Expand description
Per-session approve-on-use cache for @secret:<path>
resolution per ADR-023 §3.7 (P25.4).
When a manifest entry’s approve_on_use is Session or
PerCall, every alias resolve must surface the
secrets_request_use_approval dialog before the value
reaches the consumer. The agent picks one of three
decisions:
Once— single resolve, no caching.AlwaysSession— cache the approval for the chosen TTL.Deny— refuse the resolve.
SessionApprovalCache holds the AlwaysSession decisions
for the lifetime of one process. The cache is intentionally
advisory: it lives in devboy-core (the lowest leaf of
the dependency graph) so any consumer — config loader,
router, MCP server — can reuse the same gate logic without
pulling in devboy-storage or the dialog crate.
The dialog and the storage manifest both stay decoupled
from this module: devboy-storage exposes the
ApproveOnUse enum on its IndexEntry, and a small
From bridge in that crate turns it into the local
ApproveOnUsePolicy enum so this cache stays
dependency-free.
Structs§
- Approval
Gated Resolver - Type-safe wrapper that enforces the approve-on-use policy
before dispatching to an inner
SecretResolver. This is what closes the loop on the P25 protocol — a resolver that is not gated through this wrapper makes theapprove_on_usefield a metadata-only theatrical control. - Session
Approval Cache - Process-lifetime cache of
AlwaysSessionapprovals, keyed by ADR-020 path. Mutex-guarded — accesses are infrequent (one per resolve at most) and short.
Enums§
- Approval
Gate - What a consumer must do before resolving a
@secret:<path>alias. Returned bySessionApprovalCache::evaluate. - Approve
OnUse Policy - Mirror of
devboy_storage::index::ApproveOnUseexposed here so the cache is reachable fromdevboy-corewithout a circular dependency.devboy-storageprovides aFromimpl from its own enum.