docs: list is a non-sensitive index; secrets require get #46
Merged
Document the SPEC-list-field-scoping boundary: deployment.list and envgroup.list are non-sensitive indexes — env, mounted files, command/args, annotations and the signed log URLs require deployment.get, and env-group values require envgroup.get (list returns only a count).

- access/roles.md: explain that .list and .get differ in WHAT DATA they return, so a role can hold .list without .get and never see secrets.
- deployments/environment-variables.md: extend "Sensitive values" — the boundary is deployment.get, list never carries env (same for env groups).
- api/conventions.md: note that a list item can be a reduced projection of what get returns (deployment + env-group examples).
- deployments/overview.md: annotate the list vs get CLI examples.

Implements SPEC-list-field-scoping.md (docs). hugo build OK.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01N9FhPEapaKr4VugQBEdisj
What

Documents the SPEC-list-field-scoping.md boundary: deployment.list and envgroup.list are non-sensitive indexes. The environment, mounted files, command/args, annotations and the signed log URLs require deployment.get; env-group values require envgroup.get (the list returns only a count). A role can therefore hold .list without .get and never see secrets.

Changes

- access/roles.md — new paragraph after the permissions table: .list and .get differ in what data they return, not just scope; a deployment.list / envgroup.list-only role can enumerate without reading secrets.
- deployments/environment-variables.md — extend "Sensitive values": the boundary is deployment.get; deployment.list never carries env, and envGroup.list returns only envCount.
- api/conventions.md — note in the verb table that a list item can be a reduced projection of what get returns, with the deployment + env-group examples.
- deployments/overview.md — annotate the list vs get CLI examples.

Pairs with api#110 + apiserver#202 + console#286.

hugo build passes.
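
The list/get boundary described in this PR, sketched as an added example that is not code from this repository or from the API it documents: list handlers build items from an allowlist of index fields, and a leak check confirms that nothing outside the index reaches a list response. The permission names, `env` and `envCount` come from the PR text; every other field name, the helper names and all records are assumptions constructed for the illustration.

```python
# Added illustration, not the project's code. Permission names, env and envCount
# come from the PR text; other field names and all records are constructed.
DEPLOYMENT_INDEX = ("id", "name", "status")   # assumed non-sensitive list fields
ENVGROUP_INDEX = ("id", "name")               # assumed non-sensitive list fields
DEPLOYMENTS = [{
    "id": "d1", "name": "web", "status": "running",
    "env": {"DB_PASSWORD": "s3cr3t-constructed"},
    "files": {"/etc/app/key.pem": "PEM-constructed"},
    "command": ["serve", "--token=tok-constructed"],
    "annotations": {"owner": "team-a"},
    "logUrl": "https://logs.example.invalid/d1?sig=sig-constructed",
}]
ENVGROUPS = [{"id": "g1", "name": "shared",
              "env": {"API_KEY": "key-constructed", "REGION": "eu"}}]

class Forbidden(Exception):
    pass

def require(perms, needed):
    if needed not in perms:
        raise Forbidden(needed)

def list_deployments(perms):
    require(perms, "deployment.list")
    # Allowlist, not denylist: a sensitive field added later stays out of list.
    return [{k: d[k] for k in DEPLOYMENT_INDEX} for d in DEPLOYMENTS]

def get_deployment(perms, dep_id):
    require(perms, "deployment.get")
    return next(d for d in DEPLOYMENTS if d["id"] == dep_id)

def list_envgroups(perms):
    require(perms, "envgroup.list")
    return [{**{k: g[k] for k in ENVGROUP_INDEX}, "envCount": len(g["env"])}
            for g in ENVGROUPS]

def get_envgroup(perms, group_id):
    require(perms, "envgroup.get")
    return next(g for g in ENVGROUPS if g["id"] == group_id)

def leaves(obj):
    """Yield every key and scalar value in a nested dict/list structure."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key
            yield from leaves(value)
    elif isinstance(obj, (list, tuple)):
        for value in obj:
            yield from leaves(value)
    else:
        yield obj

def leaked(response, record, index):
    """Keys/values outside the index of `record` that appear in `response`."""
    sensitive = {k: v for k, v in record.items() if k not in index}
    return set(map(str, leaves(sensitive))) & set(map(str, leaves(response)))
```

Running `leaked` over list responses in a test suite catches a handler that starts returning the full record, because the check compares values as well as field names.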