feat(harmony_secret): SSO auth hardening — silent refresh, renewal, namespacing #302

Merged
johnride merged 1 commit from pr/harmony-secret-auth into master 2026-05-29 15:11:53 +00:00

9eb6bda257 feat(harmony_secret): SSO auth hardening — silent refresh, renewal, namespacing
Net-diff PR (1 of 4) splitting feat/unified-config-and-secrets into
reviewable pieces. harmony_secret changes only; compiles against master.

- Silent OIDC refresh + clearer device-code error surfacing
- renew-self on cached OpenBao token; auto-open device-flow browser
- OIDC session cache scoped by sso_url + client_id (was one shared file)
- LocalFileSecretStore nested per namespace
- validate cached token via lookup-self (default policy), not lookup (sudo)
- drop dead HARMONY_SECRETS_URL var and OidcSession::is_openbao_token_expired

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-28 13:23:03 -04:00
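
The commit message says the OIDC session cache is now scoped by sso_url + client_id instead of one shared file. The sketch below is an added example, not code from this PR or from harmony_secret: it shows one way to derive such a cache path so that distinct (issuer, client) pairs never share a file and neither value can escape the cache directory. The function names, the `<base>/<issuer>/<client>.json` layout, the length limit and the sample values are all assumptions.

```rust
use std::path::{Path, PathBuf};

#[derive(Debug, PartialEq)]
enum CacheKeyError {
    Empty,
    TooLong,
}

// Assumed limit: leaves room for ".json" under the common 255-byte file name cap.
const MAX_COMPONENT: usize = 200;

/// Encode a string as one path component. Only [a-z0-9_-] pass through; every
/// other byte (including '%', '/', '.', and uppercase) becomes %xx, so the
/// mapping is injective even on case-insensitive file systems.
fn encode_component(s: &str) -> Result<String, CacheKeyError> {
    if s.is_empty() {
        return Err(CacheKeyError::Empty);
    }
    let mut out = String::with_capacity(s.len());
    for b in s.bytes() {
        match b {
            b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' => out.push(b as char),
            _ => out.push_str(&format!("%{:02x}", b)),
        }
    }
    if out.len() > MAX_COMPONENT {
        return Err(CacheKeyError::TooLong);
    }
    Ok(out)
}

/// Hypothetical layout: <base>/<issuer>/<client>.json, one file per
/// (sso_url, client_id) pair instead of one shared session file.
fn session_cache_path(base: &Path, sso_url: &str, client_id: &str) -> Result<PathBuf, CacheKeyError> {
    let issuer = encode_component(sso_url)?;
    let client = encode_component(client_id)?;
    Ok(base.join(issuer).join(format!("{}.json", client)))
}

fn main() {
    let base = Path::new("/tmp/harmony-cache"); // constructed sample values
    for (url, id) in [
        ("https://sso.example.test", "harmony-cli"),
        ("https://sso.other.test", "harmony-cli"),
        ("https://sso.example.test", "../../escape"),
    ] {
        println!("{:?}", session_cache_path(base, url, id));
    }
}
```

Because '%' is itself encoded, two different inputs can never produce the same component, which is what keeps a session cached for one SSO server from being loaded for another.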