feat: close WP-0009/WP-0013 production integration stewardship strand

Ship flex-auth policy gate registry and smoke evidence, archive WP-0009
through WP-0013, and add integration docs: ops-bridge cert_command
migration playbook, operator OpenBao token hygiene, principals drift
check script, and 2026-06-24 INTENT/SCOPE gap analysis.
This commit is contained in:
2026-06-24 12:44:32 +02:00
parent 1778b169da
commit 90007c2cda
24 changed files with 2192 additions and 121 deletions

View File

@@ -0,0 +1,34 @@
"""Tests for scripts/build_flex_auth_registry.py."""
import json
import subprocess
import sys
from pathlib import Path
import yaml
ROOT = Path(__file__).resolve().parents[1]
SCRIPT = ROOT / "scripts" / "build_flex_auth_registry.py"
INVENTORY = ROOT / "examples" / "inventory.seed.yaml"
def test_build_registry_from_inventory_seed(tmp_path):
out = tmp_path / "registry.json"
subprocess.run(
[sys.executable, str(SCRIPT), str(INVENTORY), "-o", str(out)],
check=True,
cwd=ROOT,
)
registry = json.loads(out.read_text())
actors = yaml.safe_load(INVENTORY.read_text())["actors"]
assert len(registry["subjects"]) == len(actors)
assert len(registry["resource_manifests"][0]["resources"]) == len(actors)
bridge = next(
r
for r in registry["resource_manifests"][0]["resources"]
if r["id"] == "ssh-cert:actor/agt-state-hub-bridge"
)
assert bridge["attributes"]["actor_type"] == "agt"
assert bridge["attributes"]["max_ttl_hours"] == 24
assert "agt-task-bridge" in bridge["attributes"]["allowed_principals"]

View File

@@ -0,0 +1,48 @@
"""Tests for scripts/check_principals_drift.py."""
import subprocess
import sys
from pathlib import Path
import yaml
ROOT = Path(__file__).resolve().parents[1]
SCRIPT = ROOT / "scripts" / "check_principals_drift.py"
def test_no_drift_when_aligned(tmp_path):
inv = tmp_path / "inventory.yaml"
infra = tmp_path / "ssh_principals.yaml"
inv.write_text(yaml.dump({
"actors": {"agt-test": {"type": "agt", "principals": ["agt-task-bridge"], "ttl_hours": 24}},
"hosts": {"host1": {"allowed_principals": {"agt": ["agt-task-bridge"]}}},
}))
infra.write_text(yaml.dump({
"ssh_principals": {"Host1": {"users": {"user1": ["agt-task-bridge"]}}},
}))
result = subprocess.run(
[sys.executable, str(SCRIPT), "--inventory", str(inv), "--infra", str(infra)],
cwd=ROOT,
capture_output=True,
text=True,
)
assert result.returncode == 0
assert "OK" in result.stdout
def test_drift_detected(tmp_path):
inv = tmp_path / "inventory.yaml"
infra = tmp_path / "ssh_principals.yaml"
inv.write_text(yaml.dump({
"hosts": {"host1": {"allowed_principals": {"agt": ["agt-missing"]}}},
}))
infra.write_text(yaml.dump({
"ssh_principals": {"Host1": {"users": {"user1": ["agt-other"]}}},
}))
result = subprocess.run(
[sys.executable, str(SCRIPT), "--inventory", str(inv), "--infra", str(infra)],
cwd=ROOT,
capture_output=True,
text=True,
)
assert result.returncode == 1
assert "DRIFT" in result.stdout