generated from coulomb/repo-seed
Add ops-warden-warden-sign-token routing lane for RAILIANCE-WP-0005 T08
Document the railiance-platform credential broker as the owner-native path for scoped VAULT_TOKEN needs. Add catalog entry, playbook, and doc updates so warden route find ranks the broker lane first; manual export remains a documented fallback only.
This commit is contained in:
@@ -76,6 +76,26 @@ def test_real_catalog_has_one_executed_lane():
|
||||
assert [e.id for e in executed] == ["ssh-cert-host-access"]
|
||||
|
||||
|
||||
def test_ops_warden_warden_sign_lane_has_native_exec():
|
||||
"""RAILIANCE-WP-0005 T08 — broker lane routes to railiance-platform credential exec."""
|
||||
catalog = load_catalog(_repo_catalog())
|
||||
e = catalog.get("ops-warden-warden-sign-token")
|
||||
assert e is not None and e.is_active and e.owner_repo == "railiance-platform"
|
||||
assert e.has_native_exec is True
|
||||
assert e.exec_owner == "railiance-platform"
|
||||
assert "credential.py exec" in e.exec_command
|
||||
assert "ops-warden/warden-sign" in e.exec_command
|
||||
assert "credential-exec-ops-warden-smoke" in e.pointer_command
|
||||
assert e.warden_executes is False
|
||||
assert e.resolvable is False # broker lane — owner exec, not warden access --fetch
|
||||
|
||||
|
||||
def test_route_find_vault_token_ops_warden_prefers_broker_lane():
|
||||
catalog = load_catalog(_repo_catalog())
|
||||
matches = catalog.find("VAULT_TOKEN ops-warden warden sign", limit=3)
|
||||
assert matches[0].id == "ops-warden-warden-sign-token"
|
||||
|
||||
|
||||
def test_whynot_design_npm_lane_is_concrete_and_resolvable():
|
||||
"""The provisioned npm publish lane has no placeholders and reports resolvable."""
|
||||
catalog = load_catalog(_repo_catalog())
|
||||
@@ -125,6 +145,16 @@ def test_cli_show_native_exec_json(repo_catalog_env):
|
||||
assert "primary" in data["next_action"] and "secrets-engine" in data["next_action"]
|
||||
|
||||
|
||||
def test_cli_show_warden_sign_broker_json(repo_catalog_env):
|
||||
result = runner.invoke(app, ["route", "show", "ops-warden-warden-sign-token", "--json"])
|
||||
assert result.exit_code == 0
|
||||
data = json.loads(result.stdout)
|
||||
assert data["owner_repo"] == "railiance-platform"
|
||||
assert data["exec_owner"] == "railiance-platform"
|
||||
assert "credential.py exec" in data["exec_command"]
|
||||
assert "primary" in data["next_action"] and "railiance-platform" in data["next_action"]
|
||||
|
||||
|
||||
def test_no_double_source_rule_rejects_routed_steps(tmp_path):
|
||||
bad = dict(ROUTED_ENTRY)
|
||||
bad["steps"] = ["do a thing on OpenBao"] # non-SSH entry must not carry steps
|
||||
|
||||
Reference in New Issue
Block a user