feat(registry): v0.4 Phase 2b — registry invite#51
Merged
TechAlchemistX merged 1 commit into main on Apr 20, 2026
Adds `secretenv registry invite [--registry <name>] [--invitee <id>]
[--json]` — emits a copy-pasteable onboarding payload for sharing a
registry with a new collaborator.
Three sections in the human output:
1. The `config.toml` snippet the new user adds. Mirrors every
non-`type` field from the inviter's `[backends.<instance>]`
block, sorted for determinism. Strict-mock test-only fields
(`aws_bin`, `vault_bin`, `op_bin`, `gcloud_bin`, `az_bin`) are
filtered so production snippets never leak mock-binary paths.
The snippet round-trips through `Config::from_str` — locked by
`config_block_round_trips_through_config_loader`.
2. The IAM/RBAC grant command the inviter runs as administrator.
Hand-tuned per backend type:
   - aws-ssm → aws iam attach-user-policy --policy-arn AmazonSSMReadOnlyAccess
   - aws-secrets → same shape with SecretsManagerReadWrite
   - 1password → op vault user grant ... (vault name extracted from URI path)
   - vault → vault policy write + vault token create
   - gcp → gcloud secrets add-iam-policy-binding ... --role roles/secretmanager.secretAccessor
   - azure → az role assignment create --role "Key Vault Secrets User"
   - local → filesystem/git guidance, no CLI grant
   - unknown → generic "no canonical template" pointer
3. Two universal verify steps the invitee runs to confirm
onboarding (`secretenv doctor`, `secretenv registry list`).
`--invitee <id>` substitutes a real identifier into the grant; absent,
the placeholder is `<INVITEE>` so operators can sub it in later.
`--json` emits the same `Invitation` struct as a stable JSON shape for
internal-tooling consumers.
Tests:
- 16 unit tests in `invite.rs` covering selection error paths (URI not Name, missing registry, missing backend instance), all 7 per-backend grant arms (including unknown-type fallback), config-block round-trip through Config loader, test-only field filtering (no aws_bin leak), bare-key vs needs-quoting heuristic, and both human + JSON renderers.
- 3 CLI integration tests: end-to-end against the local-backend fixture (sectioned output + invitee propagation), JSON round-trip, and clap --help discoverability lock for --invitee + --json.
Workspace tests: 493/493 (was 474; +19). fmt + clippy + deny + audit
clean (CI-style `--all-targets --workspace -- --deny warnings` form).
Refs build-plan-v0.4 §Phase 2.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: TechAlchemistX <mandeep@techalchemist.io>
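The three-section payload described in the message above, as an added illustration that is not the project's `invite.rs`: a hypothetical `BackendBlock` model, the test-only field filter, sorted rendering with the bare-key vs needs-quoting heuristic, the per-backend grant arm with the `<INVITEE>` placeholder, and the two verify steps. Full command flags, policy ARNs and the `<SECRET>` / `<KEY_VAULT_SCOPE>` placeholders are assumptions of this example, not taken from the PR.

```rust
use std::collections::BTreeMap;

/// Hypothetical model of the inviter's `[backends.<instance>]` block.
/// `fields` holds every non-`type` key; BTreeMap keeps them sorted.
#[derive(Debug, Clone)]
pub struct BackendBlock {
    pub instance: String,
    pub backend_type: String,
    pub fields: BTreeMap<String, String>,
}

/// Strict-mock test-only fields that must never leak into a shared snippet.
const TEST_ONLY_FIELDS: &[&str] = &["aws_bin", "vault_bin", "op_bin", "gcloud_bin", "az_bin"];

#[derive(Debug, PartialEq)]
pub struct Invitation {
    pub config_block: String,
    pub grant_command: String,
    pub verify_steps: Vec<String>,
}

/// Bare TOML key heuristic: ASCII letters, digits, '-' and '_' only.
pub fn is_bare_key(key: &str) -> bool {
    !key.is_empty() && key.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_')
}

fn toml_string(v: &str) -> String {
    format!("\"{}\"", v.replace('\\', "\\\\").replace('"', "\\\""))
}

fn toml_key(k: &str) -> String {
    if is_bare_key(k) { k.to_string() } else { toml_string(k) }
}

/// Section 1: the config.toml snippet the invitee pastes. Sorted, test-only fields dropped.
pub fn render_config_block(b: &BackendBlock) -> String {
    let mut out = format!("[backends.{}]\ntype = {}\n", toml_key(&b.instance), toml_string(&b.backend_type));
    for (k, v) in b.fields.iter().filter(|(k, _)| !TEST_ONLY_FIELDS.contains(&k.as_str())) {
        out.push_str(&format!("{} = {}\n", toml_key(k), toml_string(v)));
    }
    out
}

/// First path segment of a `scheme://name/...` URI (1Password vault name), if any.
fn vault_name_from_uri(uri: &str) -> Option<&str> {
    let rest = uri.split_once("://")?.1;
    rest.split('/').next().filter(|s| !s.is_empty())
}

/// Section 2: the administrator grant command, one arm per backend type.
/// Without `--invitee`, the literal placeholder `<INVITEE>` is emitted.
pub fn render_grant(b: &BackendBlock, invitee: Option<&str>) -> String {
    let who = invitee.unwrap_or("<INVITEE>");
    match b.backend_type.as_str() {
        "aws-ssm" => format!("aws iam attach-user-policy --user-name {who} --policy-arn arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess"),
        "aws-secrets" => format!("aws iam attach-user-policy --user-name {who} --policy-arn arn:aws:iam::aws:policy/SecretsManagerReadWrite"),
        "1password" => {
            let vault = b.fields.get("uri").and_then(|u| vault_name_from_uri(u)).unwrap_or("<VAULT>");
            format!("op vault user grant --vault {vault} --user {who} --permissions allow_viewing")
        }
        "vault" => format!("vault policy write {who}-read policy.hcl && vault token create -policy={who}-read"),
        "gcp" => format!("gcloud secrets add-iam-policy-binding <SECRET> --member=user:{who} --role=roles/secretmanager.secretAccessor"),
        "azure" => format!("az role assignment create --assignee {who} --role \"Key Vault Secrets User\" --scope <KEY_VAULT_SCOPE>"),
        "local" => "local backend: share the registry directory via the filesystem or git; no CLI grant needed".to_string(),
        other => format!("no canonical grant template for backend type {other:?}; grant read access manually"),
    }
}

/// Assembles all three sections into the struct `--json` would serialise.
pub fn invite(b: &BackendBlock, invitee: Option<&str>) -> Invitation {
    Invitation {
        config_block: render_config_block(b),
        grant_command: render_grant(b, invitee),
        verify_steps: vec!["secretenv doctor".to_string(), "secretenv registry list".to_string()],
    }
}

fn main() {
    // Constructed sample block, including a mock-binary path that must be filtered out.
    let mut fields = BTreeMap::new();
    fields.insert("region".to_string(), "us-east-1".to_string());
    fields.insert("aws_bin".to_string(), "/tmp/mock-aws".to_string());
    let b = BackendBlock { instance: "prod".to_string(), backend_type: "aws-ssm".to_string(), fields };
    let inv = invite(&b, Some("alice"));
    println!("{}\n{}\n{:?}", inv.config_block, inv.grant_command, inv.verify_steps);
}
```

The important property is that filtering happens at render time, not by editing the inviter's config, so the inviter's own mock-binary settings stay intact while the shared snippet never carries them.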
Summary
v0.4 Phase 2b lands per build-plan-v0.4: `secretenv registry invite [--registry <name>] [--invitee <id>] [--json]` — emits a copy-pasteable onboarding payload for sharing a registry with a new collaborator.
Three sections in human output:
`--invitee <id>` substitutes a real identifier into the grant; absent, the placeholder is `<INVITEE>` so operators can sub it in later. `--json` emits the same `Invitation` struct as a stable JSON shape.
Tests
Test plan
Out of scope
🤖 Generated with Claude Code