createStrategyWithPassphrase
Strict / airgapped strictness only. Companion to updateStrategyCodeWithPassphrase for the create path — without this, users in strict-mode orgs cannot create encrypted strategies at all (the standard createStrategy fails with ErrPassphraseLocked because the encrypt hook has no cached KEK and strict mode forbids session-style caching).
Mechanism: derives a KEK from the supplied passphrase in-process, injects it as a single-use ephemeral cache on ctx (peraction.WithEphemeralKEK), runs the standard ent Strategy.Create — the existing encrypt hooks pick up the KEK and produce passphrase-v1 envelopes on every encrypted column (code String, config Map, uiBuilderConfig struct). The cache is zeroed and detached as soon as Save returns.
Returns the freshly-created Strategy. The strategy's IP fields come back encrypted on the response shape (the decrypt path on the same connection won't have the KEK any more); the dashboard's load flow routes through decryptStrategyOnce + StrictModeUnlockModal on the next view, identical to the rest of strict mode.
Audit event: secrets.passphrase.encrypt_with_action keyed on resourceType="Strategy" + resourceID=<newID>.
createStrategyWithPassphrase(
input: CreateStrategyInput!
passphrase: String!
): Strategy!
Arguments
createStrategyWithPassphrase.input ● CreateStrategyInput! non-null input
Same shape as CreateStrategyInput on the regular mutation.
createStrategyWithPassphrase.passphrase ● String! non-null scalar
Plaintext passphrase. Never logged. Zeroed after the operation.