Explicit injection only

secret-handling:explicit-injection

SecretHandlingPolicysecurity/secret-handling/secret-handling-policies.yaml·Open in Graph →

{
  "id": "secret-handling:explicit-injection",
  "_kind": "SecretHandlingPolicy",
  "_file": "security/secret-handling/secret-handling-policies.yaml",
  "_cluster": "security",
  "attributes": {
    "displayName": "Explicit injection only",
    "rule": "Secrets are injected into agent subprocess via env vars listed in LaunchContract.advertisedSecrets only; no implicit forwarding.",
    "scope": "agent-session",
    "enforcement": "launch-contract",
    "rationale": "Audit trail of which secrets each agent run had access to."
  },
  "outgoingEdges": [],
  "incomingEdges": [
    {
      "from": "workflow:linear-default",
      "to": "secret-handling:explicit-injection",
      "kind": "applies_secret_policy",
      "attributes": {}
    }
  ]
}