Help wrapper authors understand what changes when a wrapper targets different trust modes.
All wrappers should:
- keep the command surface small and explicit
- validate input before broker access
- fail closed on unknown operations
- call
latchkeyd execinstead of resolving secrets themselves - pass their own trusted wrapper path as caller identity
Wrapper shape:
- normalize input
- call
latchkeyd exec - let the trusted child start with approved env vars
Good for:
- existing tools that already expect env-based auth
Wrapper shape:
- same as
handoff, but designed for clearly bounded commands
Good for:
- publish
- release
- one-shot admin tasks
Wrapper advice:
- avoid exposing actions that naturally want to linger or watch
Wrapper shape:
- call
latchkeyd execfor a brokered policy - launch a child that knows how to talk to the local broker session
- keep request names explicit and narrow
Good for:
- repeated bounded operations
- workflows that benefit from request-time control
Current example:
example-wrapper brokered-demo
Planned wrapper implication:
- wrappers may need to understand short-lived credential lifetime or refresh boundaries
Planned wrapper implication:
- wrappers may become capability-oriented rather than secret-oriented
The example wrapper demonstrates:
demoforhandoffbrokered-demoforbrokered
That split is intentional. Different trust postures should be visible in the wrapper surface, not hidden behind a vague one-command interface.