commit 07be61b48ac53deb4f83b4aa373f22b40786c88f
parent 002d16da89328f345cb7bf1e1d78a08ad08fb2da
Author: triesap <tyson@radroots.org>
Date: Thu, 9 Apr 2026 17:50:48 +0000
runtime: report reserved hyf secret posture
Diffstat:
3 files changed, 157 insertions(+), 4 deletions(-)
diff --git a/src/hyf_runtime/secrets.mojo b/src/hyf_runtime/secrets.mojo
@@ -0,0 +1,41 @@
+from hyf_runtime.paths import RuntimePaths, join_runtime_path
+
+
+# Runtime status posture only: do not load, create, wrap, or persist secrets here.
+comptime _DEFAULT_SECRET_BACKEND = "encrypted_file"
+comptime _SECRET_STORAGE_STATUS = "reserved_pending_shared_secret_storage"
+comptime _PROTECTED_LOCAL_DATA_STATUS = "reserved_pending_protected_store"
+
+
+def default_secret_backend_name() -> String:
+ return _DEFAULT_SECRET_BACKEND
+
+
+def secret_storage_status_name() -> String:
+ return _SECRET_STORAGE_STATUS
+
+
+def secret_storage_backend_implemented() -> Bool:
+ return False
+
+
+def identity_material_loaded() -> Bool:
+ return False
+
+
+def identity_material_created_by_startup() -> Bool:
+ return False
+
+
+def protected_local_data_status_name() -> String:
+ return _PROTECTED_LOCAL_DATA_STATUS
+
+
+def protected_local_data_store_open() -> Bool:
+ return False
+
+
+def protected_local_data_dir_for_runtime_paths(
+ paths: RuntimePaths,
+) raises -> String:
+ return join_runtime_path(paths.data_dir, "protected")
diff --git a/src/hyf_runtime/status.mojo b/src/hyf_runtime/status.mojo
@@ -1,5 +1,15 @@
from mojson import Value, loads
+from hyf_runtime.secrets import (
+ default_secret_backend_name,
+ identity_material_created_by_startup,
+ identity_material_loaded,
+ protected_local_data_dir_for_runtime_paths,
+ protected_local_data_status_name,
+ protected_local_data_store_open,
+ secret_storage_backend_implemented,
+ secret_storage_status_name,
+)
from hyf_runtime.startup import RuntimeStartupContext
@@ -37,9 +47,45 @@ def build_runtime_status_value(context: RuntimeStartupContext) raises -> Value:
config.set("compiled_defaults_active", Value(True))
status.set("config", config)
+ status.set("secret_storage", _secret_storage_status_value(context))
+ status.set(
+ "protected_local_data", _protected_local_data_status_value(context)
+ )
+
+ return status^
+
+
+def _secret_storage_status_value(
+ context: RuntimeStartupContext,
+) raises -> Value:
var secret_storage = loads("{}")
- secret_storage.set("default_backend", Value("local_file"))
+ secret_storage.set("default_backend", Value(default_secret_backend_name()))
+ secret_storage.set("status", Value(secret_storage_status_name()))
+ secret_storage.set(
+ "backend_implemented", Value(secret_storage_backend_implemented())
+ )
+ secret_storage.set(
+ "identity_path", Value(String(context.paths.identity_path))
+ )
+ secret_storage.set(
+ "identity_material_loaded", Value(identity_material_loaded())
+ )
+ secret_storage.set(
+ "identity_material_created_by_startup",
+ Value(identity_material_created_by_startup()),
+ )
secret_storage.set("secret_values_reported", Value(False))
- status.set("secret_storage", secret_storage)
+ return secret_storage^
- return status^
+
+def _protected_local_data_status_value(
+ context: RuntimeStartupContext,
+) raises -> Value:
+ var protected_data = loads("{}")
+ protected_data.set("status", Value(protected_local_data_status_name()))
+ protected_data.set(
+ "default_dir",
+ Value(protected_local_data_dir_for_runtime_paths(context.paths)),
+ )
+ protected_data.set("store_open", Value(protected_local_data_store_open()))
+ return protected_data^
diff --git a/tests/test_stdio_contract.mojo b/tests/test_stdio_contract.mojo
@@ -104,7 +104,37 @@ def test_status_reports_repo_local_runtime_truth() raises:
response["output"]["runtime"]["secret_storage"][
"default_backend"
].string_value(),
- "local_file",
+ "encrypted_file",
+ )
+ assert_equal(
+ response["output"]["runtime"]["secret_storage"][
+ "status"
+ ].string_value(),
+ "reserved_pending_shared_secret_storage",
+ )
+ assert_equal(
+ response["output"]["runtime"]["secret_storage"][
+ "identity_path"
+ ].string_value(),
+ temp_dir + "/secrets/services/hyf/identity.secret.json",
+ )
+ assert_equal(
+ response["output"]["runtime"]["secret_storage"][
+ "backend_implemented"
+ ].bool_value(),
+ False,
+ )
+ assert_equal(
+ response["output"]["runtime"]["secret_storage"][
+ "identity_material_loaded"
+ ].bool_value(),
+ False,
+ )
+ assert_equal(
+ response["output"]["runtime"]["secret_storage"][
+ "identity_material_created_by_startup"
+ ].bool_value(),
+ False,
)
assert_equal(
response["output"]["runtime"]["secret_storage"][
@@ -112,6 +142,42 @@ def test_status_reports_repo_local_runtime_truth() raises:
].bool_value(),
False,
)
+ assert_equal(
+ response["output"]["runtime"]["protected_local_data"][
+ "status"
+ ].string_value(),
+ "reserved_pending_protected_store",
+ )
+ assert_equal(
+ response["output"]["runtime"]["protected_local_data"][
+ "default_dir"
+ ].string_value(),
+ temp_dir + "/data/services/hyf/protected",
+ )
+ assert_equal(
+ response["output"]["runtime"]["protected_local_data"][
+ "store_open"
+ ].bool_value(),
+ False,
+ )
+ assert_true(
+ not exists(
+ Path(temp_dir)
+ / "secrets"
+ / "services"
+ / "hyf"
+ / "identity.secret.json"
+ )
+ )
+ assert_true(
+ not exists(
+ Path(temp_dir)
+ / "data"
+ / "services"
+ / "hyf"
+ / "protected"
+ )
+ )
def test_capabilities_success() raises:
