Enforce sensitive Package Variable policy #146

Merged: zack-nova merged 1 commit into main from issue-139-sensitive-package-vars on May 12, 2026

@zack-nova
Owner

Summary

  • Enforces sensitive Package Variable declaration policy across manifest loading, install snapshots, declaration merging, and runtime resolution.
  • Reuses a shared redaction helper for resolved sensitive values and adds doctor coverage for sensitive inline binding diagnostics.

Linked Issue

Closes #139

Dev Brief Mapping

  • Acceptance criterion 1: Package Variable declarations support sensitive and reject sensitive: true declarations that also define default.
  • Acceptance criterion 2: Sensitive Package Variables reject Runtime Bindings that use inline value or value_from.file.
  • Acceptance criterion 3: Sensitive Package Variables accept value_from.env when the referenced environment variable is present.
  • Acceptance criterion 4: hyard vars doctor reports sensitive policy violations as errors.
  • Acceptance criterion 5: hyard vars explain redacts sensitive values in text and JSON output while still reporting selected source and resolved status.
  • Acceptance criterion 6: Install-time and variable diagnostics do not print resolved sensitive values by default.

What Changed

  • Added shared declaration validation that rejects sensitive defaults in author manifests, install records, merge compatibility, and runtime resolution.
  • Added shared runtime binding value redaction and routed vars explain through it.
  • Added focused tests for declaration rejection and a hyard vars doctor no-leak diagnostic case.

Validation

  • Command: mise run fix
  • Result: passed
  • Manual verification: repository formatting/lint fix workflow completed successfully.
  • Command: mise run ci
  • Result: passed
  • Manual verification: full repository CI workflow passed, including lint, Go tests, govulncheck, shell validation tests, and release surface checks.
  • Command: sh ./scripts/test_release_surface_hyard.sh
  • Result: passed
  • Manual verification: public hyard release-surface smoke checks passed.

Risk

  • Low to moderate: the new declaration validator is shared across multiple load and merge paths, so invalid historical sensitive defaults now fail earlier.

Out of Scope

  • No changes to Runtime Binding schema shape or precedence beyond enforcing the sensitive policy contract.

Reviewer Notes

  • Work was implemented in src-git/ inside the Symphony issue workspace because the root issue workspace Git metadata was locked against fetch/ref/index writes. The branch is pushed from the nested clone against current main.

Reject sensitive Package Variable defaults across template manifests, install snapshots, declaration merging, and runtime resolution.

Share sensitive value redaction for vars explain output and cover doctor diagnostics against inline sensitive value leaks.

Validation: mise run fix; mise run ci; sh ./scripts/test_release_surface_hyard.sh
@zack-nova zack-nova merged commit feb26e4 into main May 12, 2026
9 checks passed
@zack-nova zack-nova deleted the issue-139-sensitive-package-vars branch May 12, 2026 13:42
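
The policy listed in the acceptance criteria above, sketched as an added example; this is not the hyard code from this pull request. The type, field and function names, the `<redacted>` placeholder and the resolution order for non-sensitive variables are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// Hypothetical shapes; hyard's real schema is not shown on the page.
type Declaration struct {
	Name      string
	Sensitive bool
	Default   *string
}
type Binding struct {
	Value             *string // inline value
	FromFile, FromEnv string  // value_from.file, value_from.env
}
var ErrPolicy = errors.New("sensitive policy violation")
// Resolve enforces the policy, then resolves; error text never holds a value.
func Resolve(d Declaration, b Binding, env func(string) (string, bool)) (string, error) {
	switch {
	case d.Sensitive && d.Default != nil:
		return "", fmt.Errorf("%w: %s must not define default", ErrPolicy, d.Name)
	case d.Sensitive && (b.Value != nil || b.FromFile != ""):
		return "", fmt.Errorf("%w: %s must use value_from.env", ErrPolicy, d.Name)
	case b.FromEnv != "":
		if v, ok := env(b.FromEnv); ok {
			return v, nil
		}
	case b.Value != nil:
		return *b.Value, nil
	case d.Default != nil:
		return *d.Default, nil
	}
	return "", fmt.Errorf("%s: unresolved (file sources are not read here)", d.Name)
}

// Display returns what text or JSON diagnostics may show for a resolved value.
func Display(d Declaration, resolved string) string {
	if d.Sensitive {
		return "<redacted>" // placeholder text is an assumption
	}
	return resolved
}

func main() {
	_, err := Resolve(Declaration{Name: "api_token", Sensitive: true}, Binding{FromFile: "token.txt"}, os.LookupEnv)
	fmt.Println(err) // names the variable and the rule, not a value
}
```
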
Development

Successfully merging this pull request may close these issues.

Sensitive Package Variable policy and redaction