Skip to main content

createStrategyWithPassphrase

Strict / airgapped strictness only. Companion to updateStrategyCodeWithPassphrase for the create path — without this, users in strict-mode orgs cannot create encrypted strategies at all (the standard createStrategy fails with ErrPassphraseLocked because the encrypt hook has no cached KEK and strict mode forbids session-style caching).

Mechanism: derives a KEK from the supplied passphrase in-process, injects it as a single-use ephemeral cache on ctx (peraction.WithEphemeralKEK), runs the standard ent Strategy.Create — the existing encrypt hooks pick up the KEK and produce passphrase-v1 envelopes on every encrypted column (code String, config Map, uiBuilderConfig struct). The cache is zeroed and detached as soon as Save returns.

Returns the freshly-created Strategy. The strategy's IP fields come back encrypted on the response shape (the decrypt path on the same connection won't have the KEK any more); the dashboard's load flow routes through decryptStrategyOnce + StrictModeUnlockModal on the next view, identical to the rest of strict mode.

Audit event: secrets.passphrase.encrypt_with_action keyed on resourceType="Strategy" + resourceID=<newID>.

createStrategyWithPassphrase(
input: CreateStrategyInput!
passphrase: String!
): Strategy!

Arguments

createStrategyWithPassphrase.input ● CreateStrategyInput! non-null input

Same shape as CreateStrategyInput on the regular mutation.

createStrategyWithPassphrase.passphrase ● String! non-null scalar

Plaintext passphrase. Never logged. Zeroed after the operation.

Type

Strategy object