feat(cred_inject): add value_prefix to CredInjectHeader #8
Merged
Conversation
Lets cred_inject prepend a literal prefix (e.g. "Bearer ") to the resolved credential value when composing the injected header, so a raw stored token can emit `Authorization: Bearer <token>`. Wires the new proto field through the YAML policy def, OPA serialization, and the sandbox CredInjectDirective. Empty prefix is a no-op (back-compat).
Summary

Adds a `value_prefix` field to the gateway's `cred_inject` mechanism so it can prepend a literal prefix (e.g. `"Bearer "`) to a raw stored credential when composing an injected header. This lets `cred_inject` emit `Authorization: Bearer <token>` from a token stored without the prefix — required for gateway-native OAuth refresh (which stores raw access tokens).

This is the sole fork delta for openlock's upcoming Claude `/login` subscription-billing feature.

Changes

- `proto/sandbox.proto`: `CredInjectHeader.value_prefix = 3` (field 3 free; `CredInjectHeader` is a fork-only message → no upstream collision).
- `crates/openshell-sandbox/src/secrets.rs`: `CredInjectDirective.value_prefix`, prepended at the header-composition site; new test `cred_inject_applies_value_prefix`.
- `opa.rs` (proto→OPA-JSON serialize) → Rego passthrough → `l7/mod.rs` (parse into directive). Also wired `crates/openshell-policy/src/lib.rs` YAML↔proto conversions.
- Empty `value_prefix` is a no-op → fully back-compatible (byte-identical output for existing directives).

Test Plan

- `cargo test -p openshell-sandbox -p openshell-policy` → 819 + 78 pass
- `cargo clippy --workspace --features openshell-prover/bundled-z3 -- -D warnings` → clean
- main (force-push per fork-sync flow), tag `vX.Y.0`, release workflow builds binaries
- `OPENSHELL_FORK_TAG` in openlock `src/sandbox/fork-binaries.ts`
- `apply_cred_inject` emits exactly one `Authorization: Bearer <raw>` (not zero, not double)
- Review artifact for the openlock subscription-billing work (openlock-ndb).
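The header-composition step the PR describes, as an added stand-alone Rust sketch that is not the fork's own `secrets.rs` code. The names `CredInjectDirective`, `value_prefix` and `apply_cred_inject` come from the PR text; the `header` and `secret_ref` fields, the `BTreeMap` secret store, the error type and the replace-any-existing-header behaviour are assumptions made here to show the three properties the test plan calls out: empty prefix is byte-identical to the raw value, a non-empty prefix yields `Bearer <raw>`, and exactly one `Authorization` header is emitted.

```rust
use std::collections::BTreeMap;

/// Stand-in for the fork's `CredInjectDirective` (example only; the field
/// names other than `value_prefix` are assumptions, not the real struct).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct CredInjectDirective {
    /// Header to inject, e.g. "Authorization".
    pub header: String,
    /// Key of the stored credential to resolve.
    pub secret_ref: String,
    /// Literal prefix prepended to the resolved value; "" means no-op.
    pub value_prefix: String,
}

/// Outbound header list as (name, value) pairs, in emission order.
pub type Headers = Vec<(String, String)>;

/// Compose the injected value: prefix bytes followed by the raw credential
/// bytes. Nothing is trimmed or de-duplicated, so a stored value that already
/// carries "Bearer " would be doubled; the store must hold raw tokens.
pub fn compose_value(value_prefix: &str, raw: &str) -> String {
    let mut v = String::with_capacity(value_prefix.len() + raw.len());
    v.push_str(value_prefix);
    v.push_str(raw);
    v
}

/// Resolve `directive.secret_ref` from `secrets` and inject the header.
/// Any pre-existing header with the same name (case-insensitive) is dropped
/// first, so exactly one copy is emitted: never zero, never two.
/// An unresolvable secret is an error rather than an empty header.
pub fn apply_cred_inject(
    headers: &mut Headers,
    directive: &CredInjectDirective,
    secrets: &BTreeMap<String, String>,
) -> Result<(), String> {
    let raw = secrets
        .get(&directive.secret_ref)
        .ok_or_else(|| format!("unresolved secret_ref {:?}", directive.secret_ref))?;
    let value = compose_value(&directive.value_prefix, raw);
    headers.retain(|(name, _)| !name.eq_ignore_ascii_case(&directive.header));
    headers.push((directive.header.clone(), value));
    Ok(())
}

/// Number of headers named `name` (case-insensitive).
pub fn count_header(headers: &Headers, name: &str) -> usize {
    headers.iter().filter(|(n, _)| n.eq_ignore_ascii_case(name)).count()
}

/// Value of the first header named `name`, if any.
pub fn header_value<'a>(headers: &'a Headers, name: &str) -> Option<&'a str> {
    headers
        .iter()
        .find(|(n, _)| n.eq_ignore_ascii_case(name))
        .map(|(_, v)| v.as_str())
}

fn main() {
    // Constructed sample: a raw token in the store and a client-supplied
    // Authorization header that the gateway must replace, not duplicate.
    let mut secrets = BTreeMap::new();
    secrets.insert("claude_access_token".to_string(), "tok_raw_123".to_string());
    let directive = CredInjectDirective {
        header: "Authorization".to_string(),
        secret_ref: "claude_access_token".to_string(),
        value_prefix: "Bearer ".to_string(),
    };
    let mut headers: Headers = vec![
        ("host".to_string(), "api.example.invalid".to_string()),
        ("authorization".to_string(), "Bearer client-supplied".to_string()),
    ];
    apply_cred_inject(&mut headers, &directive, &secrets).expect("inject");
    for (n, v) in &headers {
        println!("{n}: {v}");
    }
}
```

The replace-before-push in `apply_cred_inject` is what makes "not zero, not double" hold even when the sandboxed client sends its own `Authorization` header; the case-insensitive match matters because HTTP header names are case-insensitive and a naive exact-match retain would let `authorization` and `Authorization` coexist.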