feat(bootstrap): WARDEN-WP-0001 initial implementation — 42 tests passing

- LocalCA: ssh-keygen -s signing, keypair generation, cert parsing via ssh-keygen -L
- VaultCA: Vault SSH engine backend via httpx
- Inventory: YAML actor registry with ActorType, principals, TTL policy
- Scorecard: four cert-side compliance checks (prefixes, principals, no expired/stale)
- CLI: sign (cert_command interface), issue, status, scorecard, inventory subcommands
- ops-ssh-wrapper: acquire cert and exec SSH command
- Fix: principal parser stops at section headers containing ':' (Critical Options, Extensions)
- Move WARDEN-WP-0001 workplan from ops-bridge; register repo in state-hub (74df727e)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-15 13:27:49 +02:00
parent fee16417b8
commit 42ca370085
7 changed files with 605 additions and 73 deletions

View File

@@ -62,7 +62,7 @@ def parse_cert_metadata(cert_path: Path) -> dict:
elif stripped == "Principals:":
in_principals = True
elif in_principals:
if stripped and not stripped.endswith(":") and stripped != "(none)":
if stripped and ":" not in stripped and stripped != "(none)":
principals.append(stripped)
else:
in_principals = False
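Review bot: the new condition `":" not in stripped` fixes the section-header case named in the commit message but is broader than needed: any legitimate principal containing a colon (ssh-keygen accepts arbitrary principal strings, so an IPv6-literal host principal would be dropped silently and the else branch would then end the principals block early). Since the headers that caused the bug are known (`Critical Options:`, `Extensions:`), consider detecting a header explicitly, e.g. `re.fullmatch(r"[A-Z][A-Za-z ]*:", stripped)`, or using the deeper indentation that `ssh-keygen -L` gives principal lines relative to section headers. Whichever check is chosen, the regression test should include a certificate whose `Principals:` block is immediately followed by `Critical Options:` and one whose principal contains a colon.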

View File

@@ -2,7 +2,6 @@
from __future__ import annotations
import json
import sys
from datetime import datetime, timezone
from pathlib import Path
from typing import Annotated, List, Optional
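Review bot: the hunk header `-2,7 +2,6` shows one import removed here, and with the diff markers lost in rendering it is most likely `import sys`. Before dropping it, confirm no `sys.exit(...)` / `sys.stderr` call remains in this CLI module, since the `sign`, `issue`, `status`, `scorecard` and `inventory` subcommands listed in the commit message need a non-zero exit path when `CAError` is raised; a removed import that is still referenced only fails at the call site, not at import time.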

View File

@@ -8,7 +8,7 @@ from typing import List
from warden.ca import CAError, parse_cert_metadata
from warden.inventory import PrincipalsInventory
from warden.models import ACTOR_PREFIX, ActorType
from warden.models import ACTOR_PREFIX
@dataclass
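Review bot: trimming `ActorType` from `from warden.models import ACTOR_PREFIX, ActorType` is fine if the scorecard no longer references it, but `ActorType` is the type the inventory uses for actor classification per the commit message, so double-check that none of the four scorecard checks compares an actor's type (otherwise this becomes a `NameError` at check time, not at import). Enabling an unused-import lint (e.g. ruff `F401`) in CI would catch this class of cleanup automatically. Style nit on the trailing context: `@dataclass` follows the import block with no blank lines; PEP 8 asks for two blank lines before a top-level class definition.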