Add ops-warden-warden-sign-token routing lane for RAILIANCE-WP-0005 T08

Document the railiance-platform credential broker as the owner-native path
for scoped VAULT_TOKEN needs. Add catalog entry, playbook, and doc updates
so warden route find ranks the broker lane first; manual export remains a
documented fallback only.
This commit is contained in:
2026-07-01 23:16:38 +02:00
parent c96b27051f
commit 0c1082059b
7 changed files with 217 additions and 16 deletions

View File

@@ -76,6 +76,26 @@ def test_real_catalog_has_one_executed_lane():
assert [e.id for e in executed] == ["ssh-cert-host-access"]
def test_ops_warden_warden_sign_lane_has_native_exec():
"""RAILIANCE-WP-0005 T08 — broker lane routes to railiance-platform credential exec."""
catalog = load_catalog(_repo_catalog())
e = catalog.get("ops-warden-warden-sign-token")
assert e is not None and e.is_active and e.owner_repo == "railiance-platform"
assert e.has_native_exec is True
assert e.exec_owner == "railiance-platform"
assert "credential.py exec" in e.exec_command
assert "ops-warden/warden-sign" in e.exec_command
assert "credential-exec-ops-warden-smoke" in e.pointer_command
assert e.warden_executes is False
assert e.resolvable is False # broker lane — owner exec, not warden access --fetch
def test_route_find_vault_token_ops_warden_prefers_broker_lane():
catalog = load_catalog(_repo_catalog())
matches = catalog.find("VAULT_TOKEN ops-warden warden sign", limit=3)
assert matches[0].id == "ops-warden-warden-sign-token"
def test_whynot_design_npm_lane_is_concrete_and_resolvable():
"""The provisioned npm publish lane has no placeholders and reports resolvable."""
catalog = load_catalog(_repo_catalog())
@@ -125,6 +145,16 @@ def test_cli_show_native_exec_json(repo_catalog_env):
assert "primary" in data["next_action"] and "secrets-engine" in data["next_action"]
def test_cli_show_warden_sign_broker_json(repo_catalog_env):
result = runner.invoke(app, ["route", "show", "ops-warden-warden-sign-token", "--json"])
assert result.exit_code == 0
data = json.loads(result.stdout)
assert data["owner_repo"] == "railiance-platform"
assert data["exec_owner"] == "railiance-platform"
assert "credential.py exec" in data["exec_command"]
assert "primary" in data["next_action"] and "railiance-platform" in data["next_action"]
def test_no_double_source_rule_rejects_routed_steps(tmp_path):
bad = dict(ROUTED_ENTRY)
bad["steps"] = ["do a thing on OpenBao"] # non-SSH entry must not carry steps