feat: define vault action TOML schema for PR-based approval #74

Closed
opened 2026-03-31 19:53:34 +00:00 by dev-bot · 0 comments
Collaborator

Context

The new vault uses PRs on the ops repo as the approval mechanism. Each vault request is a TOML file describing what to run. This issue defines the schema.

Schema (proposed)

File: `vault/actions/<action-id>.toml`

```toml
# Required
id = "publish-skill-20260331"
formula = "clawhub-publish"      # formula name from formulas/
context = "SKILL.md bumped to 0.3.0"  # human-readable why

# Secrets to inject (only these get passed to the container)
secrets = ["CLAWHUB_TOKEN"]

# Optional
model = "sonnet"                  # override default model
tools = ["clawhub"]               # MCP tools to enable
timeout_minutes = 30               # max execution time
```

What to do

  1. Document the TOML schema in a new vault/SCHEMA.md
  2. Add a validation function in vault/vault-env.sh (or a new vault/validate.sh) that checks required fields, validates secret names against a known allowlist, and rejects unknown fields
  3. Add 2-3 example TOML files in vault/examples/ (webhook-call, promote, publish)

Verification

  • vault/SCHEMA.md exists and documents all fields
  • Validation function rejects TOML with missing required fields
  • Validation function rejects unknown secret names
  • Example files pass validation

Dependencies

Depends on #73 (teardown) — old vault code removed first.

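An added example of the validation function proposed in step 2 (my code, not the repo's `vault/validate.sh` or `vault-env.sh`): a POSIX sh validator for the flat schema above that enforces required fields, the secret allowlist and unknown-field rejection, run over constructed sample files. The allowlist contents, helper names and sample files are assumptions.

```shell
#!/bin/sh
# Added example (not the repo's own vault/validate.sh): validates one vault action
# TOML file against the flat schema proposed in the issue. Assumptions: flat
# "key = value" TOML only (no tables, no multi-line values, no '#' inside values)
# and a secret allowlist constructed for illustration.
SECRET_ALLOWLIST="CLAWHUB_TOKEN"
REQUIRED_KEYS="id formula context secrets"
KNOWN_KEYS="id formula context secrets model tools timeout_minutes"
in_list() { for w in $2; do [ "$w" = "$1" ] && return 0; done; return 1; }
# '["A", "B"]' -> 'A B'; a quoted scalar loses its quotes
toml_items() { printf '%s' "$1" | sed 's/[][",]//g'; }
# validate_vault_action FILE -> 0 when valid, 1 otherwise (reasons on stderr)
validate_vault_action() {
  file=$1 seen="" rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                                  # strip trailing comment
    case $line in *=*) ;; *) continue ;; esac         # skip blank/comment-only lines
    key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
    value=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    in_list "$key" "$KNOWN_KEYS" || { echo "$file: unknown field '$key'" >&2; rc=1; continue; }
    in_list "$key" "$seen" && { echo "$file: duplicate field '$key'" >&2; rc=1; continue; }
    seen="$seen $key"
    case $key in
      secrets) for s in $(toml_items "$value"); do      # every secret must be allowlisted
                 in_list "$s" "$SECRET_ALLOWLIST" || { echo "$file: secret '$s' not allowlisted" >&2; rc=1; }
               done ;;
      timeout_minutes) case $value in ''|0|*[!0-9]*)   # positive integer only
                 echo "$file: timeout_minutes must be a positive integer" >&2; rc=1 ;; esac ;;
      id|formula|context) [ -n "$(toml_items "$value")" ] || { echo "$file: '$key' is empty" >&2; rc=1; } ;;
    esac
  done < "$file"
  for k in $REQUIRED_KEYS; do                            # required fields must all be present
    in_list "$k" "$seen" || { echo "$file: missing required field '$k'" >&2; rc=1; }
  done
  return $rc
}
# Constructed sample files: one valid request and three that must be rejected.
write_samples() {
  printf 'id = "publish-skill-20260331"\nformula = "clawhub-publish"\ncontext = "SKILL.md bumped to 0.3.0"\nsecrets = ["CLAWHUB_TOKEN"]\ntimeout_minutes = 30 # max\n' > "$1/good.toml"
  printf 'id = "x"\nformula = "clawhub-publish"\nsecrets = ["CLAWHUB_TOKEN"]\n' > "$1/missing-context.toml"
  printf 'id = "x"\nformula = "f"\ncontext = "c"\nsecrets = ["CLAWHUB_TOKEN", "AWS_SECRET_KEY"]\n' > "$1/bad-secret.toml"
  printf 'id = "x"\nformula = "f"\ncontext = "c"\nsecrets = []\nshell = "bash"\n' > "$1/unknown-field.toml"
}
SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
for f in "$SAMPLES"/*.toml; do
  if validate_vault_action "$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
```

Only `good.toml` passes; the other three are rejected with the reason printed on stderr, which is the behaviour the Verification list above asks for.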
dev-bot added the backlog label 2026-03-31 19:54:35 +00:00
dev-qwen self-assigned this 2026-03-31 20:53:47 +00:00
dev-qwen added in-progress and removed backlog labels 2026-03-31 20:53:47 +00:00
dev-qwen removed their assignment 2026-03-31 21:08:49 +00:00
dev-qwen removed the in-progress label 2026-03-31 21:08:49 +00:00
Reference: johba/disinto#74