PRIV-372: Add --confidential/--secret flags to workflow simulate #306

Open
nadahalli wants to merge 1 commit into main from tejaswi/PRIV-372-simulate-confidential

@nadahalli
Contributor

Summary

  • Adds --confidential and --secret flags to cre workflow simulate, mirroring the deploy command
  • In confidential mode, secrets are filtered to only declared keys before reaching the WASM engine, matching production behavior where undeclared secrets aren't in the enclave's secretsMap
  • Validates flag combinations: --secret requires --confidential, --confidential requires at least one --secret, empty keys are rejected

Changed files

  • cmd/workflow/simulate/simulate.go - flags, Inputs fields, validation, filtering call in Execute
  • cmd/workflow/simulate/secrets.go - FilterSecretsByAllowedKeys, secretKeys helper
  • cmd/workflow/simulate/secrets_test.go - 5 filter tests + secretKeys test
  • cmd/workflow/simulate/simulate_test.go - 3 validation tests

In production, confidential workflows only get access to secrets declared
at deploy time. The simulator now enforces the same restriction so
developers catch mismatches before deploying.

PRIV-372
@nadahalli nadahalli requested a review from a team as a code owner March 10, 2026 13:40
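
Added example, not code from this pull request or the project: a Go sketch of the two behaviours the description lists, the flag-combination checks and the filtering of secrets down to declared keys. The function names, the `map[string]string` shape of the secrets and the sample values are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// validateFlags applies the flag rules from the PR summary (hypothetical helper).
func validateFlags(confidential bool, declared []string) error {
	if !confidential && len(declared) > 0 {
		return errors.New("--secret requires --confidential")
	}
	if confidential && len(declared) == 0 {
		return errors.New("--confidential requires at least one --secret")
	}
	for _, k := range declared {
		if strings.TrimSpace(k) == "" {
			return errors.New("--secret key must not be empty")
		}
	}
	return nil
}

// filterDeclared keeps only declared secrets; withheld holds sorted names, never values.
func filterDeclared(secrets map[string]string, declared []string) (kept map[string]string, withheld []string) {
	allowed := make(map[string]bool, len(declared))
	for _, k := range declared {
		allowed[k] = true
	}
	kept = make(map[string]string, len(declared))
	for name, value := range secrets {
		if allowed[name] {
			kept[name] = value
		} else {
			withheld = append(withheld, name)
		}
	}
	sort.Strings(withheld)
	return kept, withheld
}

func main() {
	// Constructed sample: UNUSED_TOKEN exists locally but is not declared.
	secrets := map[string]string{"API_KEY": "k1", "UNUSED_TOKEN": "t1"}
	fmt.Println("flag check:", validateFlags(true, []string{"API_KEY"}))
	kept, withheld := filterDeclared(secrets, []string{"API_KEY"})
	fmt.Println("passed to engine:", len(kept), "withheld:", withheld)
}
```

Returning a new map instead of deleting from the input keeps the caller's full secret set intact, and reporting withheld names only avoids writing secret values to simulator output.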