From 57d76740ef422efdda97e26d98862cac2a4422da Mon Sep 17 00:00:00 2001 From: mikemolinet Date: Sat, 9 May 2026 13:38:34 -0700 Subject: [PATCH] feat: expose agents-webhook-secret-regenerate (destructive) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes Backlog row cmousycjv ("Parity port: agents-webhook-secret-regenerate (destructive) → cueapi-action") — Drift-audit deferred 2026-05-07, re-claimed by cueapi-secondary 2026-05-09 after pre-verify of action.yml confirmed it was genuinely missing. Wraps `cueapi agents webhook-secret regenerate --yes`. Always passes --yes since CI has no interactive confirmation; the CLI sends the X-Confirm-Destructive: true header automatically. Operator caveat: rotation drops the old secret immediately. Any in-flight webhook deliveries already signed with the old secret will fail signature verification on the consumer side. Coordinate consumer-side updates if you need zero-downtime rotation. Files changed: - action.yml: add `agents-webhook-secret-regenerate` to command description + new `runs.steps` case branch passing --yes; update unsupported-command error message - parity-manifest.json: move from `commands_missing_from_action` to `commands_exposed_via_action` with provenance note Co-Authored-By: Claude Opus 4.7 (1M context) --- action.yml | 17 +++++++++++++++-- parity-manifest.json | 4 ++-- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/action.yml b/action.yml index 0c88b05..8697fb9 100644 --- a/action.yml +++ b/action.yml 
@@ -17,7 +17,9 @@ inputs:
 executions-report-outcome
 Agent identity (Surface 6 messaging primitive, cueapi-cli 0.3.0+):
 agents-create, agents-list, agents-get (alias: agents-describe),
- agents-update, agents-delete, agents-webhook-secret-get
+ agents-update, agents-delete, agents-webhook-secret-get,
+ agents-webhook-secret-regenerate (destructive — rotates the secret;
+ always passes --yes since CI has no interactive confirm)
 Messaging primitive (Surface 6, cueapi-cli 0.3.0+):
 messages-send, messages-get, messages-read, messages-ack
 Workers (worker registration / cleanup):
@@ -394,6 +396,17 @@ runs:
 cmd=(cueapi agents webhook-secret get)
 [ -n "$REF" ] && cmd+=("$REF")
 ;;
+ agents-webhook-secret-regenerate)
+ # Destructive: rotates the agent's webhook signing secret and
+ # drops the old one immediately. Any in-flight webhook
+ # deliveries already signed with the old secret will fail
+ # signature verification on the consumer side. The CLI sends
+ # the X-Confirm-Destructive: true header automatically;
+ # we always pass --yes since CI has no interactive confirm.
+ cmd=(cueapi agents webhook-secret regenerate)
+ [ -n "$REF" ] && cmd+=("$REF")
+ cmd+=(--yes)
+ ;;
 # Messaging primitive subgroup (Surface 6, cueapi-cli 0.3.0+).
 messages-send)
 cmd=(cueapi messages send)
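Review bot: In the `agents-webhook-secret-regenerate)` branch, `--yes` is appended even when `$REF` is empty, so the destructive call can go out without naming an agent and with its confirmation prompt already suppressed; what the CLI does in that case is not visible here. Fail closed before building the command: `[ -n "$REF" ] || { echo "::error::agents-webhook-secret-regenerate requires an agent ref"; exit 1; }`. The manifest entry this commit removes said the port "needs --confirm-destructive pattern", and the unconditional `--yes` drops that gate, so consider an explicit opt-in input that this branch checks before rotating. If the CLI prints the new secret, the step that runs `cmd` (outside this hunk) should register it with `::add-mask::` before anything is echoed or exported as an output. The enclosing `case` statement starts and ends outside the hunk.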
@@ -451,7 +464,7 @@ runs:
 [ -n "$SUMMARY" ] && cmd+=(--reason "$SUMMARY")
 ;;
 *)
- echo "::error::Unsupported command '$COMMAND'. Supported: create, list, get, update, delete, pause, resume, whoami, usage, fire, executions-list, executions-list-claimable, executions-get, executions-claim, executions-claim-next, executions-heartbeat, executions-report-outcome, agents-create, agents-list, agents-get, agents-describe, agents-update, agents-delete, agents-webhook-secret-get, messages-send, messages-get, messages-read, messages-ack, workers-list, workers-delete, executions-replay, executions-verification-pending, executions-verify."
+ echo "::error::Unsupported command '$COMMAND'. Supported: create, list, get, update, delete, pause, resume, whoami, usage, fire, executions-list, executions-list-claimable, executions-get, executions-claim, executions-claim-next, executions-heartbeat, executions-report-outcome, agents-create, agents-list, agents-get, agents-describe, agents-update, agents-delete, agents-webhook-secret-get, agents-webhook-secret-regenerate, messages-send, messages-get, messages-read, messages-ack, workers-list, workers-delete, executions-replay, executions-verification-pending, executions-verify."
 exit 1
 ;;
 esac
diff --git a/parity-manifest.json b/parity-manifest.json
index 95a73ca..7fdb68d 100644
--- a/parity-manifest.json
+++ b/parity-manifest.json
@@ -39,7 +39,8 @@ "agents-describe": "Verb alias for agents-get (PR #5, merged 2026-05-07)", "agents-update": "cueapi agents update — covers --display-name, --description, --webhook-url, --clear-webhook-url sentinel (PR #5, merged 2026-05-07)", "agents-delete": "cueapi agents delete — soft delete (PR #5, merged 2026-05-07)", - "agents-webhook-secret-get":"cueapi agents webhook-secret get (PR #5, merged 2026-05-07)" + "agents-webhook-secret-get":"cueapi agents webhook-secret get (PR #5, merged 2026-05-07)", + "agents-webhook-secret-regenerate":"cueapi agents webhook-secret regenerate --yes — destructive (rotates webhook signing secret + drops old one immediately). The CLI sends X-Confirm-Destructive: true; action passes --yes since CI has no interactive confirm. Ported from Backlog row cmousycjv (Drift-audit deferred 2026-05-07; ported 2026-05-09)." }, "commands_missing_from_action": { @@ -49,7 +50,6 @@ "key regenerate": "POST /v1/auth/key/regenerate — destructive, intentionally gated behind manual flow. NOT-PORTED-INTENTIONAL.", "key webhook-secret get": "GET /v1/auth/webhook-secret — could be exposed for `outputs:` in CI workflows that need to verify webhook signatures. NEEDS-PORT.", "key webhook-secret regenerate": "POST /v1/auth/webhook-secret/regenerate — destructive. NOT-PORTED-INTENTIONAL.", - "agents webhook-secret regenerate": "POST /v1/agents/{ref}/webhook-secret/regenerate — destructive; needs --confirm-destructive pattern. Tracked on Backlog (Drift-audit deferred 2026-05-07).", "agents roster": "GET /v1/agents/roster (cueapi #630) — NEEDS-PORT in cueapi-cli + cueapi-action; cueapi-cli upstream port pending.", "agents presence": "GET /v1/agents/{ref}/presence (cueapi #662) — NEEDS-PORT in cueapi-cli + cueapi-action; cueapi-cli upstream port pending.", "agents inbox": "GET /v1/agents/{ref}/inbox — NEEDS-PORT (cueapi-cli has it via #28; Action wrap pending).",