Context
Stage-3 step 11 (harness/v2-stage3-demo.sh, cred_memory_roundtrip cred) exercises the cred worker roundtrip (cap-mint → /v1/cred/store → /v1/cred/fetch) signed as the agent. While wiring the in-sandbox agent test (harness/scripts/sandbox-agent-isolation.sh + the stage-3 auto-upload), I scoped that real-sandbox test to memory only, on the assumption that the cred worker is master-facing (agents receive injected creds, they don't cred store).
That assumption is too narrow. The agent side can store credentials / provision:
- The agent has its own email + identity (its actor_omni), so it can authenticate + provision credentials scoped to itself.
- The cred-store path is reachable from the agent with its own STS creds (tagged agentkeys_actor_omni), writing to bots/<agent_omni>/cred/… — symmetric with the memory path the sandbox test already proves.
Scope (later work)
- Expose an agent-side cred store / provisioning flow (CLI/MCP), analogous to agentkeys memory put, that the agent runs with its sandbox-held key.
- Wire the agent's own email/identity into provisioning, so the agent can provision its own service credentials.
- Extend harness/scripts/sandbox-agent-isolation.sh to do a real cred roundtrip in the sandbox (not just memory) — closing the gap where stage-3 step 11 currently only has the master/mock cred test.
Why deferred
The memory roundtrip already proves the §10.2 agent end-to-end in the sandbox; cred-from-the-agent needs the provisioning + agent-email plumbing, which is a larger piece. Tracking here so the sandbox isolation test (currently memory-only) picks up the cred half when that lands.