Sensitive Package Variable policy and redaction

[zack-nova]

Parent

#136

What to build

Enforce the P0 sensitive Package Variable contract across declarations, Runtime Bindings resolution, and diagnostics. Sensitive values should be safe by default: env-only for P0, never defaulted, and redacted everywhere users inspect variable state.

Acceptance criteria

• Package Variable declarations support sensitive and reject sensitive: true declarations that also define default.
• Sensitive Package Variables reject Runtime Bindings that use inline value or value_from.file.
• Sensitive Package Variables accept value_from.env when the referenced environment variable is present.
• hyard vars doctor reports sensitive policy violations as errors.
• hyard vars explain redacts sensitive values in text and JSON output while still reporting selected source and resolved status.
• Any install-time or variable diagnostics introduced by this work use the same redaction behavior and do not print resolved sensitive values by default.

Blocked by

• Runtime Bindings schema v2 and canonical validation #137
• Runtime Bindings resolution, defaults, doctor, and explain #138

[zack-nova]

This was generated by AI during triage.

Triage Notes

• Dependency release closeout for Runtime Bindings schema v2 and canonical validation #137: PR Implement Runtime Bindings schema v2 #144 landed successfully at merge commit 760c38334b3de16830449d509c25a8258d90b168.
• This issue still lists Runtime Bindings resolution, defaults, doctor, and explain #138 in ## Blocked by, and Runtime Bindings resolution, defaults, doctor, and explain #138 remains open.
• State update: leave state:blocked in place until the remaining blocker is resolved.

[zack-nova]

This was generated by AI during triage.

Triage Notes

• Dependency release closeout for Runtime Bindings resolution, defaults, doctor, and explain #138: PR Implement Runtime Bindings doctor and explain #145 landed successfully at merge commit 816afbf8d30ba71bc59fdf65e2d8686fa325dfa6.
• ## Blocked by lists Runtime Bindings schema v2 and canonical validation #137 and Runtime Bindings resolution, defaults, doctor, and explain #138. Runtime Bindings schema v2 and canonical validation #137 is closed with state:merged; Runtime Bindings resolution, defaults, doctor, and explain #138 has landed.
• No other blockers remain open or unmerged.
• State update: replace state:blocked with state:needs-triage so this issue can be re-evaluated for implementation readiness.

[zack-nova]

This was generated by AI during triage.

Triage Notes

Confirmed

• Parent issue: PRD: Runtime Bindings contract #136.
• Prior blockers are resolved by merge evidence: Runtime Bindings schema v2 and canonical validation #137 landed through PR Implement Runtime Bindings schema v2 #144 at 760c38334b3de16830449d509c25a8258d90b168 on 2026-05-12T10:28:07Z; Runtime Bindings resolution, defaults, doctor, and explain #138 landed through PR Implement Runtime Bindings doctor and explain #145 at 816afbf8d30ba71bc59fdf65e2d8686fa325dfa6 on 2026-05-12T12:41:01Z.
• Current metadata is valid for implementation handoff: exactly one state label (state:needs-triage), exactly one type label (type:feature), and AFK-compatible delivery mode (delivery-mode:afk).
• No out-of-scope catalog issue exists in the tracker, and this request matches the active Runtime Bindings contract backlog rather than a rejected concept.
• No split required. This is one cohesive P0 sensitive Package Variable policy slice across declaration validation, Runtime Bindings selected-source policy, doctor diagnostics, explain output, and shared redaction behavior.

Missing Information

• None.

Current Decision

The issue is ready for implementation. Add the Dev Brief below, then move from state:needs-triage to state:ready-for-dev.

Dev Brief

Type: feature

Delivery mode: afk

HITL rationale:

Not applicable; this slice can be implemented and reviewed through objective repository gates.

Summary:

Enforce the P0 sensitive Package Variable contract across declarations, Runtime Bindings selected-source resolution, hyard vars doctor, hyard vars explain, and any diagnostics added by this work. Sensitive values must be safe by default: env-only for P0, never defaulted, and redacted wherever users inspect variable state.

Current behavior / context:

#137 established schema 2 Runtime Bindings at .harness/vars.yaml. #138 added selected Runtime Bindings resolution plus P0 hyard vars doctor and hyard vars explain behavior, including placeholder support for sensitive metadata. This issue tightens that substrate into the sensitive-variable policy contract: declarations may mark variables sensitive, sensitive declarations cannot have defaults, sensitive selected values cannot come from inline values or files, and diagnostic/reporting surfaces must not print resolved sensitive values by default.

Desired behavior:

Package Variable declarations support a sensitive flag. Declaration validation rejects sensitive: true when a declaration also defines default. Runtime Bindings resolution rejects sensitive variables bound through inline value or value_from.file, accepts value_from.env when the referenced environment variable is present, and treats missing env values as diagnostics according to the existing doctor/explain model. hyard vars doctor reports sensitive policy violations as errors. hyard vars explain reports selected source, resolved status, required flag, sensitive flag, declaring package/orbit context, and selected scope while redacting sensitive values in both text and JSON output. Any install-time or variable diagnostics introduced by this work must reuse the same redaction behavior and avoid printing resolved sensitive values by default.

Key interfaces / constraints:

• Public CLI surface remains under hyard vars; keep command wrappers thin and route durable behavior into existing packages.
• Runtime Bindings remain schema 2 at .harness/vars.yaml.
• P0 sensitive source policy is env-only: reject inline value and value_from.file for sensitive declarations; accept value_from.env only when the referenced environment variable is present.
• Sensitive declaration defaults are invalid; do not silently ignore or resolve them.
• Centralize redaction behavior enough that doctor, explain text, explain JSON, and any new install-time/variable diagnostics are consistent.
• Preserve existing selected-resolution precedence from Runtime Bindings resolution, defaults, doctor, and explain #138 for non-sensitive variables.
• Do not introduce secret managers, encrypted storage, databases, services, background daemons, or auxiliary refs.

Acceptance criteria:

• Package Variable declarations support sensitive and reject sensitive: true declarations that also define default.
• Sensitive Package Variables reject Runtime Bindings that use inline value or value_from.file.
• Sensitive Package Variables accept value_from.env when the referenced environment variable is present.
• hyard vars doctor reports sensitive policy violations as errors.
• hyard vars explain redacts sensitive values in text and JSON output while still reporting selected source and resolved status.
• Any install-time or variable diagnostics introduced by this work use the same redaction behavior and do not print resolved sensitive values by default.

Validation plan:

• Unit: add focused declaration validation tests for sensitive, invalid sensitive defaults, and non-sensitive default compatibility.
• Unit: add selected-resolution/policy tests for sensitive inline value rejection, sensitive value_from.file rejection, sensitive value_from.env success when present, and missing env diagnostics.
• Unit: add redaction tests for shared diagnostic/explain output structures so sensitive resolved values are not exposed.
• Integration: add hyard vars doctor CLI coverage for sensitive policy errors.
• Integration: add hyard vars explain text and JSON coverage proving selected source/resolved status are reported while sensitive values are redacted.
• Regression risk: run mise run fix followed by mise run ci; also run sh ./scripts/test_release_surface_hyard.sh if help text, public command output contracts, or release-surface files change.

Out of scope:

• Secret-manager integrations, encrypted local storage, or prompting for secret values.
• Runtime Bindings schema migration or compatibility for schema 1 / .orbit/vars.yaml.
• Template usage scanning, unknown template reference scanning, shadowed candidate display, or full precedence-tree reporting.
• Typed validation, enum validation, JSON Schema generation, or non-P0 variable policy expansion.
• Interactive install onboarding beyond diagnostics directly introduced or touched by this sensitive-variable policy work.