service_manager: FromHeroProcSecret resolver (currently stubbed) #99

New issue

Open

opened 2026-05-07 19:12:42 +00:00 by mik-tf · 0 comments

mik-tf commented

2026-05-07 19:12:42 +00:00

Owner

Tracked from #90.

The v2 trait HeroService does NOT have a FromHeroProcSecret resolver — env values from hero_proc secrets are NOT resolved at action-build time. The canonical Hero pattern (per hero_proc_meta skill) is for the daemon binary itself to read secrets at runtime via hero_proc_sdk::secrets, not for the manager to bake them into the action spec.

A few services could legitimately want secret resolution at action-build time though (e.g. for ARGs not env vars).

Fix (if needed): add a small helper lib::hp_get_secret(key: &str) -> Result<String> callable from start impls. Keep it explicit per-service rather than a generic resolver.

Lower priority — not blocking any service today.

Tracked from #90. The v2 trait `HeroService` does NOT have a `FromHeroProcSecret` resolver — env values from hero_proc secrets are NOT resolved at action-build time. The canonical Hero pattern (per `hero_proc_meta` skill) is for the daemon binary itself to read secrets at runtime via `hero_proc_sdk::secrets`, not for the manager to bake them into the action spec. A few services *could* legitimately want secret resolution at action-build time though (e.g. for ARGs not env vars). **Fix (if needed)**: add a small helper `lib::hp_get_secret(key: &str) -> Result<String>` callable from `start` impls. Keep it explicit per-service rather than a generic resolver. Lower priority — not blocking any service today.