Summary
Implement Phase 1 of the harness-auth-flow feature: agent-initiated secret creation via a new Hub API endpoint and sciontool secret set command.
This enables the credential capture workflow where a setup agent authenticates inside its container (e.g., claude login) and persists the resulting credentials as project-scoped secrets for subsequent agents.
Changes
New Hub API endpoint
PUT /api/v1/agents/{agentID}/secrets/{key} — agents can store project-scoped secrets:
- Agent-only authentication (JWT validation, agent ID must match URL)
- Secrets always scoped to the agent's project (derived from JWT)
- Create-only by default; force flag enables overwrite
- Returns 201/204/409 based on state
New sciontool command
sciontool secret set KEY VALUE [--type] [--target] [--force]
- Supports @file syntax to read and base64-encode file contents
- Auto-detects file type and target path from @file source
New hub client method
Client.SetSecret() in pkg/sciontool/hub/client.go
Test Plan
- Hub handler tests: create, conflict, force overwrite, auth failures, validation
- Client tests: request construction, response parsing, error handling