generated from coulomb/repo-seed
WARDEN-WP-0004: repo hygiene and hub sync
Update SCOPE and README to reflect the shipped warden CLI, fill agent rules for stack/architecture/boundary, archive finished workplans 0001–0003, and register WP-0004 in State Hub.
This commit is contained in:
@@ -1,8 +1,63 @@
|
||||
## Architecture
|
||||
|
||||
<!-- TODO: Describe the key design decisions and component structure.
|
||||
Key modules, data flows, external integrations, state machines, etc. -->
|
||||
ops-warden owns **credential issuance only** — CA signing, actor inventory, TTL
|
||||
policy, and cert-side compliance checks. It does not manage tunnels, host SSH
|
||||
config, or long-lived API keys.
|
||||
|
||||
### Module layout
|
||||
|
||||
```
|
||||
src/warden/
|
||||
├── cli.py # Typer commands: sign, issue, status, scorecard, cleanup, log, inventory
|
||||
├── models.py # ActorType, CertSpec, CertRecord, TTL policy
|
||||
├── config.py # ~/.config/warden/warden.yaml loader
|
||||
├── ca.py # LocalCA (ssh-keygen -s), CABackend base, signatures log, eviction
|
||||
├── vault.py # VaultCA — Vault/OpenBao SSH secrets engine API
|
||||
├── inventory.py # inventory.yaml load/save
|
||||
├── scorecard.py # §5 cert-side compliance checks
|
||||
└── scripts/
|
||||
└── ops_ssh_wrapper.py # WARDEN_ACTOR + ssh-add + exec wrapper
|
||||
```
|
||||
|
||||
### Backend selection
|
||||
|
||||
Config key `backend: local | vault` selects the CA implementation. Both expose the
|
||||
same CLI and `cert_command` contract — callers (principally `ops-bridge`) never
|
||||
branch on backend.
|
||||
|
||||
### Signing flow
|
||||
|
||||
```
|
||||
warden sign <actor> --pubkey <path>
|
||||
→ load_config() + load_inventory()
|
||||
→ validate actor name prefix (adm-/agt-/atm-)
|
||||
→ enforce_ttl() against ActorType max
|
||||
→ CABackend.sign(CertSpec)
|
||||
→ evict previous cert for actor
|
||||
→ sign (ssh-keygen -s or Vault API)
|
||||
→ write cert to state_dir (mode 600)
|
||||
→ append signatures.log (JSONL)
|
||||
→ cert text on stdout (cert_command contract)
|
||||
```
|
||||
|
||||
### External integrations
|
||||
|
||||
| Integration | Role |
|
||||
|-------------|------|
|
||||
| `ssh-keygen` | Local CA signing and cert metadata parsing |
|
||||
| Vault/OpenBao SSH engine | Production signing via HTTP API (`vault.py`) |
|
||||
| `ops-bridge` | Primary consumer of `warden sign` via `cert_command` |
|
||||
| `railiance-infra` | Host-side `/etc/ssh/auth_principals/` deployment (out of scope here) |
|
||||
|
||||
### cert_command contract
|
||||
|
||||
```
|
||||
warden sign <actor-name> --pubkey <path>
|
||||
```
|
||||
|
||||
Writes signed certificate to stdout. Non-zero exit on failure. Documented in
|
||||
`wiki/CertCommandInterface.md`.
|
||||
|
||||
## Quick Reference
|
||||
|
||||
`~/state-hub/mcp_server/TOOLS.md` — MCP tool reference
|
||||
`~/state-hub/mcp_server/TOOLS.md` — MCP tool reference
|
||||
@@ -2,7 +2,16 @@
|
||||
|
||||
This repo owns **ops-warden** only. It does not own:
|
||||
|
||||
<!-- TODO: List what belongs in adjacent repos, e.g.:
|
||||
- SSH key management → railiance-infra/
|
||||
- State hub code → state-hub/
|
||||
-->
|
||||
| Concern | Owner |
|
||||
|---------|-------|
|
||||
| Tunnel lifecycle, `cert_command` wiring in tunnels | `ops-bridge` |
|
||||
| Host SSH principal files, force-command wrappers | `railiance-infra` |
|
||||
| Vault/OpenBao cluster deployment and unseal ceremony | `railiance-platform` |
|
||||
| Inter-Hub operator API keys, provider API keys (e.g. OpenRouter) | OpenBao / operator secret store |
|
||||
| State Hub service code and consistency tooling | `state-hub` |
|
||||
| Workstream coordination across custodian domain | `the-custodian` |
|
||||
| Human admin SSH key generation | self-service (`ssh-keygen`) |
|
||||
|
||||
ops-warden issues **short-lived SSH certificates** only. It is not a general
|
||||
secrets manager and must not store long-lived API keys in Git, State Hub, or
|
||||
workplans.
|
||||
@@ -1,19 +1,35 @@
|
||||
## Stack
|
||||
|
||||
<!-- TODO: Fill in language, frameworks, and key dependencies -->
|
||||
- **Language:**
|
||||
- **Key deps:**
|
||||
- **Language:** Python 3.11+
|
||||
- **CLI:** Typer + Rich
|
||||
- **Key deps:** pyyaml, httpx (Vault/OpenBao API); ssh-keygen subprocess (local CA)
|
||||
- **Packaging:** hatchling + uv
|
||||
|
||||
## Dev Commands
|
||||
|
||||
```bash
|
||||
# TODO: Fill in the standard commands for this repo
|
||||
|
||||
# Install dependencies
|
||||
uv sync
|
||||
|
||||
# Run tests
|
||||
# Run unit tests (integration tests excluded by default)
|
||||
uv run pytest
|
||||
|
||||
# Lint / type check
|
||||
# Run real ssh-keygen integration tests
|
||||
uv run pytest -m integration
|
||||
|
||||
# Build / package (if applicable)
|
||||
# Lint
|
||||
uv run ruff check .
|
||||
|
||||
# Install CLI locally
|
||||
uv tool install .
|
||||
|
||||
# CLI help
|
||||
warden --help
|
||||
ops-ssh-wrapper --help # after install
|
||||
```
|
||||
|
||||
Config and state paths:
|
||||
|
||||
- `~/.config/warden/warden.yaml` — backend selection (`local` | `vault`)
|
||||
- `~/.config/warden/inventory.yaml` — actor registry
|
||||
- `~/.local/state/warden/` — certs, keys, `signatures.log`
|
||||
Reference in New Issue
Block a user