Add runtime barrier to prevent secret modifications during upgrade #13614

Closed
Copilot wants to merge 4 commits into main from copilot/audit-upgrade-command-secrets
Copilot AI commented Feb 4, 2026

The upgrade command needed verification that it doesn't modify secrets, plus a runtime safeguard against future modifications.

Implementation

Execution context system (pkg/cli/execution_context.go)

  • Global context tracks current command execution
  • SetUpgradeContext() marks upgrade execution and blocks secret modifications
  • CheckSecretModificationAllowed() enforces the barrier
  • Thread-safe with RWMutex

Runtime checks in secret modification functions

  • setRepoSecret() in secret_set_command.go
  • attemptSetSecret() in init.go
  • Both check context before proceeding

Upgrade command integration (upgrade_command.go)

func runUpgradeCommand(...) error {
    // Set execution context to prevent secret modifications during upgrade
    cleanup := SetUpgradeContext()
    defer cleanup()
    
    // ... rest of upgrade logic
}

Any attempt to modify secrets during upgrade now returns:

error: secret modifications are not allowed during upgrade command execution

The upgrade command itself makes no secret modifications (verified during audit). This adds defense-in-depth against accidental future additions.

Original prompt

Review the upgrade command and ensure it does not modify any secrets. Add a runtime barrier on the API so that we get a runtime error if the code attempts to modify a secret while running the upgrade command.
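
A minimal sketch of the barrier described in this PR, added here as an illustration; it is not the code from pkg/cli/execution_context.go. The names SetUpgradeContext and CheckSecretModificationAllowed and the error text come from the description above; the depth counter, the idempotent cleanup, and the setSecret helper with its in-memory store are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

var (
	ctxMu        sync.RWMutex
	upgradeDepth int // assumption: a counter, so nested scopes stay blocked
)

func adjustDepth(delta int) {
	ctxMu.Lock()
	defer ctxMu.Unlock()
	upgradeDepth += delta
}

// SetUpgradeContext marks upgrade execution; the returned cleanup is idempotent.
func SetUpgradeContext() func() {
	adjustDepth(1)
	var once sync.Once
	return func() { once.Do(func() { adjustDepth(-1) }) }
}

// CheckSecretModificationAllowed is the barrier each secret writer calls first.
func CheckSecretModificationAllowed() error {
	ctxMu.RLock()
	defer ctxMu.RUnlock()
	if upgradeDepth > 0 {
		return errors.New("secret modifications are not allowed during upgrade command execution")
	}
	return nil
}

// setSecret is a hypothetical writer; store stands in for the remote secrets API.
func setSecret(store map[string]string, name, value string) error {
	if err := CheckSecretModificationAllowed(); err != nil {
		return err
	}
	store[name] = value
	return nil
}

func main() {
	defer SetUpgradeContext()() // same effect as the cleanup/defer pair in runUpgradeCommand
	fmt.Println(setSecret(map[string]string{}, "TOKEN", "constructed-value"))
}
```

A plain boolean flag would be cleared by the first cleanup that runs, which reopens the barrier while an outer upgrade scope is still active; the counter and the once-only cleanup avoid that.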



Copilot AI and others added 2 commits February 4, 2026 00:11
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Review upgrade command to prevent secret modifications" to "Add runtime barrier to prevent secret modifications during upgrade" Feb 4, 2026
Copilot AI requested a review from pelikhan February 4, 2026 00:24
pelikhan closed this Feb 4, 2026

github-actions bot commented Feb 4, 2026

🔍 PR Triage Results

Category: feature | Risk: medium | Priority: 62/100

Scores Breakdown

  • Impact: 38/50 - Security-focused feature adding runtime barriers to prevent secret modifications during upgrade; creates new execution context system; 279 additions, 12 deletions across 10 files; affects secret handling in critical commands
  • Urgency: 15/30 - Created 0.5 hours ago (very recent); draft status (not ready for final review); 4 commits; 0 comments (new PR); assigned to pelikhan; security-related but preventative
  • Quality: 9/20 - CI unstable; draft status; good description with code examples and clear implementation details; includes test files; security best practice (defense-in-depth)

📋 Recommended Action: batch_review

Security-focused PR that adds runtime barriers for secret modifications. While the topic is security-related, this is a preventative measure rather than a vulnerability fix. The draft status indicates it needs more work. Once out of draft and CI passes, it should be reviewed alongside other security enhancement PRs. The implementation is solid with clear documentation.


Triaged by PR Triage Agent on 2026-02-04T00:35:56Z

AI generated by PR Triage Agent
