Skip to content

docs(governance): secure agent-to-agent secret handover mechanism (#150)#152

Merged
claude[bot] merged 1 commit into
mainfrom
claude/issue-150-20260705-1012
Jul 9, 2026
Merged

docs(governance): secure agent-to-agent secret handover mechanism (#150)#152
claude[bot] merged 1 commit into
mainfrom
claude/issue-150-20260705-1012

Conversation

@github-actions

@github-actions github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Adds docs/SECURE_AGENT_SECRET_HANDOVER.md — a token-free, human-out-of-the-loop
protocol for delivering a password/token from a provider agent (FuzeInfra) to a
consumer agent (e.g. FuzeSocial): consumer-authoritative align, in-cluster
dead-drop, sealed-ciphertext handover, or GH-secret push — selected by what the
runner can reach. Never plaintext in an issue/PR/log; verification via one-way
sha256 fingerprint; sealed-ciphertext safe to publish anywhere.

Wires it into governance/datastore-provisioning.md and records the fuzesocial /
fuzesocial_app Postgres allocation (names only; owner+grants verified on prod;
consumer-authoritative credential lives in fuzesocial/fuzesocial-secrets).

Co-authored-by: Israel Weinberg izzywdev@users.noreply.github.com

Closes #150

izzywdev
izzywdev previously approved these changes Jul 9, 2026
@izzywdev

izzywdev commented Jul 9, 2026

Copy link
Copy Markdown
Owner

@claude resolve conflicts and get this merge

@claude

claude Bot commented Jul 9, 2026

Copy link
Copy Markdown

Claude finished @izzywdev's task in 3m 10s —— View job


✅ Conflicts resolved & PR merged

  • Fetch latest main and identify conflicts
  • Resolve conflicts
  • Push resolution
  • Confirm PR is mergeable — merged

What happened: main had been rewritten into a single squashed orphan commit, so this branch shared no common ancestor with it (refusing to merge unrelated histories). A normal merge/rebase wasn't possible, so I rebuilt the branch cleanly on top of the current main and re-applied the three intended changes.

The one real content conflict was governance/datastore-allocations.md: the PR's version predated #153, so taking it verbatim would have deleted the fuzesales / fuzecontact / fuzeservice rows (and the declarative-provisioning note) that landed in main via #153. I resolved it by merging — keeping all of main's rows and just appending the new fuzesocial row.

Final diff vs main+154 / −0, exactly the PR's stated intent:

File Change
docs/SECURE_AGENT_SECRET_HANDOVER.md +146 (new)
governance/datastore-provisioning.md +7 (credential-delivery block)
governance/datastore-allocations.md +1 (fuzesocial row, existing rows preserved)

The PR was already approved by @izzywdev, CI passed, and it is now merged into main.
· claude/issue-150-20260705-1012

Adds docs/SECURE_AGENT_SECRET_HANDOVER.md — a token-free, human-out-of-the-loop
protocol for delivering a password/token from a provider agent (FuzeInfra) to a
consumer agent (e.g. FuzeSocial): consumer-authoritative align, in-cluster
dead-drop, sealed-ciphertext handover, or GH-secret push — selected by what the
runner can reach. Never plaintext in an issue/PR/log; verification via one-way
sha256 fingerprint; sealed-ciphertext safe to publish anywhere.

Wires it into governance/datastore-provisioning.md and records the fuzesocial /
fuzesocial_app Postgres allocation (names only; owner+grants verified on prod;
consumer-authoritative credential lives in fuzesocial/fuzesocial-secrets).

Rebased onto rewritten main; merged the fuzesocial row into the current
allocations table without dropping the fuzesales/fuzecontact/fuzeservice
rows added by #153.

Co-authored-by: Israel Weinberg <99821070+izzywdev@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions github-actions Bot force-pushed the claude/issue-150-20260705-1012 branch from d8de511 to ab63993 Compare July 9, 2026 12:22
@claude claude Bot merged commit 64242b8 into main Jul 9, 2026
1 check passed
@claude claude Bot deleted the claude/issue-150-20260705-1012 branch July 9, 2026 12:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Provision fuzesocial DB + fuzesocial_app role on shared Postgres (Contabo k3s)

1 participant