chore(workplans): sync BRIDGE-WP-0004 and WARDEN-WP-0001 tasks to state hub

Both workplans had been registered as active workstreams but tasks were
never ingested — the markdown checkbox format was invisible to the
consistency checker, which requires task code blocks. Activated both
workplans (draft→active) and added task blocks with state_hub_task_id
for all 19 tasks (9 + 10).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-05-15 00:29:51 +02:00
parent 569de1497c
commit 22601ef3e6
2 changed files with 154 additions and 2 deletions

View File

@@ -4,7 +4,7 @@ type: workplan
title: "AccessManagementDirective Alignment"
domain: custodian
repo: ops-bridge
status: draft
status: active
owner: Bernd
topic_slug: custodian
created: "2026-03-28"
@@ -118,6 +118,14 @@ SIEM auditability.
## Tasks
### T1 — ActorType enum
```task
id: BRIDGE-WP-0004-T1
state_hub_task_id: 40c7f818-8233-4b84-9a0e-5f5359a47504
status: todo
priority: high
```
- [ ] `models.py`: replace `actor_class: str` in `ActorInfo` with `actor_type: ActorType`
- [ ] `config.py`: accept legacy `"human"``ActorType.ADM` and `"automation"`
`ActorType.ATM` with a `DeprecationWarning`; reject unknown values
@@ -127,12 +135,28 @@ SIEM auditability.
- [ ] Update tests
### T2 — cert_command config field
```task
id: BRIDGE-WP-0004-T2
state_hub_task_id: d69ac3b8-6c68-4da0-976f-0cce2ee626d6
status: todo
priority: high
```
- [ ] `models.py`: add `cert_command: Optional[str] = None` to `TunnelConfig`
- [ ] `config.py`: parse `cert_command` from tunnel YAML; no validation of the string
content (shell-level freedom intentional)
- [ ] Document in config example / SCOPE.md
### T3 — Cert acquisition in manager
```task
id: BRIDGE-WP-0004-T3
state_hub_task_id: b93be1e4-dd32-4e9c-a085-c5bf81108d97
status: todo
priority: high
```
- [ ] `manager.py`: extract cert acquisition into `_acquire_cert(cfg) -> Optional[Path]`
- If `cfg.cert_command` is None: return None (static key mode)
- Run `cert_command` via `subprocess.run(shell=True, capture_output=True)`
@@ -144,6 +168,14 @@ SIEM auditability.
so every reconnect gets a fresh cert
### T4 — cert_identity in audit log
```task
id: BRIDGE-WP-0004-T4
state_hub_task_id: bc29cc2a-1d77-48d8-97d3-54a49de0550e
status: todo
priority: high
```
- [ ] `manager.py`: after cert acquisition, parse `ssh-keygen -L -f <cert>` output to
extract `Key ID` (the `-I` value from signing time)
- [ ] Add `cert_identity: Optional[str]` to `AuditLogger.log()` signature; include in
@@ -152,6 +184,14 @@ SIEM auditability.
- [ ] `AuditEvent`: no new events needed; `cert_identity` is metadata on existing events
### T5 — TTL-aware cert refresh
```task
id: BRIDGE-WP-0004-T5
state_hub_task_id: cc3aee49-7821-4a11-a331-be562aa88d91
status: todo
priority: high
```
- [ ] `manager.py`: after successful cert acquisition, parse `Valid before:` timestamp
from `ssh-keygen -L` output → `cert_expires_at: datetime`
- [ ] In the health-check/wait loop, check `datetime.now(utc) >= cert_expires_at - timedelta(minutes=5)`
@@ -164,6 +204,14 @@ SIEM auditability.
- [ ] If `cert_command` is absent, skip all TTL logic entirely
### T6 — `bridge cert-status` command
```task
id: BRIDGE-WP-0004-T6
state_hub_task_id: b10275fc-bfe2-49a9-a83e-dd0dec796efd
status: todo
priority: medium
```
- [ ] `cli.py`: add `cert-status [TUNNEL]` subcommand
- [ ] For each tunnel (or the named one): read cert file from state dir if present,
run `ssh-keygen -L`, display: identity, principals, valid-from, valid-until,
@@ -172,6 +220,14 @@ SIEM auditability.
- [ ] `--json` flag for machine-readable output
### T7 — CertAcquisitionError handling
```task
id: BRIDGE-WP-0004-T7
state_hub_task_id: de355a7c-f07e-452e-974f-4ddf362b24a6
status: todo
priority: high
```
- [ ] New exception `CertAcquisitionError` in `models.py`
- [ ] In `_run_loop`: catch `CertAcquisitionError`, log `AuditEvent.BRIDGE_DISCONNECTED`
with `detail="cert acquisition failed: <stderr>"`, apply normal backoff and retry
@@ -179,6 +235,14 @@ SIEM auditability.
- [ ] After `max_attempts` consecutive cert failures, transition to `FAILED` state
### T8 — SCOPE.md and documentation updates
```task
id: BRIDGE-WP-0004-T8
state_hub_task_id: 40f5364b-f9e1-41cb-90e5-2b19511108f1
status: todo
priority: medium
```
- [ ] Update `SCOPE.md`: replace "Identity/credential management (uses existing SSH keys)"
with the pluggable cert_command model; add ops-warden as related repo; update
actor terminology to adm/agt/atm; update Current State
@@ -189,6 +253,14 @@ SIEM auditability.
- [ ] Update `.claude/rules/architecture.md`: add cert lifecycle to architecture description
### T9 — Tests
```task
id: BRIDGE-WP-0004-T9
state_hub_task_id: fc1d1321-c1d0-4a0a-ae2e-d9ec9939dd6a
status: todo
priority: high
```
- [ ] `test_config.py`: actor name prefix validation (adm/agt/atm); legacy class mapping;
cert_command parse
- [ ] `test_manager.py`: mock `cert_command` subprocess; verify cert path appended to SSH