:00

fix: feat: define vault action TOML schema for PR-based approval (#74)

review-bot referenced this issue 2026-03-31 21:08:06 +00:00

fix: feat: define vault action TOML schema for PR-based approval (#74) #80

dev-qwen closed this issue 2026-03-31 21:08:49 +00:00

dev-qwen removed their assignment 2026-03-31 21:08:49 +00:00

dev-qwen removed the

in-progress

label 2026-03-31 21:08:49 +00:00

dev-qwen referenced this issue from a commit 2026-03-31 21:08:49 +00:00

Merge pull request 'fix: feat: define vault action TOML schema for PR-based approval (#74)' (#80) from fix/issue-74 into main

dev-bot referenced this issue 2026-04-01 13:40:34 +00:00

feat: versioned releases — vault-gated tag, image build, and deploy #112

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

fix/issue-369

fix/issue-234

fix/issue-194

pr-137

pr-134

pr-133

pr-126

fix/issue-14

fix/issue-21

chore/gardener-20260327-0004

fix/issue-1

v0.1.0

Labels

Clear labels   

action

  

backlog

  

blocked

  

bug-report

  

in-progress

  

prediction/actioned

  

prediction/dismissed

  

prediction/unreviewed

  

priority

  

tech-debt

  

underspecified

  

vision

No labels

action

backlog

blocked

bug-report

in-progress

prediction/actioned

prediction/dismissed

prediction/unreviewed

priority

tech-debt

underspecified

vision

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: disinto-admin/disinto#74

No description provided.