generated from coulomb/repo-seed
feat(WARDEN-WP-0014): T1 — structured handoff fields in routing catalog
Adds optional assist-layer fields (auth_method, path_template, fetch_command, exec_capable, policy_ref) to RouteEntry, parsed and secret-screened in catalog.py. Handoff fields are templates/pointers only — _assert_no_secret_material rejects known token prefixes and high-entropy runs, and exec_capable requires a fetch_command. The openbao-api-key entry is populated as the reference example (covers the coulomb_social npm shape). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@@ -110,6 +110,60 @@ def test_missing_catalog_file():
|
||||
load_catalog(Path("/nonexistent/catalog.yaml"))
|
||||
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Structured handoff fields (WP-0014, T1)
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
def test_handoff_fields_parse_on_routed_entry(tmp_path):
|
||||
entry = dict(ROUTED_ENTRY)
|
||||
entry["auth_method"] = "key-cape OIDC → bao login -method=oidc role=<domain>"
|
||||
entry["path_template"] = "platform/workloads/<domain>/<workload>/<bundle>"
|
||||
entry["fetch_command"] = "bao kv get -field=<FIELD> <path_template>"
|
||||
entry["policy_ref"] = "flex-auth check secret.read:<domain>"
|
||||
entry["exec_capable"] = True
|
||||
catalog = load_catalog(_write_catalog(tmp_path, [entry]))
|
||||
e = catalog.get("openbao-api-key")
|
||||
assert e.has_handoff is True
|
||||
assert e.exec_capable is True
|
||||
assert e.path_template.startswith("platform/workloads/")
|
||||
|
||||
|
||||
def test_real_catalog_openbao_entry_has_handoff():
|
||||
e = load_catalog(_repo_catalog()).get("openbao-api-key")
|
||||
assert e is not None and e.has_handoff and e.exec_capable
|
||||
assert "<" in e.path_template and "<" in e.fetch_command # templates, not values
|
||||
|
||||
|
||||
def test_exec_capable_without_fetch_command_rejected(tmp_path):
|
||||
bad = dict(ROUTED_ENTRY)
|
||||
bad["exec_capable"] = True # no fetch_command
|
||||
with pytest.raises(CatalogError, match="fetch_command"):
|
||||
load_catalog(_write_catalog(tmp_path, [bad]))
|
||||
|
||||
|
||||
@pytest.mark.parametrize(
|
||||
"leaked",
|
||||
[
|
||||
"bao write x token=ghp_abcdef0123456789abcdef0123", # github token prefix
|
||||
"x=AKIAIOSFODNN7EXAMPLE", # aws key id
|
||||
"header=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9", # jwt prefix
|
||||
"val=ZmFrZXNlY3JldDEyMzQ1Njc4OWFiY2RlZmdoaWprbA", # high-entropy run
|
||||
],
|
||||
)
|
||||
def test_handoff_secret_material_rejected(tmp_path, leaked):
|
||||
bad = dict(ROUTED_ENTRY)
|
||||
bad["fetch_command"] = leaked
|
||||
with pytest.raises(CatalogError, match="secret|high-entropy"):
|
||||
load_catalog(_write_catalog(tmp_path, [bad]))
|
||||
|
||||
|
||||
def test_handoff_template_with_placeholders_accepted(tmp_path):
|
||||
ok = dict(ROUTED_ENTRY)
|
||||
ok["fetch_command"] = "bao kv get -field=<FIELD> platform/workloads/<domain>/<bundle>"
|
||||
catalog = load_catalog(_write_catalog(tmp_path, [ok]))
|
||||
assert catalog.get("openbao-api-key").fetch_command.startswith("bao kv get")
|
||||
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# find ranking
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
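Review bot: The secret-screen test `test_handoff_secret_material_rejected` only ever plants the leaked value in `fetch_command`, so the suite would still pass if `_assert_no_secret_material` were applied to that one field and skipped `auth_method`, `path_template` and `policy_ref`, which the commit message says are screened too. Stack a second parametrize over the field name: `@pytest.mark.parametrize("field", ["auth_method", "path_template", "fetch_command", "policy_ref"])`, change the signature to `def test_handoff_secret_material_rejected(tmp_path, field, leaked):` and the body to `bad[field] = leaked`. There is also no negative `has_handoff` case — a routed entry with none of the optional fields set presumably reports `has_handoff is False`, and pinning that would catch a regression where the flag is derived from the wrong condition; that is inferred from the field names, so confirm against catalog.py. The hunk opens on the last line of `test_missing_catalog_file`, whose body starts outside the hunk.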