Expand description
SecretBroker that reads CELLOS_SECRET_<KEY> from the process environment.
Intended for CI runners and shell-level composition where the host or CI system has already injected secrets as environment variables. For workload-identity (OIDC) flows, use a dedicated OIDC broker crate instead.
§Revocation
revoke_for_cell is a documented no-op: environment variables cannot be unset from
a parent process after injection. Isolation relies on the cell model’s teardown
semantics (cleared subprocess env, short TTLs) rather than runtime revocation.
§Correlation propagation (Tranche-1 seam-freeze G1)
This broker has no upstream session of its own (env vars are stamped before
the supervisor starts) and therefore returns None from
SecretBroker::broker_correlation_id. The supervisor falls back to the
operator-supplied spec.correlation.correlationId for cross-tool
correlation in that case. Future env-style brokers that observe a CI
workflow run ID (e.g. GITHUB_RUN_ID) MAY override broker_correlation_id
to thread that ID into every event the supervisor emits for the cell that
consumed the resolved secret.
Structs§
- EnvSecret
Broker - Resolves secrets from environment variables using the pattern
CELLOS_SECRET_<UPPER_KEY>.