feat(secrets): add --not-exposed-by-default flag to fal secrets set#1103
Open
hanchchch wants to merge 1 commit into
Open
feat(secrets): add --not-exposed-by-default flag to fal secrets set#1103hanchchch wants to merge 1 commit into
hanchchch wants to merge 1 commit into
Conversation
93890bc to
080b004
Compare
`fal secrets set` now marks secrets as exposed by default unless --not-exposed-by-default is passed; such secrets are only injected into apps that explicitly list them in their secrets config. `fal secrets list` shows the per-secret exposure setting. Uses the default_exposed proto field added in #1104; bumps the isolate-proto requirement to >=0.34.1 accordingly. SERV-768 Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
080b004 to
6d6b8d4
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Client-side part of SERV-768: per-secret opt-out of default exposure. Uses the
default_exposedproto field from #1104 (merged, published asisolate-proto 0.34.1).fal secrets setnow sendsdefault_exposed=trueunless--not-exposed-by-defaultis passed. A secret set with the flag is not injected into apps by default — it is only available to apps that explicitly list it in theirsecretsconfig.fal secrets list(pretty + json) shows the per-secret setting;account default/nullmeans the secret predates this feature and the account-levelexpose_secrets_by_defaultadmin config decides.client.secrets.set(..., default_exposed=...)defaults toNone(no opinion → server preserves the existing setting on updates, account default for new secrets), so programmatic callers are unaffected.isolate-protorequirement to>=0.34.1.Server side
Enforcement lands in fal-ai/isolate-cloud#8210 (migration) + fal-ai/isolate-cloud#8208 (logic). Until those deploy, the server ignores the new field.
Test plan
pytest projects/fal/tests/unitagainst the publishedisolate-proto 0.34.1— secret tests pass (new parser tests for the flag included).🤖 Generated with Claude Code