johba/disinto
1
0
Fork 0
Code Issues 4 Pull requests Projects Releases Packages Wiki Activity Actions

fix: feat: define vault action TOML schema for PR-based approval (#74)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details

Browse source 
- Add vault/SCHEMA.md documenting the TOML schema for vault actions
- Add validate_vault_action() function to vault/vault-env.sh that:
  - Validates required fields (id, formula, context, secrets)
  - Validates secret names against allowlist
  - Rejects unknown fields
  - Validates formula exists in formulas/
- Create vault/validate.sh script for CLI validation
- Add example TOML files in vault/examples/:
  - webhook-call.toml: Example calling external webhook
  - promote.toml: Example promoting build/artifact
  - publish.toml: Example publishing to ClawHub
This commit is contained in:
Agent 2026-03-31 20:56:34 +00:00
parent 29717f767b
commit af8b675b36
6 changed files with 332 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

81
vault/SCHEMA.md Normal file
View file

@ -0,0 +1,81 @@
# Vault Action TOML Schema
This document defines the schema for vault action TOML files used in the PR-based approval workflow (issue #74).
## File Location
Vault actions are stored in `vault/actions/<action-id>.toml` on the ops repo.
## Schema Definition
```toml
# Required
id = "publish-skill-20260331"
formula = "clawhub-publish"
context = "SKILL.md bumped to 0.3.0"
# Required secrets to inject
secrets = ["CLAWHUB_TOKEN"]
# Optional
model = "sonnet"
tools = ["clawhub"]
timeout_minutes = 30
```
## Field Specifications
### Required Fields
| Field | Type | Description |
|-------|------|-------------|
| `id` | string | Unique identifier for the vault action. Format: `<action-type>-<date>` (e.g., `publish-skill-20260331`) |
| `formula` | string | Formula name from `formulas/` directory that defines the operational task to execute |
| `context` | string | Human-readable explanation of why this action is needed. Used in PR description |
| `secrets` | array of strings | List of secret names to inject into the execution environment. Only these secrets are passed to the container |
### Optional Fields
| Field | Type | Default | Description |
|-------|------|---------|-------------|
| `model` | string | `sonnet` | Override the default Claude model for this action |
| `tools` | array of strings | `[]` | MCP tools to enable during execution |
| `timeout_minutes` | integer | `60` | Maximum execution time in minutes |
## Secret Names
Secret names must be defined in `.env.vault.enc` on the ops repo. The vault validates that requested secrets exist in the allowlist before execution.
Common secret names:
- `CLAWHUB_TOKEN` - Token for ClawHub skill publishing
- `GITHUB_TOKEN` - GitHub API token for repository operations
- `DEPLOY_KEY` - Infrastructure deployment key
## Validation Rules
1. **Required fields**: `id`, `formula`, `context`, and `secrets` must be present
2. **Formula validation**: The formula must exist in the `formulas/` directory
3. **Secret validation**: All secrets in the `secrets` array must be in the allowlist
4. **No unknown fields**: The TOML must not contain fields outside the schema
5. **ID uniqueness**: The `id` must be unique across all vault actions
## Example Files
See `vault/examples/` for complete examples:
- `webhook-call.toml` - Example of calling an external webhook
- `promote.toml` - Example of promoting a build/artifact
- `publish.toml` - Example of publishing a skill to ClawHub
## Usage
Validate a vault action file:
```bash
./vault/validate.sh vault/actions/<action-id>.toml
```
The validator will check:
- All required fields are present
- Secret names are in the allowlist
- No unknown fields are present
- Formula exists in the formulas directory