Safe resource outputs

Safe resource outputs keep workspace handoffs useful without leaking secrets.

Resource modes decide how a database, cache, storage bucket, mail sink, or queue is fulfilled. Resource outputs decide what the CLI, dashboard, logs, and handoff notes may show after that binding resolves: reference name, mode, readiness, and consumer service, never raw credential material.

resource output: masked receipt

resource.database.url: ready

mode: managed local; consumer: api

masked: postgres://***@resource.database/app

resource.storage.bucket: disabled by workspace policy

hidden: password, access key, provider ID, console URL

Output boundary

Resource output describes the contract, not the secret value.

Safe receipts should be useful enough to debug workspace readiness and review setup, while keeping provider wiring and credentials behind runtime injection and authenticated admin surfaces.

Reference name: resource.database.url

Show the stable reference the repo requested so developers know which contract resolved without exposing the backing provider value.

Readiness state: ready / waking / blocked

Report whether the resource can be injected when the runtime wakes, plus the service that is waiting on it.

Provider mode: managed local / provided / customer-cloud / disabled

Name the workspace binding mode so reviewers can understand behavior without seeing account IDs, hostnames, or console links.

Output flow

Mask before publishing any resource receipt.

The same resource may resolve differently across branches, provider modes, and runtime states. The visible output should update with readiness while preserving the secret boundary.

resource receipt: secret-safe

  1. Resolve: envforge.yml reference + workspace binding

    The workspace chooses the backing resource.

    EnvForge starts from the repo reference, reads the workspace resource mode, and resolves the value only for the service that declared it.

  2. Mask: secret values removed before output

    Credentials are stripped before receipts are written.

    CLI, dashboard, logs, and handoff text can show status and reference names, but passwords, tokens, access keys, and private URLs stay out of the output.

  3. Publish: reference + mode + readiness + consumer

    The receipt explains what is usable.

    A safe output says which reference resolved, which mode fulfilled it, which service receives it, and whether the resource is ready, waking, or blocked.

  4. Recheck: wake / sleep / mode change

    Resource output changes stay auditable.

    When runtime wake, idle sleep, or a mode change updates resource readiness, EnvForge records the state change without logging raw secret material.
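The mask and publish steps above, as an added Python example (not EnvForge's own code). The function names and the sample connection string are hypothetical, and the placeholder host is assumed to be the reference name minus its last segment, which matches the masked shape shown on this page.

```python
from urllib.parse import urlsplit

ALLOWED_STATES = {"ready", "waking", "blocked"}
ALLOWED_MODES = {"managed local", "provided", "customer-cloud", "disabled"}


def mask_url(reference: str, resolved: str) -> str:
    """Return the masked shape: only the scheme and path of the real value survive."""
    parts = urlsplit(resolved)
    # Assumption: placeholder host = reference minus its last segment
    # (resource.database.url -> resource.database).
    alias = reference.rsplit(".", 1)[0]
    # Userinfo, real host, port, query and fragment are all dropped.
    return f"{parts.scheme}://***@{alias}{parts.path}"


def secret_parts(resolved: str) -> list[str]:
    """Components of the resolved value that must never appear in output."""
    parts = urlsplit(resolved)
    found = [parts.username, parts.password, parts.hostname, parts.query]
    return [p for p in found if p]


def build_receipt(reference, mode, state, consumer, resolved=None) -> str:
    """Build the publishable receipt: reference, readiness, mode, consumer."""
    if mode not in ALLOWED_MODES or state not in ALLOWED_STATES:
        raise ValueError("unknown mode or readiness state")
    lines = [f"{reference}: {state}", f"mode: {mode}; consumer: {consumer}"]
    if resolved is None:
        return "\n".join(lines)
    lines.append(f"masked: {mask_url(reference, resolved)}")
    text = "\n".join(lines)
    # Fail closed: refuse to publish if any secret component is still visible.
    if any(p in text for p in secret_parts(resolved)):
        raise RuntimeError("receipt would leak secret material")
    return text


# Constructed sample value; not a real credential or host.
SAMPLE = "postgres://app_user:s3cr3t-pw@10.0.4.17:5432/app?sslmode=require"

if __name__ == "__main__":
    print(build_receipt("resource.database.url", "managed local", "ready", "api", SAMPLE))
```

The leak check runs on the finished text, so it also catches a secret component that reaches the receipt through the path or any other field.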

Review checklist

A resource output is safe when the handoff can be pasted into a PR.

Treat CLI output, dashboard status, logs, and support handoffs as shareable product surfaces. They should show what resolved and what is blocked without revealing the backing credential.

Allowed in handoffs: reference / mode / readiness / consumer

Use product-level names such as resource.database.url, managed local, ready, and api service.

Useful for developers and reviewers.

Masked by default: credential handles

If a connection string must appear, show only a masked shape such as postgres://***@resource.database/app.

Confirms wiring without leaking secrets.

Blocked from output: secret / internal host / console

Do not print passwords, tokens, access keys, private console URLs, internal IPs, or provider resource IDs.

Handoffs stay product-safe.

Failure wording: missing / denied / disabled

Name the missing reference or disabled mode, then point to the workspace binding instead of dumping provider error payloads.

Operators get a fix path without a leak.