Add just-in-time credential leases (zero standing privilege) #241

Merged: JE-Chen merged 1 commit into dev from feat/credential-lease-batch on Jun 19, 2026

Conversation

JE-Chen (Member) commented Jun 19, 2026

Security/PAM batch — completes the governance set begun with the maker-checker gate. Full layers + tests + EN/Zh v33 docs + README.

Feature (utils/governance/credential_broker.py, pure-stdlib)

  • CredentialBroker: a consumer takes a short-lived lease (lease(name, ttl) → token bound to a secret name + expiry). The real value is fetched only at redeem time, only while valid, through a pluggable resolver (an unlocked SecretManager's get, an env lookup, a vault client). is_valid/revoke/active. Clock + resolver injectable → deterministic expiry tests, no real vault.
  • Secret values never enter executor/MCP records. The executor/MCP/Builder surfaces manage the lease lifecycle only: AC_lease_secret / AC_lease_valid / AC_revoke_lease / AC_lease_active (+ ac_*, Builder under Tools). redeem, which returns the value, is a deliberate Python-API-only escape hatch — there is intentionally no redeem command. Module-level default_broker + set_secret_resolver.

Verification

  • 9 tests pass (redeem-while-valid, expiry via injected clock, revoke, no-resolver, unknown-secret, active excludes-expired/hides-values, executor lifecycle round-trip, wiring); ruff clean; radon no CC≥C; bandit clean; PySide6-free.
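An added illustration of the lease model described above; this is not the project's credential_broker.py, and the class, method and argument names are assumed from the description. Tokens bind a secret name and an expiry, the real value is fetched only at redeem time through an injected resolver, and the clock is injected so expiry can be tested without sleeping.

```python
import secrets
import time
from dataclasses import dataclass


class LeaseError(Exception):
    """Raised when a token cannot be redeemed: expired, revoked, unknown, or no resolver."""


@dataclass
class _Lease:
    secret_name: str  # the lease references a secret by name only, never by value
    expires_at: float
    revoked: bool = False


class CredentialBroker:
    """Hypothetical JIT lease broker: tokens carry a secret name and an expiry, never a value."""
    def __init__(self, resolver=None, clock=time.monotonic):
        self._resolver = resolver  # callable name -> value (vault client, env lookup, ...)
        self._clock = clock        # injectable clock so expiry is testable deterministically
        self._leases: dict[str, _Lease] = {}

    def lease(self, name: str, ttl: float) -> str:
        token = secrets.token_urlsafe(16)  # opaque handle; no secret material inside
        self._leases[token] = _Lease(name, self._clock() + ttl)
        return token

    def is_valid(self, token: str) -> bool:
        lease = self._leases.get(token)
        return lease is not None and not lease.revoked and self._clock() < lease.expires_at

    def revoke(self, token: str) -> bool:
        lease = self._leases.get(token)
        if lease is None:
            return False
        lease.revoked = True
        return True

    def active(self) -> list[dict]:
        # Exposes only the secret name and remaining TTL; expired and revoked leases are omitted.
        now = self._clock()
        return [{"secret": l.secret_name, "remaining": l.expires_at - now}
                for l in self._leases.values() if not l.revoked and now < l.expires_at]

    def redeem(self, token: str) -> str:
        # The only path that yields a real value, and only while the lease is still valid.
        if not self.is_valid(token):
            raise LeaseError("lease expired, revoked or unknown")
        if self._resolver is None:
            raise LeaseError("no secret resolver configured")
        return self._resolver(self._leases[token].secret_name)
```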

codacy-production commented

Up to standards ✅

🟢 Issues: 0 new issues

🟢 Metrics: complexity 19 · duplication 0

@JE-Chen JE-Chen merged commit a442db4 into dev Jun 19, 2026
16 checks passed
@JE-Chen JE-Chen deleted the feat/credential-lease-batch branch June 19, 2026 14:46