generated from coulomb/repo-seed
chore(workplans): sync BRIDGE-WP-0004 and WARDEN-WP-0001 tasks to state hub
Both workplans had been registered as active workstreams but tasks were never ingested — the markdown checkbox format was invisible to the consistency checker, which requires task code blocks. Activated both workplans (draft→active) and added task blocks with state_hub_task_id for all 19 tasks (9 + 10). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -4,7 +4,7 @@ type: workplan
|
||||
title: "AccessManagementDirective Alignment"
|
||||
domain: custodian
|
||||
repo: ops-bridge
|
||||
status: draft
|
||||
status: active
|
||||
owner: Bernd
|
||||
topic_slug: custodian
|
||||
created: "2026-03-28"
|
||||
@@ -118,6 +118,14 @@ SIEM auditability.
|
||||
## Tasks
|
||||
|
||||
### T1 — ActorType enum
|
||||
|
||||
```task
|
||||
id: BRIDGE-WP-0004-T1
|
||||
state_hub_task_id: 40c7f818-8233-4b84-9a0e-5f5359a47504
|
||||
status: todo
|
||||
priority: high
|
||||
```
|
||||
|
||||
- [ ] `models.py`: replace `actor_class: str` in `ActorInfo` with `actor_type: ActorType`
|
||||
- [ ] `config.py`: accept legacy `"human"` → `ActorType.ADM` and `"automation"` →
|
||||
`ActorType.ATM` with a `DeprecationWarning`; reject unknown values
|
||||
@@ -127,12 +135,28 @@ SIEM auditability.
|
||||
- [ ] Update tests
|
||||
|
||||
### T2 — cert_command config field
|
||||
|
||||
```task
|
||||
id: BRIDGE-WP-0004-T2
|
||||
state_hub_task_id: d69ac3b8-6c68-4da0-976f-0cce2ee626d6
|
||||
status: todo
|
||||
priority: high
|
||||
```
|
||||
|
||||
- [ ] `models.py`: add `cert_command: Optional[str] = None` to `TunnelConfig`
|
||||
- [ ] `config.py`: parse `cert_command` from tunnel YAML; no validation of the string
|
||||
content (shell-level freedom intentional)
|
||||
- [ ] Document in config example / SCOPE.md
|
||||
|
||||
### T3 — Cert acquisition in manager
|
||||
|
||||
```task
|
||||
id: BRIDGE-WP-0004-T3
|
||||
state_hub_task_id: b93be1e4-dd32-4e9c-a085-c5bf81108d97
|
||||
status: todo
|
||||
priority: high
|
||||
```
|
||||
|
||||
- [ ] `manager.py`: extract cert acquisition into `_acquire_cert(cfg) -> Optional[Path]`
|
||||
- If `cfg.cert_command` is None: return None (static key mode)
|
||||
- Run `cert_command` via `subprocess.run(shell=True, capture_output=True)`
|
||||
@@ -144,6 +168,14 @@ SIEM auditability.
|
||||
so every reconnect gets a fresh cert
|
||||
|
||||
### T4 — cert_identity in audit log
|
||||
|
||||
```task
|
||||
id: BRIDGE-WP-0004-T4
|
||||
state_hub_task_id: bc29cc2a-1d77-48d8-97d3-54a49de0550e
|
||||
status: todo
|
||||
priority: high
|
||||
```
|
||||
|
||||
- [ ] `manager.py`: after cert acquisition, parse `ssh-keygen -L -f <cert>` output to
|
||||
extract `Key ID` (the `-I` value from signing time)
|
||||
- [ ] Add `cert_identity: Optional[str]` to `AuditLogger.log()` signature; include in
|
||||
@@ -152,6 +184,14 @@ SIEM auditability.
|
||||
- [ ] `AuditEvent`: no new events needed; `cert_identity` is metadata on existing events
|
||||
|
||||
### T5 — TTL-aware cert refresh
|
||||
|
||||
```task
|
||||
id: BRIDGE-WP-0004-T5
|
||||
state_hub_task_id: cc3aee49-7821-4a11-a331-be562aa88d91
|
||||
status: todo
|
||||
priority: high
|
||||
```
|
||||
|
||||
- [ ] `manager.py`: after successful cert acquisition, parse `Valid before:` timestamp
|
||||
from `ssh-keygen -L` output → `cert_expires_at: datetime`
|
||||
- [ ] In the health-check/wait loop, check `datetime.now(utc) >= cert_expires_at - timedelta(minutes=5)`
|
||||
@@ -164,6 +204,14 @@ SIEM auditability.
|
||||
- [ ] If `cert_command` is absent, skip all TTL logic entirely
|
||||
|
||||
### T6 — `bridge cert-status` command
|
||||
|
||||
```task
|
||||
id: BRIDGE-WP-0004-T6
|
||||
state_hub_task_id: b10275fc-bfe2-49a9-a83e-dd0dec796efd
|
||||
status: todo
|
||||
priority: medium
|
||||
```
|
||||
|
||||
- [ ] `cli.py`: add `cert-status [TUNNEL]` subcommand
|
||||
- [ ] For each tunnel (or the named one): read cert file from state dir if present,
|
||||
run `ssh-keygen -L`, display: identity, principals, valid-from, valid-until,
|
||||
@@ -172,6 +220,14 @@ SIEM auditability.
|
||||
- [ ] `--json` flag for machine-readable output
|
||||
|
||||
### T7 — CertAcquisitionError handling
|
||||
|
||||
```task
|
||||
id: BRIDGE-WP-0004-T7
|
||||
state_hub_task_id: de355a7c-f07e-452e-974f-4ddf362b24a6
|
||||
status: todo
|
||||
priority: high
|
||||
```
|
||||
|
||||
- [ ] New exception `CertAcquisitionError` in `models.py`
|
||||
- [ ] In `_run_loop`: catch `CertAcquisitionError`, log `AuditEvent.BRIDGE_DISCONNECTED`
|
||||
with `detail="cert acquisition failed: <stderr>"`, apply normal backoff and retry
|
||||
@@ -179,6 +235,14 @@ SIEM auditability.
|
||||
- [ ] After `max_attempts` consecutive cert failures, transition to `FAILED` state
|
||||
|
||||
### T8 — SCOPE.md and documentation updates
|
||||
|
||||
```task
|
||||
id: BRIDGE-WP-0004-T8
|
||||
state_hub_task_id: 40f5364b-f9e1-41cb-90e5-2b19511108f1
|
||||
status: todo
|
||||
priority: medium
|
||||
```
|
||||
|
||||
- [ ] Update `SCOPE.md`: replace "Identity/credential management (uses existing SSH keys)"
|
||||
with the pluggable cert_command model; add ops-warden as related repo; update
|
||||
actor terminology to adm/agt/atm; update Current State
|
||||
@@ -189,6 +253,14 @@ SIEM auditability.
|
||||
- [ ] Update `.claude/rules/architecture.md`: add cert lifecycle to architecture description
|
||||
|
||||
### T9 — Tests
|
||||
|
||||
```task
|
||||
id: BRIDGE-WP-0004-T9
|
||||
state_hub_task_id: fc1d1321-c1d0-4a0a-ae2e-d9ec9939dd6a
|
||||
status: todo
|
||||
priority: high
|
||||
```
|
||||
|
||||
- [ ] `test_config.py`: actor name prefix validation (adm/agt/atm); legacy class mapping;
|
||||
cert_command parse
|
||||
- [ ] `test_manager.py`: mock `cert_command` subprocess; verify cert path appended to SSH
|
||||
|
||||
Reference in New Issue
Block a user