docs(plan): DNS providers + DynDNS + scoped secret-set SPEC#735
Merged
Caveman SPEC covering:
- Namecheap plugin (go-namecheap-sdk-backed) — T5..T8
- Hover plugin (scraper+TOTP, no SDK) — T9..T13
- Dynamic DNS module (multi-source IP detect, exp backoff) — T14..T16
- wfctl secrets set --scope ∈ {repo,env,org} (default repo) — T1..T2
- wfctl secrets setup --plugin: prompt for plugin-declared required_secrets[] + write to chosen scope — T3..T4
- Registry + scenarios + docs + integration tests — T17..T20
20 tasks, 16 constraints, 18 invariants. Status §B empty.
Ships as multiple PRs across workflow, workflow-plugin-namecheap
(new repo), workflow-plugin-hover (new repo), workflow-registry.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
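The DynDNS bullet above ("multi-source IP detect, exp backoff") names the two behaviours but not how the sources are combined. The following is an added example, not code from the workflow project or from this PR: it assumes a strict-majority rule across the configured echo sources (the plan only says "multiple sources for redundancy"), rejects unparsable or non-public answers, and computes a capped exponential backoff for the retry loop. `IPSource`, `DetectPublicIP` and `NextBackoff` are my names, and the sources are plain functions so the program runs offline.

```go
package main

// Added example (not the workflow project's DynDNS module): a model of the
// "multi-source IP detect, exp backoff" bullet. Majority agreement as the
// acceptance rule and the IPSource shape are my assumptions, not the spec's.

import (
	"errors"
	"fmt"
	"net"
	"strings"
	"time"
)

// IPSource is one public-IP echo service. A real source does an HTTPS GET;
// here Fetch is a plain function so the example runs offline.
type IPSource struct {
	Name  string
	Fetch func() (string, error)
}

// DetectPublicIP asks every source and accepts an address only when a strict
// majority of the configured sources agree on it, so one failing, stale or
// tampered source cannot move the DNS record on its own. Answers that are
// unparsable or not routable on the public internet count as failures.
func DetectPublicIP(sources []IPSource) (net.IP, error) {
	if len(sources) == 0 {
		return nil, errors.New("no ip sources configured")
	}
	votes := map[string]int{}
	var problems []string
	for _, s := range sources {
		raw, err := s.Fetch()
		if err != nil {
			problems = append(problems, fmt.Sprintf("%s: %v", s.Name, err))
			continue
		}
		ip := net.ParseIP(strings.TrimSpace(raw))
		if ip == nil || ip.IsPrivate() || ip.IsLoopback() || ip.IsUnspecified() {
			problems = append(problems, fmt.Sprintf("%s: implausible answer %q", s.Name, raw))
			continue
		}
		votes[ip.String()]++
	}
	need := len(sources)/2 + 1
	for addr, n := range votes {
		if n >= need {
			return net.ParseIP(addr), nil
		}
	}
	return nil, fmt.Errorf("no majority among %d sources: votes=%v problems=%v",
		len(sources), votes, problems)
}

// NextBackoff is the wait before retry number attempt (0-based) after a failed
// detection: base doubled per attempt and capped at ceiling. A successful
// detection returns the caller to the normal polling cadence.
func NextBackoff(attempt int, base, ceiling time.Duration) time.Duration {
	d := base
	for i := 0; i < attempt && d < ceiling; i++ {
		d *= 2
	}
	if d > ceiling {
		return ceiling
	}
	return d
}

func main() {
	// Constructed sources standing in for the three services named in the plan.
	sources := []IPSource{
		{Name: "icanhazip", Fetch: func() (string, error) { return "203.0.113.7\n", nil }},
		{Name: "ifconfig.me", Fetch: func() (string, error) { return "", errors.New("timeout") }},
		{Name: "opendns", Fetch: func() (string, error) { return "203.0.113.7", nil }},
	}
	ip, err := DetectPublicIP(sources)
	fmt.Println("detected:", ip, "err:", err)
	for attempt := 0; attempt < 4; attempt++ {
		fmt.Println("backoff after failure", attempt, NextBackoff(attempt, 30*time.Second, 10*time.Minute))
	}
}
```

With this rule a single tampered or stale source cannot move the record: if fewer than a majority agree, the caller skips the update and waits `NextBackoff` before re-checking, dropping back to the normal polling cadence after the next successful detection.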
Pull request overview
Adds a new Caveman SPEC plan document describing a staged implementation for DNS provider plugins (Namecheap + Hover), a DynDNS module, and GitHub Actions secret scoping + plugin-declared required secrets as part of a broader multi-PR delivery.
Changes:
- Introduces a new plan/SPEC for DNS provider plugins and DynDNS behavior, including login/auth flows and invariants.
- Specifies proposed `wfctl secrets` CLI extensions for scoped secret writes (repo/env/org) and plugin-driven secret prompting.
- Outlines a 20-task execution plan spanning core workflow changes, new external plugins, scenarios, and docs.
| @@ -0,0 +1,111 @@ | |||
| # DNS providers + DynDNS + scoped secret-set | |||
|
|
|||
| Caveman SPEC. See `FORMAT.md` for grammar. | |||
Comment on lines +50 to +54
| env: HOVER_USERNAME ! set if iac.dns provider=hover | ||
| env: HOVER_PASSWORD ! set (sensitive) | ||
| env: HOVER_TOTP_SECRET ! set (sensitive; base32 seed) | ||
| manifest: plugin.json required_secrets[] = [{name, sensitive, description, prompt}] | ||
| ``` |
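Review bot: only `HOVER_USERNAME` carries the `set if iac.dns provider=hover` condition; as written, `HOVER_PASSWORD` and `HOVER_TOTP_SECRET` read as unconditionally required for every deployment. Either repeat the condition on each line or state once that the whole block applies only when the Hover provider is selected. The manifest entry `required_secrets[] = [{name, sensitive, description, prompt}]` should also make `sensitive: true` mandatory for the password and the base32 seed and say what `sensitive` buys at setup time (masked prompt, value never echoed into logs or shell history), since password plus TOTP seed together are full control of the registrar login.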
Comment on lines +44 to +46
| cmd: `wfctl secrets set <name> --scope <repo|env|org> [--env <env>] [--visibility <all|selected|private>]` | ||
| cmd: `wfctl secrets setup --plugin <plugin-name> [--scope <repo|env|org>]` | ||
| cmd: `wfctl secrets setup --provider <namecheap|hover|...>` (alias above) |
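Review bot: `--env` and `--visibility` on `secrets set` only make sense with `--scope env` and `--scope org` respectively, but the grammar admits any combination; the spec should state the validation (`--scope env` without `--env` is an error, `--visibility` with a non-org scope is an error) rather than leaving flags to be silently ignored. `secrets setup --plugin` accepts `--scope` but has no `--env` or `--visibility` pass-through, so it cannot write plugin secrets to an environment or set org visibility; either add the two flags or state that setup targets repo and org-default only. `--provider` is defined only as "(alias above)"; spell out how a provider name maps to a plugin name.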
Comment on lines +83 to +84
| T1|.|workflow: extend secrets.GitHubSecretsProvider w/ scope (repo|env|org) constructor + Put switch on scope|C5,C6,C7,V4,V5,V6,V16,V17 | ||
| T2|.|wfctl secrets set --scope flag + delegation to scoped provider; default repo|C5,V18 |
| C10: dyndns ! polling cadence default = 5m; configurable | ||
| C11: dyndns IP-detect sources: icanhazip | ifconfig.me | opendns ; multiple sources for redundancy | ||
| C12: TOTP code generation in-process; ⊥ external `oathtool` dep | ||
| C13: Namecheap auth = (api_user, api_key, client_ip allowlist); wfctl secrets setup writes api_user + api_key |
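Review bot: C11 lists three third-party IP-echo endpoints and says "multiple sources for redundancy" without saying how disagreement is resolved. A single stale or compromised source must not be able to move the DNS record, so the constraint should name the rule (for example, update only when a majority agree; treat total disagreement or all-failed as no-op plus the C10/backoff wait) and require HTTPS for every source. C13's `client_ip allowlist` also interacts with C11: when the runner's egress IP changes, Namecheap API calls fail until the allowlist is refreshed, so the spec should say whether the DynDNS module updates the allowlist or the operator does. C12's in-process TOTP is the right call; add that the base32 seed is decoded only for code generation and never written to logs.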
Implements T1+T2 of docs/plans/2026-05-20-dns-providers.md.
secrets/github_provider.go:
- New GitHubSecretScope enum (repo | env | org).
- New GitHubOrgVisibility enum (all | selected | private).
- NewGitHubOrgSecretsProvider mints an org-scoped provider with
required-field validation (selected requires repoIDs; visibility
set must be canonical).
- secretsURL() switches on scope (/orgs/{org}, /repos/.../environments,
or repo default).
- Set() includes visibility + selected_repository_ids in PUT payload
when scope=org. Repo + env scopes keep existing shape.
- SetEnvironment("foo") flips scope to env; SetEnvironment("")
reverts to repo.
- Public Scope() reporter.
cmd/wfctl/secrets_detect.go:
- secrets set --scope repo|env|org
- env: --env <name> required; loads repo from app.yaml.
- org: --org <slug> required; --visibility flag (default all);
bypasses app.yaml.
- --token-env for non-default GH PAT env var.
5 new tests: OrgScopeURL, OrgScope_Selected_RequiresRepoIDs,
OrgScope_PrivateVisibility, RepoScope_NoVisibility, ScopeReporter.
Existing wfctl + secrets suites green.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
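The scope switch the commit message describes, as an added example that is not the workflow project's `secrets` package: it models the `GitHubSecretScope` and `GitHubOrgVisibility` enums, the org-scope constructor validation (`selected` requires repo IDs, visibility must be canonical), `SetEnvironment` flipping between repo and env, the per-scope endpoint, and the PUT body that carries `visibility` and `selected_repository_ids` only for org scope. The endpoint paths and body fields are the GitHub REST API shapes as I know them; the type and method names are mine and need not match the project's.

```go
package main

// Added example (not the workflow project's secrets package): a model of the
// scope switching the commit message describes. URL and PUT-body shapes follow
// the GitHub REST API as I understand it; the names here are my own.

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

type GitHubSecretScope string
type GitHubOrgVisibility string

const (
	ScopeRepo          GitHubSecretScope   = "repo"
	ScopeEnv           GitHubSecretScope   = "env"
	ScopeOrg           GitHubSecretScope   = "org"
	VisibilityAll      GitHubOrgVisibility = "all"
	VisibilitySelected GitHubOrgVisibility = "selected"
	VisibilityPrivate  GitHubOrgVisibility = "private"
)

// ScopedSecretsProvider names the target of a secret write; only the fields
// that belong to Scope are consulted.
type ScopedSecretsProvider struct {
	Scope                 GitHubSecretScope
	Owner, Repo, Env, Org string
	Visibility            GitHubOrgVisibility
	RepoIDs               []int64 // org scope, visibility=selected only
}

// NewOrgSecretsProvider rejects bad org-only combinations before any token is used.
func NewOrgSecretsProvider(org string, vis GitHubOrgVisibility, repoIDs []int64) (*ScopedSecretsProvider, error) {
	if org == "" {
		return nil, errors.New("org slug is required")
	}
	switch vis {
	case VisibilityAll, VisibilitySelected, VisibilityPrivate:
	default:
		return nil, fmt.Errorf("visibility %q is not one of all|selected|private", vis)
	}
	if vis == VisibilitySelected && len(repoIDs) == 0 {
		return nil, errors.New("visibility=selected requires at least one repository id")
	}
	return &ScopedSecretsProvider{Scope: ScopeOrg, Org: org, Visibility: vis, RepoIDs: repoIDs}, nil
}

// SetEnvironment flips a repo provider to env scope; "" reverts to repo.
func (p *ScopedSecretsProvider) SetEnvironment(name string) error {
	if p.Scope == ScopeOrg {
		return errors.New("environments are repo-level; an org provider cannot target one")
	}
	p.Env, p.Scope = name, ScopeEnv
	if name == "" {
		p.Scope = ScopeRepo
	}
	return nil
}

// SecretsURL picks the PUT endpoint for secret name under the current scope.
func (p *ScopedSecretsProvider) SecretsURL(name string) (string, error) {
	e := url.PathEscape
	switch p.Scope {
	case ScopeOrg:
		return fmt.Sprintf("https://api.github.com/orgs/%s/actions/secrets/%s", e(p.Org), e(name)), nil
	case ScopeEnv:
		return fmt.Sprintf("https://api.github.com/repos/%s/%s/environments/%s/secrets/%s", e(p.Owner), e(p.Repo), e(p.Env), e(name)), nil
	case ScopeRepo:
		return fmt.Sprintf("https://api.github.com/repos/%s/%s/actions/secrets/%s", e(p.Owner), e(p.Repo), e(name)), nil
	}
	return "", fmt.Errorf("unknown scope %q", p.Scope)
}

type putSecretBody struct {
	EncryptedValue        string  `json:"encrypted_value"`
	KeyID                 string  `json:"key_id"`
	Visibility            string  `json:"visibility,omitempty"`
	SelectedRepositoryIDs []int64 `json:"selected_repository_ids,omitempty"`
}

// PutPayload builds the request body. Plaintext never reaches this layer:
// encryptedValue is the sealed-box ciphertext for the target's public key.
func (p *ScopedSecretsProvider) PutPayload(encryptedValue, keyID string) ([]byte, error) {
	if encryptedValue == "" || keyID == "" {
		return nil, errors.New("encrypted value and key id are required")
	}
	body := putSecretBody{EncryptedValue: encryptedValue, KeyID: keyID}
	if p.Scope == ScopeOrg {
		body.Visibility = string(p.Visibility)
		if p.Visibility == VisibilitySelected {
			body.SelectedRepositoryIDs = p.RepoIDs
		}
	}
	return json.Marshal(body)
}

func main() {
	p := &ScopedSecretsProvider{Scope: ScopeRepo, Owner: "acme", Repo: "app"} // constructed target
	_ = p.SetEnvironment("prod")
	u, _ := p.SecretsURL("HOVER_TOTP_SECRET")
	body, _ := p.PutPayload("c2VhbGVk", "key-id-placeholder") // constructed ciphertext and key id
	fmt.Println(u, string(body))
}
```

The body takes the sealed-box ciphertext and key id rather than the plaintext, so the scope layer never sees the secret value, and the `selected`-needs-repo-IDs check sits in the constructor so a bad combination fails before any token is spent.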
Benchmark Results: ✅ No significant performance regressions detected (benchstat comparison, baseline → PR).
Codecov Report: ❌ Patch coverage is
Caveman SPEC for Namecheap + Hover + DynDNS + scoped GH secret-set + plugin-declared required-secrets. 20 tasks. Implementation ships as multi-PR cascade.