disinto/vault
openhands cb5252588c fix: Secure action runtime — ephemeral container with vault-injected secrets (#748)
Split secrets into two SOPS-encrypted files:
- .env.enc for agent secrets (FORGE_TOKEN, CLAUDE_API_KEY, etc.)
- .env.vault.enc for vault secrets (GITHUB_TOKEN, deploy keys, etc.)

Add ephemeral vault-runner container (profiles: ["vault"]) that receives
only vault secrets at runtime. Agents never see vault secrets; vault-runner
never sees agent secrets.

Key changes:
- bin/disinto: vault-run subcommand, dual-file secrets management,
  vault-runner service in compose template
- vault/vault-fire.sh: delegates action execution to vault-runner
  container via disinto vault-run (bare-metal fallback preserved)
- vault/vault-poll.sh: new phase 5 detects vault-bot authorized
  comments on issues with action label
- vault/vault-run-action.sh: entrypoint for ephemeral container,
  dispatches to action handlers

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 16:41:27 +00:00
.locks feat: vault — publishing gate for external-facing agent actions (#19) 2026-03-17 08:07:02 +01:00
approved feat: vault — publishing gate for external-facing agent actions (#19) 2026-03-17 08:07:02 +01:00
fired feat: vault — publishing gate for external-facing agent actions (#19) 2026-03-17 08:07:02 +01:00
outreach fix: feat: rent-a-human — formula-dispatchable human action drafts (#679) 2026-03-25 14:31:35 +00:00
pending feat: vault — publishing gate for external-facing agent actions (#19) 2026-03-17 08:07:02 +01:00
rejected feat: vault — publishing gate for external-facing agent actions (#19) 2026-03-17 08:07:02 +01:00
AGENTS.md fix: Remove Matrix integration — notifications move to forge + OpenClaw (#732) 2026-03-26 14:53:56 +00:00
PROMPT.md fix: Remove Matrix integration — notifications move to forge + OpenClaw (#732) 2026-03-26 14:53:56 +00:00
vault-agent.sh fix: Extract vault-env.sh to deduplicate vault token override 2026-03-26 16:20:40 +00:00
vault-env.sh fix: Extract vault-env.sh to deduplicate vault token override 2026-03-26 16:20:40 +00:00
vault-fire.sh fix: Secure action runtime — ephemeral container with vault-injected secrets (#748) 2026-03-26 16:41:27 +00:00
vault-poll.sh fix: Secure action runtime — ephemeral container with vault-injected secrets (#748) 2026-03-26 16:41:27 +00:00
vault-reject.sh fix: Extract vault-env.sh to deduplicate vault token override 2026-03-26 16:20:40 +00:00
vault-run-action.sh fix: Secure action runtime — ephemeral container with vault-injected secrets (#748) 2026-03-26 16:41:27 +00:00