feat(directive): implement BRIDGE-WP-0004 AccessManagementDirective alignment

- ActorType enum (adm/agt/atm) replaces actor_class string; config validates
  naming convention (adm-*/agt-*/atm-*) with hard ConfigError on mismatch;
  legacy 'human'/'automation' values accepted with DeprecationWarning
- cert_command: pluggable shell string run before each SSH launch; cert written
  to state dir; -i cert appended to SSH command alongside -i key
- TTL-aware cert refresh: parses Valid-to via ssh-keygen -L; pre-emptive restart
  5 min before expiry (no backoff, no attempt increment); CERT_EXPIRING logged
- CertAcquisitionError: cert failures trigger normal backoff/retry loop
- cert_identity: Key ID parsed from cert and recorded in BRIDGE_CONNECTED event
- bridge cert-status: new CLI command; exit 1 on expired cert; --json flag
- 233 tests passing, ruff clean

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/test_config.py

@@ -1,9 +1,11 @@
 """Tests for config loading."""
 import textwrap
+import warnings
 
 import pytest
 
 from bridge.config import ConfigError, load_config
+from bridge.models import ActorType
 
 
 VALID_YAML = textwrap.dedent("""\
@@ -14,7 +16,7 @@ VALID_YAML = textwrap.dedent("""\
         local_port: 8000
         ssh_user: ubuntu
         ssh_key: ~/.ssh/id_ops
-        actor: agent.claude-coulombcore
+        actor: agt-claude-coulombcore
         health_check:
           url: http://127.0.0.1:18000/health
           interval_seconds: 30
@@ -25,11 +27,11 @@ VALID_YAML = textwrap.dedent("""\
           backoff_max: 60
 
     actors:
-      agent.claude-coulombcore:
-        class: automation
+      agt-claude-coulombcore:
+        class: agt
         description: Claude Code agent on CoulombCore
-      operator.bernd:
-        class: human
+      adm-bernd:
+        class: adm
         description: Bernd Worsch
 """)
 
@@ -50,7 +52,7 @@ def test_load_valid_config(config_file, monkeypatch):
     assert t.remote_port == 18000
     assert t.local_port == 8000
     assert t.ssh_user == "ubuntu"
-    assert t.actor == "agent.claude-coulombcore"
+    assert t.actor == "agt-claude-coulombcore"
 
 
 def test_health_check_loaded(config_file, monkeypatch):
@@ -74,10 +76,10 @@ def test_reconnect_policy_loaded(config_file, monkeypatch):
 def test_actors_loaded(config_file, monkeypatch):
     monkeypatch.setenv("BRIDGE_CONFIG", str(config_file))
     cfg = load_config()
-    assert "agent.claude-coulombcore" in cfg.actors
-    a = cfg.actors["agent.claude-coulombcore"]
-    assert a.actor_class == "automation"
-    assert "operator.bernd" in cfg.actors
+    assert "agt-claude-coulombcore" in cfg.actors
+    a = cfg.actors["agt-claude-coulombcore"]
+    assert a.actor_type == ActorType.AGT
+    assert "adm-bernd" in cfg.actors
 
 
 def test_missing_required_field_raises(tmp_path, monkeypatch):
@@ -118,12 +120,180 @@ def test_tunnel_without_health_check(tmp_path, monkeypatch):
             local_port: 8000
             ssh_user: ubuntu
             ssh_key: ~/.ssh/id_rsa
-            actor: operator.bernd
+            actor: adm-bernd
         actors:
-          operator.bernd:
-            class: human
+          adm-bernd:
+            class: adm
             description: Bernd
     """))
     monkeypatch.setenv("BRIDGE_CONFIG", str(f))
     cfg = load_config()
     assert cfg.tunnels["simple"].health_check is None
+
+
+class TestActorTypeValidation:
+    def test_canonical_agt_accepted(self, tmp_path, monkeypatch):
+        f = tmp_path / "t.yaml"
+        f.write_text(textwrap.dedent("""\
+            tunnels:
+              t:
+                host: h
+                remote_port: 1
+                local_port: 2
+                ssh_user: u
+                ssh_key: ~/.ssh/k
+                actor: agt-claude
+            actors:
+              agt-claude:
+                class: agt
+        """))
+        monkeypatch.setenv("BRIDGE_CONFIG", str(f))
+        cfg = load_config()
+        assert cfg.actors["agt-claude"].actor_type == ActorType.AGT
+
+    def test_canonical_atm_accepted(self, tmp_path, monkeypatch):
+        f = tmp_path / "t.yaml"
+        f.write_text(textwrap.dedent("""\
+            tunnels:
+              t:
+                host: h
+                remote_port: 1
+                local_port: 2
+                ssh_user: u
+                ssh_key: ~/.ssh/k
+                actor: atm-backup
+            actors:
+              atm-backup:
+                class: atm
+        """))
+        monkeypatch.setenv("BRIDGE_CONFIG", str(f))
+        cfg = load_config()
+        assert cfg.actors["atm-backup"].actor_type == ActorType.ATM
+
+    def test_wrong_prefix_raises_config_error(self, tmp_path, monkeypatch):
+        f = tmp_path / "t.yaml"
+        f.write_text(textwrap.dedent("""\
+            tunnels:
+              t:
+                host: h
+                remote_port: 1
+                local_port: 2
+                ssh_user: u
+                ssh_key: ~/.ssh/k
+                actor: adm-bernd
+            actors:
+              adm-bernd:
+                class: agt
+        """))
+        monkeypatch.setenv("BRIDGE_CONFIG", str(f))
+        with pytest.raises(ConfigError, match="must start with 'agt-'"):
+            load_config()
+
+    def test_missing_prefix_raises_config_error(self, tmp_path, monkeypatch):
+        f = tmp_path / "t.yaml"
+        f.write_text(textwrap.dedent("""\
+            tunnels:
+              t:
+                host: h
+                remote_port: 1
+                local_port: 2
+                ssh_user: u
+                ssh_key: ~/.ssh/k
+                actor: operator.bernd
+            actors:
+              operator.bernd:
+                class: adm
+        """))
+        monkeypatch.setenv("BRIDGE_CONFIG", str(f))
+        with pytest.raises(ConfigError, match="must start with 'adm-'"):
+            load_config()
+
+    def test_unknown_class_raises_config_error(self, tmp_path, monkeypatch):
+        f = tmp_path / "t.yaml"
+        f.write_text(textwrap.dedent("""\
+            tunnels:
+              t:
+                host: h
+                remote_port: 1
+                local_port: 2
+                ssh_user: u
+                ssh_key: ~/.ssh/k
+                actor: adm-bernd
+            actors:
+              adm-bernd:
+                class: wizard
+        """))
+        monkeypatch.setenv("BRIDGE_CONFIG", str(f))
+        with pytest.raises(ConfigError, match="unknown class"):
+            load_config()
+
+    def test_legacy_human_maps_to_adm_with_warning(self, tmp_path, monkeypatch):
+        f = tmp_path / "t.yaml"
+        f.write_text(textwrap.dedent("""\
+            tunnels:
+              t:
+                host: h
+                remote_port: 1
+                local_port: 2
+                ssh_user: u
+                ssh_key: ~/.ssh/k
+                actor: adm-bernd
+            actors:
+              adm-bernd:
+                class: human
+        """))
+        monkeypatch.setenv("BRIDGE_CONFIG", str(f))
+        with warnings.catch_warnings(record=True) as w:
+            warnings.simplefilter("always")
+            cfg = load_config()
+        assert cfg.actors["adm-bernd"].actor_type == ActorType.ADM
+        assert any("deprecated" in str(x.message).lower() for x in w)
+
+    def test_legacy_automation_maps_to_atm_with_warning(self, tmp_path, monkeypatch):
+        f = tmp_path / "t.yaml"
+        f.write_text(textwrap.dedent("""\
+            tunnels:
+              t:
+                host: h
+                remote_port: 1
+                local_port: 2
+                ssh_user: u
+                ssh_key: ~/.ssh/k
+                actor: atm-cron
+            actors:
+              atm-cron:
+                class: automation
+        """))
+        monkeypatch.setenv("BRIDGE_CONFIG", str(f))
+        with warnings.catch_warnings(record=True) as w:
+            warnings.simplefilter("always")
+            cfg = load_config()
+        assert cfg.actors["atm-cron"].actor_type == ActorType.ATM
+        assert any("deprecated" in str(x.message).lower() for x in w)
+
+
+class TestCertCommandConfig:
+    def test_cert_command_parsed(self, tmp_path, monkeypatch):
+        f = tmp_path / "t.yaml"
+        f.write_text(textwrap.dedent("""\
+            tunnels:
+              t:
+                host: h
+                remote_port: 1
+                local_port: 2
+                ssh_user: u
+                ssh_key: ~/.ssh/k
+                actor: agt-bridge
+                cert_command: "warden sign agt-bridge --pubkey /tmp/k.pub"
+            actors:
+              agt-bridge:
+                class: agt
+        """))
+        monkeypatch.setenv("BRIDGE_CONFIG", str(f))
+        cfg = load_config()
+        assert cfg.tunnels["t"].cert_command == "warden sign agt-bridge --pubkey /tmp/k.pub"
+
+    def test_no_cert_command_is_none(self, config_file, monkeypatch):
+        monkeypatch.setenv("BRIDGE_CONFIG", str(config_file))
+        cfg = load_config()
+        assert cfg.tunnels["state-hub-coulombcore"].cert_command is None