feat: expose agents-webhook-secret-regenerate (destructive)

[mikemolinet]

Summary

Exposes cueapi agents webhook-secret regenerate as the agents-webhook-secret-regenerate Action command. Closes Backlog row cmousycjv (Drift-audit deferred 2026-05-07; re-claimed + verified-genuinely-open 2026-05-09 via action.yml inspection).

What's added

• action.yml:
  • Add agents-webhook-secret-regenerate to the command input description (Agent identity section), with a callout noting it's destructive + always passes --yes since CI has no interactive confirm.
  • New runs.steps case branch: cmd=(cueapi agents webhook-secret regenerate); [ -n "$REF" ] && cmd+=("$REF"); cmd+=(--yes).
  • Update the unsupported-command error message to include the new command.
• parity-manifest.json:
  • Move from commands_missing_from_action to commands_exposed_via_action.
  • Provenance note: "ported from Backlog row cmousycjv (Drift-audit deferred 2026-05-07; ported 2026-05-09)".

Behavior

- uses: cueapi/cueapi-action@v1
  with:
    command: agents-webhook-secret-regenerate
    ref: scout@govind   # or agt_xxx
    api-key: ${{ secrets.CUEAPI_API_KEY }}

Server-side: the underlying POST /v1/agents/{ref}/webhook-secret/regenerate requires X-Confirm-Destructive: true (substrate gate against accidental rotation). The CLI sends this header automatically when invoked with --yes. The new secret is printed to stdout for the caller to capture (e.g. via outputs: in a downstream step).

Operator caveat: rotation drops the old secret immediately. In-flight webhook deliveries already signed with the old secret will fail signature verification on the consumer side. Coordinate consumer-side updates if you need zero-downtime rotation.

Stats

• 2 files changed (+17/-4).

Test plan

• python3 -c "import yaml; yaml.safe_load(open('action.yml'))" passes
• python3 -c "import json; json.load(open('parity-manifest.json'))" passes
• Verified upstream cueapi agents webhook-secret regenerate <ref> --yes exists in cueapi-cli (PR #28, merged 2026-05-04). Action invocation matches the CLI shape.
• action.yml runs section follows the same shape as the existing agents-webhook-secret-get case (added immediately after for visual proximity).
• Unsupported-command error message updated to keep the supported-list comprehensive.

Related

• Backlog row: cmousycjv (Parity port: agents-webhook-secret-regenerate destructive → cueapi-action)
• Upstream CLI: PR feat: add cueapi agents command group (messaging primitive — identity + inbox + sent) cueapi-cli#28 (merged 2026-05-04 — added the full agents commands group including this subcommand)
• Server-side: POST /v1/agents/{ref}/webhook-secret/regenerate (cueapi-core; documented in docs/agents.md shipped today via PR #68)

Closes

• Closes cmousycjv000504jr0zsiu826 (Parity port: agents-webhook-secret-regenerate destructive → cueapi-action)

🤖 Generated with Claude Code