[Bounty $8k] fix(deploy): separate deploy credentials by environment with approval flow #3923

Open
neuralmint wants to merge 2 commits into orchestration-agent:main from neuralmint:fix/deploy-env-scoped-credentials

@neuralmint

Closes #3921

Summary

  • Add DeployCredentialManager with environment-scoped identities
  • Staging/development identities issued immediately without approval
  • Production identities require explicit approval before credential issuance
  • EnvironmentMismatch raised when scoped credentials used against wrong environment
  • Expired identities rejected on verification
  • Deployment logs identify the environment-specific identity used

Acceptance Criteria

  • ✅ Staging credentials cannot modify production resources
  • ✅ Production deploy credentials issued only after environment approval
  • ✅ Deployment logs identify the environment-specific identity used

Tests

  • 13 regression tests covering all acceptance criteria
  • Run: pytest -q tests/test_deploy_credentials.py
pytest tests/test_deploy_credentials.py -v
============================= 13 passed in 0.08s ==============================

/claim #3921

… flow

Closes orchestration-agent#3921

- Add DeployCredentialManager with environment-scoped identities
- Staging/development identities issued immediately
- Production identities require explicit approval before use
- EnvironmentMismatch raised when credential used against wrong env
- Expired identities rejected
- Full regression test suite (13 tests)

Acceptance criteria met:
- Staging credentials cannot modify production resources ✓
- Production deploy credentials issued only after approval ✓
- Deployment logs identify the environment-specific identity used ✓
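
A sketch of the behaviour listed in the description above, added here as an illustration and not the PR's own code. Only the names `DeployCredentialManager` and `EnvironmentMismatch` come from the page; the method names, the other exception names, the record shape, the TTL and the single-use approval are assumptions.

```python
import secrets
import time
from dataclasses import dataclass

class EnvironmentMismatch(Exception):
    """A credential scoped to one environment was used against another."""
class ApprovalRequired(Exception):   # hypothetical name
    """A production identity was requested without a recorded approval."""
class IdentityExpired(Exception):    # hypothetical name
    """The identity is past its expiry time."""

@dataclass(frozen=True)
class DeployIdentity:                # hypothetical record shape
    identity_id: str
    environment: str
    expires_at: float

class DeployCredentialManager:
    UNGATED = frozenset({"development", "staging"})
    GATED = frozenset({"production"})

    def __init__(self, ttl_seconds=900, clock=time.time):
        self._ttl, self._clock = ttl_seconds, clock
        self._approved = set()       # (environment, deploy_id) awaiting issuance
        self.audit_log = []          # one line per approval, issuance and use

    def approve(self, environment, deploy_id, approver):
        self._approved.add((environment, deploy_id))
        self.audit_log.append(f"approved env={environment} deploy={deploy_id} by={approver}")

    def issue(self, environment, deploy_id):
        if environment in self.GATED:
            if (environment, deploy_id) not in self._approved:
                raise ApprovalRequired(f"{environment} deploy {deploy_id} has no approval")
            self._approved.discard((environment, deploy_id))  # an approval is single-use
        elif environment not in self.UNGATED:
            raise ValueError(f"unknown environment: {environment}")  # fail closed
        ident = DeployIdentity(f"deploy-{environment}-{secrets.token_hex(4)}",
                               environment, self._clock() + self._ttl)
        self.audit_log.append(f"issued identity={ident.identity_id} env={environment}")
        return ident

    def verify(self, ident, target_environment):
        if ident.environment != target_environment:
            raise EnvironmentMismatch(f"{ident.identity_id} is scoped to {ident.environment}")
        if self._clock() >= ident.expires_at:
            raise IdentityExpired(ident.identity_id)
        self.audit_log.append(f"deploy identity={ident.identity_id} env={target_environment}")
        return True
```

The injected `clock` lets a test advance time to exercise expiry without sleeping.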

Development

Successfully merging this pull request may close these issues.

[ Bounty $8k ] [ Deploy ] Separate deploy credentials by environment — promotion automation