Add secrets and environment variable gate demo

[safal207]

Goal

Add a ProofPath demo for secrets, environment variables, and production configuration changes.

Why this matters

Valid repository access, CI access, or cloud access does not automatically mean a valid secret or environment change.

AI coding agents and DevOps assistants can accidentally or maliciously:

• expose secrets;
• overwrite production environment variables;
• disable security flags;
• change API endpoints;
• modify payment/provider keys;
• rotate credentials without approval;
• change observability or incident-response configuration.

Core line:

Valid repo or CI access should not automatically mean valid secret/config change.

Demo concept

Create examples/secrets-env-gate/ with three scenarios:

1. Read safe config metadata

   • Expected decision: ACCEPT.

2. Production secret/env change without approval

   • Expected decision: BLOCK.

3. Approved secret rotation

   • Expected decision: ACCEPT.

Suggested action scopes

secrets.metadata.read
secrets.value.read
secrets.value.rotate
secrets.value.overwrite
env.staging.modify
env.production.modify
env.security_flag.disable
config.provider_endpoint.change

Deliverables

• Add examples/secrets-env-gate/README.md.
• Add safe metadata/read-only scenario.
• Add blocked production secret/env change scenario.
• Add approved secret rotation scenario.
• Add expected outputs and audit shape.
• Add row to README execution-boundary demo matrix.

Acceptance criteria

• The demo does not include real secrets.
• The demo is safe and simulated.
• The repo does not claim ProofPath replaces vaults, secret managers, IAM, or CI/CD environment protections.

Related

• Prepare ProofPath for external reviewers #32
• Add audit-log verification note and hash-chain checker #50
• Add policy configuration for scopes and approval rules #53