feat(directive): implement BRIDGE-WP-0004 AccessManagementDirective alignment

- ActorType enum (adm/agt/atm) replaces actor_class string; config validates naming convention (adm-*/agt-*/atm-*) with hard ConfigError on mismatch; legacy 'human'/'automation' values accepted with DeprecationWarning - cert_command: pluggable shell string run before each SSH launch; cert written to state dir; -i cert appended to SSH command alongside -i key - TTL-aware cert refresh: parses Valid-to via ssh-keygen -L; pre-emptive restart 5 min before expiry (no backoff, no attempt increment); CERT_EXPIRING logged - CertAcquisitionError: cert failures trigger normal backoff/retry loop - cert_identity: Key ID parsed from cert and recorded in BRIDGE_CONNECTED event - bridge cert-status: new CLI command; exit 1 on expired cert; --json flag - 233 tests passing, ruff clean Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-15 09:38:29 +02:00
parent 22601ef3e6
commit bd169a07e2
17 changed files with 730 additions and 145 deletions
--- a/tests/test_cli.py
+++ b/tests/test_cli.py
@@ -17,10 +17,10 @@ VALID_CONFIG = textwrap.dedent("""\
        local_port: 8000
        ssh_user: ubuntu
        ssh_key: ~/.ssh/id_ops
-        actor: operator.bernd
+        actor: adm-bernd
    actors:
-      operator.bernd:
-        class: human
+      adm-bernd:
+        class: adm
        description: Bernd
 """)

@@ -285,3 +285,56 @@ class TestRestartCommand:

        assert result.exit_code == 0
        assert call_order == ["stop", "start"]
+
+
+class TestCertStatusCommand:
+    @pytest.mark.capability("bridge_cert_status")
+    @pytest.mark.access_mode("cli")
+    def test_cert_status_no_cert_shows_static_key(self, env, state_dir):
+        result = runner.invoke(app, ["cert-status"], env=env)
+        assert result.exit_code == 0
+        assert "static-key" in result.output
+
+    def test_cert_status_json_no_cert(self, env, state_dir):
+        result = runner.invoke(app, ["cert-status", "--json"], env=env)
+        assert result.exit_code == 0
+        data = json.loads(result.output)
+        assert data[0]["mode"] == "static-key"
+
+    def test_cert_status_exit_1_on_expired(self, env, state_dir, tmp_path):
+        # Write a fake cert file in state dir; mock ssh-keygen to report expired
+        state_dir.mkdir(parents=True, exist_ok=True)
+        cert_file = state_dir / "test-tunnel-cert.pub"
+        cert_file.write_text("fake cert")
+        with patch("subprocess.run") as mock_run:
+            mock_run.return_value = MagicMock(
+                stdout=(
+                    "test-tunnel-cert.pub:\n"
+                    "        Key ID: \"agt-test\"\n"
+                    "        Valid: from 2026-01-01T00:00:00 to 2026-01-02T00:00:00\n"
+                ),
+                returncode=0,
+            )
+            result = runner.invoke(app, ["cert-status"], env=env)
+        assert result.exit_code == 1
+        assert "EXPIRED" in result.output
+
+    def test_cert_status_json_with_cert(self, env, state_dir):
+        state_dir.mkdir(parents=True, exist_ok=True)
+        cert_file = state_dir / "test-tunnel-cert.pub"
+        cert_file.write_text("fake cert")
+        with patch("subprocess.run") as mock_run:
+            mock_run.return_value = MagicMock(
+                stdout=(
+                    "test-tunnel-cert.pub:\n"
+                    "        Key ID: \"agt-test\"\n"
+                    "        Valid: from 2030-01-01T00:00:00 to 2030-01-02T00:00:00\n"
+                ),
+                returncode=0,
+            )
+            result = runner.invoke(app, ["cert-status", "--json"], env=env)
+        assert result.exit_code == 0
+        data = json.loads(result.output)
+        assert data[0]["mode"] == "cert"
+        assert data[0]["key_id"] == "agt-test"
+        assert data[0]["expired"] is False