feat(WARDEN-WP-0016): ops-bridge cert_command readiness gate + handoff

Close ops-warden's side of the last Partial INTENT criterion (ops-bridge integrates
via a stable cert_command). The migration playbook and contract already existed; what
was missing was an automated readiness gate before touching tunnel config.

T1 — scripts/check_tunnel_cert_readiness.py: read-only preflight that asserts the
cert_command path is ready without signing — config/backend, actor inventory + TTL
within type max, pubkey exists/parses/not-private, principals present, and optional
host-principal deployment (mirrors check_principals_drift). Exit 0/1/2.

T2 — opt-in --sign-smoke: runs the cert_command against the local backend and validates
identity/principals/TTL of the emitted cert; refuses a vault backend. Window measured
from the cert's own valid_from->valid_before so it's timezone-robust (fixes a CEST
off-by-2h artifact). integration-marked test + a vault-refusal unit test.

T3 — playbook now leads with Step 0 readiness gate; ops-bridge handoff message sent.
T4 — SCOPE INTENT row: Partial -> Pilot-ready; known-gaps + SSH-lane list updated.

9 unit + 1 integration test, 209 default passing, lint clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-27 19:50:28 +02:00
parent 45c24fba29
commit 8bbd22285e
6 changed files with 523 additions and 2 deletions


@@ -11,6 +11,28 @@ ops-warden documents the migration; **ops-bridge** owns tunnel config changes.
---
## Step 0 — Readiness gate (run this first)
Before editing any tunnel config, run the read-only readiness gate (WARDEN-WP-0016).
It confirms ops-warden's side is set — actor inventory, TTL, public key, and (optionally)
host principals — **without signing anything**:
```bash
python scripts/check_tunnel_cert_readiness.py \
--actor agt-state-hub-bridge \
--pubkey ~/.ssh/agt-state-hub-bridge_ed25519.pub \
--config ~/.config/warden/warden.yaml \
--infra ~/railiance-infra/ansible/inventory/ssh_principals.yaml
```
Exit 0 = ready, 1 = a check failed (fix before proceeding), 2 = bad input. The
Prerequisites and Migration checklist below are the human-readable backing for what the
gate verifies. To additionally prove the `cert_command` contract end to end against a
**local** backend (issues a throwaway cert, validates identity/principals/TTL), add
`--sign-smoke` with a local `warden.yaml`.
---
## Prerequisites
- [ ] Actor registered in `~/.config/warden/inventory.yaml` (see `wiki/ActorInventoryPatterns.md`)
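Review bot: The Step 0 text introduces the gate as "read-only" and "**without signing anything**", then recommends adding `--sign-smoke`, which the same paragraph says "issues a throwaway cert"; state explicitly that with `--sign-smoke` the run is no longer read-only, that it must only be pointed at a **local** `warden.yaml` (the commit message says it refuses a vault backend, which the playbook should repeat), and what happens to the emitted throwaway cert. Also, the example invocation lists `--infra ~/railiance-infra/ansible/inventory/ssh_principals.yaml` alongside the required flags, while the commit message describes the host-principal check as optional; mark `--infra` as optional in the example (or in the sentence above it) so an operator without the infra checkout does not treat a missing inventory as exit 2 "bad input".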