Require user-provisioned release credentials
Hop-State: A_06FN6KM758JV6S44F6CA6W0 Hop-Proposal: R_06FN6KJWAY5XWVMCVQHCXKR Hop-Task: T_06FN6GZKFMRV2HP5N7XMNSR Hop-Attempt: AT_06FN6GZKFP22ZCFRXGB7V00
This commit is contained in:
@@ -73,6 +73,11 @@ variable or secret-manager name instead.
|
||||
- Do not run `git commit`, `git checkout`, `git switch`, `git branch`,
|
||||
`git rebase`, `git reset`, `git stash`, `git worktree`, or `git push`.
|
||||
- Do not stage files. Hop captures every nonignored workspace change.
|
||||
- Never create, rotate, enumerate, revoke, or paste account access tokens
|
||||
through a provider website or API. For release or publishing work, use only a
|
||||
credential the user has already provisioned in an OS secret store or supplied
|
||||
through the runtime's secret mechanism. If it is missing, stop and ask the
|
||||
user to provision it; do not call a token-management endpoint.
|
||||
- Give a subagent project-changing work only after creating a distinct Hop
|
||||
prompt/attempt for that delegation.
|
||||
- Never discard either side of concurrent work. Let Hop perform its three-way
|
||||
|
||||
@@ -158,6 +158,15 @@ sanitizer replaces detected credential values before any durable write and
|
||||
returns only typed redaction counts. Do not place the value in any later
|
||||
command, summary, output, or source file.
|
||||
|
||||
## Account credential boundary
|
||||
|
||||
Hop never creates, rotates, lists, or revokes provider access tokens. Agents
|
||||
must not use account token-management APIs or settings pages as a shortcut for
|
||||
publishing work. A release or publishing task may use only a pre-existing
|
||||
credential the user deliberately provisioned through an OS secret store or the
|
||||
runtime's secret mechanism. When that credential is absent or invalid, stop and
|
||||
ask the user to replace it; never mint a task-named token.
|
||||
|
||||
## Exit codes
|
||||
|
||||
| Code | Meaning |
|
||||
|
||||
Reference in New Issue
Block a user