
PATTERN Cited by 1 source

Wrapper-script arg injection

Shape

A caller tool with a pluggable-program interface invokes your program with statically-configured arguments (a key id, a path, a profile name). You need dynamic values at invocation time but can't modify the caller. The fix: interpose a tiny wrapper script that is registered as the pluggable program, ignores the args the caller passes, and invokes the real program with args it computed itself.

caller ──(static args S)──▶ wrapper ──(ignores S, computes D)──▶ real program

Why it works

  • Leaves the caller unchanged — no fork, no patch to upstream.
  • Encapsulates the dynamic-lookup logic in one place (the wrapper), typically one shell line.
  • The real program still sees a well-formed invocation, because the wrapper composes a valid argument list itself.

Trade-offs / watch-outs

  • Discarding caller args is by design but easy to miss in code review; the wrapper script should have a big comment explaining the substitution.
  • The static caller config becomes misleading or blank — e.g. Figma's user.signingkey is left blank on purpose because Git's value is ignored. Documentation overhead to prevent future confusion.
  • If the caller starts passing functionally required args later (a new version of the protocol), the wrapper drops them without complaint and the real program runs with a stale invocation. A wrapper that checks the shape of what it receives and fails loudly on anything unexpected turns that silent break into a visible one.
  • If the dynamic lookup fails or returns nothing, a bare command substitution yields an empty string and the real program is invoked with an empty value; the wrapper should fail the invocation instead.
  • Platform-specific: a shell wrapper assumes a shell is available wherever the caller runs.

Canonical instantiation — Figma smimesign-figma-wrapper

Git invokes its configured gpg.x509.program as:

<program> --status-fd=2 -bsau <user.signingkey>

where <user.signingkey> is a static value from git config. But Figma's device-trust X.509 certs rotate every 15 days, so any static key id goes stale within days; there is no correct value to configure.

The fix: configure gpg.x509.program to smimesign-figma-wrapper, a one-line script:

smimesign-figma --status-fd=2 -bsau $(smimesign-figma --get-figmate-key-id)

which ignores everything Git passes and substitutes the output of --get-figmate-key-id, a new flag in systems/smimesign-figma that walks the macOS Keychain and returns the key id of the current device-trust cert. Git's user.signingkey is left blank, documented as intentional, so engineers are not confused by a config value that doesn't matter.
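A fuller version of the wrapper, as an added example here and not Figma's actual smimesign-figma-wrapper or any code from the post: it keeps the same shape (ignore what Git passes, exec the real program with a looked-up key id) but makes the watch-outs above explicit. It checks that Git's argument shape is still the one the wrapper was written for and refuses anything else, warns when a caller-supplied key id is present, and fails closed when the lookup errors or returns nothing instead of handing the signer an empty -u value. The path /usr/local/bin/smimesign-figma, the key_lookup function, the warning text and the exit codes are assumptions; --get-figmate-key-id and the --status-fd=2 -bsau <key> shape are from the post.

```sh
#!/bin/sh
# Added example of the wrapper pattern; this is not Figma's smimesign-figma-wrapper.
# Hypothetical pieces: the REAL_PROGRAM path, the key_lookup function, the warning
# text and exit codes are stand-ins. The caller's argument shape
# (--status-fd=2 -bsau <key>) is what Git passes to gpg.x509.program.
set -eu

# Absolute path on purpose: the real program is not looked up via PATH.
REAL_PROGRAM="${REAL_PROGRAM:-/usr/local/bin/smimesign-figma}"

# key_lookup: the dynamic lookup. Here it shells out to the real program's
# lookup flag; an offline test can redefine this function instead.
key_lookup() {
  "$REAL_PROGRAM" --get-figmate-key-id
}

# check_caller_args: confirm the caller still speaks the protocol this wrapper
# was written against (exactly: --status-fd=2 -bsau <key>). A different shape
# means the caller changed; refuse rather than silently discard what it sent.
check_caller_args() {
  if [ "$#" -ne 3 ] || [ "$1" != "--status-fd=2" ] || [ "$2" != "-bsau" ]; then
    echo "wrapper: unexpected caller arguments: $*" >&2
    return 2
  fi
  # The key id the caller passes is ignored by design; say so when one is set,
  # because a non-blank user.signingkey means someone thinks it matters.
  if [ -n "$3" ]; then
    echo "wrapper: ignoring caller-supplied key id '$3' (user.signingkey should be blank)" >&2
  fi
}

# resolve_key_id: run the lookup and fail closed. A bare $(...) would turn a
# failed or empty lookup into "-bsau ''" handed to the signer.
resolve_key_id() {
  _id=$(key_lookup) || return 1
  [ -n "$_id" ] || return 1
  printf '%s\n' "$_id"
}

# build_command: the exact command line the real program will receive, printed
# as one line. Returns 2 on protocol drift, 1 on lookup failure, 0 otherwise.
build_command() {
  check_caller_args "$@" || return $?
  _key=$(resolve_key_id) || { echo "wrapper: key id lookup failed" >&2; return 1; }
  printf '%s --status-fd=2 -bsau %s\n' "$REAL_PROGRAM" "$_key"
}

# main: what runs when Git invokes the wrapper. exec hands the signer Git's
# stdin, stdout and fd 2 (where --status-fd=2 points) directly, so Git sees
# the signer's status lines and exit code with no wrapper in between.
main() {
  check_caller_args "$@" || exit $?
  _key=$(resolve_key_id) || { echo "wrapper: key id lookup failed" >&2; exit 1; }
  exec "$REAL_PROGRAM" --status-fd=2 -bsau "$_key"
}

# Git always passes arguments; with none, the file is being sourced for testing.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Register the script as gpg.x509.program exactly as the post does with its one-liner; the only behavioural differences are that a changed Git invocation or a failed Keychain lookup now produces an error on stderr and a non-zero exit instead of a malformed signing call.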

Source: sources/2026-04-21-figma-enforcing-device-trust-on-code-changes
