updateStrategyCodeWithPassphrase
Strict / airgapped strictness only. Re-encrypts the supplied code under a freshly-derived KEK and persists it. The dashboard's Save flow (T1.4 PR-5) calls this after re-prompting the user with StrictModeUnlockModal(intent='save').
Same strictness gating as decryptStrategyOnce: convenience and standard mode orgs use the existing updateStrategy mutation.
Audit event: secrets.passphrase.encrypt_with_action.
Scope: code-only for now (matching DecryptedStrategy). Updating encrypted Config / UIBuilderConfig / Analysis follows once the typed-struct decrypt path lands.
updateStrategyCodeWithPassphrase(
strategyID: ID!
code: String!
passphrase: String!
): Strategy!
Arguments
updateStrategyCodeWithPassphrase.strategyID ● ID! non-null scalar
Strategy ID to update.
updateStrategyCodeWithPassphrase.code ● String! non-null scalar
New plaintext code. Encrypted in-process via peraction.EncryptOnce.
updateStrategyCodeWithPassphrase.passphrase ● String! non-null scalar
Plaintext passphrase. Never logged. Zeroed after the operation.