WARDEN-WP-0004: repo hygiene and hub sync

Update SCOPE and README to reflect the shipped warden CLI, fill agent
rules for stack/architecture/boundary, archive finished workplans
0001–0003, and register WP-0004 in State Hub.
This commit is contained in:
2026-06-17 07:33:49 +02:00
parent 3b951e8139
commit 9514ad914e
9 changed files with 260 additions and 23 deletions

View File

@@ -1,8 +1,63 @@
## Architecture
<!-- TODO: Describe the key design decisions and component structure.
Key modules, data flows, external integrations, state machines, etc. -->
ops-warden owns **credential issuance only** — CA signing, actor inventory, TTL
policy, and cert-side compliance checks. It does not manage tunnels, host SSH
config, or long-lived API keys.
### Module layout
```
src/warden/
├── cli.py # Typer commands: sign, issue, status, scorecard, cleanup, log, inventory
├── models.py # ActorType, CertSpec, CertRecord, TTL policy
├── config.py # ~/.config/warden/warden.yaml loader
├── ca.py # LocalCA (ssh-keygen -s), CABackend base, signatures log, eviction
├── vault.py # VaultCA — Vault/OpenBao SSH secrets engine API
├── inventory.py # inventory.yaml load/save
├── scorecard.py # §5 cert-side compliance checks
└── scripts/
└── ops_ssh_wrapper.py # WARDEN_ACTOR + ssh-add + exec wrapper
```
### Backend selection
Config key `backend: local | vault` selects the CA implementation. Both expose the
same CLI and `cert_command` contract — callers (principally `ops-bridge`) never
branch on backend.
### Signing flow
```
warden sign <actor> --pubkey <path>
→ load_config() + load_inventory()
→ validate actor name prefix (adm-/agt-/atm-)
→ enforce_ttl() against ActorType max
→ CABackend.sign(CertSpec)
→ evict previous cert for actor
→ sign (ssh-keygen -s or Vault API)
→ write cert to state_dir (mode 600)
→ append signatures.log (JSONL)
→ cert text on stdout (cert_command contract)
```
### External integrations
| Integration | Role |
|-------------|------|
| `ssh-keygen` | Local CA signing and cert metadata parsing |
| Vault/OpenBao SSH engine | Production signing via HTTP API (`vault.py`) |
| `ops-bridge` | Primary consumer of `warden sign` via `cert_command` |
| `railiance-infra` | Host-side `/etc/ssh/auth_principals/` deployment (out of scope here) |
### cert_command contract
```
warden sign <actor-name> --pubkey <path>
```
Writes signed certificate to stdout. Non-zero exit on failure. Documented in
`wiki/CertCommandInterface.md`.
## Quick Reference
`~/state-hub/mcp_server/TOOLS.md` — MCP tool reference
`~/state-hub/mcp_server/TOOLS.md` — MCP tool reference

View File

@@ -2,7 +2,16 @@
This repo owns **ops-warden** only. It does not own:
<!-- TODO: List what belongs in adjacent repos, e.g.:
- SSH key management → railiance-infra/
- State hub code → state-hub/
-->
| Concern | Owner |
|---------|-------|
| Tunnel lifecycle, `cert_command` wiring in tunnels | `ops-bridge` |
| Host SSH principal files, force-command wrappers | `railiance-infra` |
| Vault/OpenBao cluster deployment and unseal ceremony | `railiance-platform` |
| Inter-Hub operator API keys, provider API keys (e.g. OpenRouter) | OpenBao / operator secret store |
| State Hub service code and consistency tooling | `state-hub` |
| Workstream coordination across custodian domain | `the-custodian` |
| Human admin SSH key generation | self-service (`ssh-keygen`) |
ops-warden issues **short-lived SSH certificates** only. It is not a general
secrets manager and must not store long-lived API keys in Git, State Hub, or
workplans.

View File

@@ -1,19 +1,35 @@
## Stack
<!-- TODO: Fill in language, frameworks, and key dependencies -->
- **Language:**
- **Key deps:**
- **Language:** Python 3.11+
- **CLI:** Typer + Rich
- **Key deps:** pyyaml, httpx (Vault/OpenBao API); ssh-keygen subprocess (local CA)
- **Packaging:** hatchling + uv
## Dev Commands
```bash
# TODO: Fill in the standard commands for this repo
# Install dependencies
uv sync
# Run tests
# Run unit tests (integration tests excluded by default)
uv run pytest
# Lint / type check
# Run real ssh-keygen integration tests
uv run pytest -m integration
# Build / package (if applicable)
# Lint
uv run ruff check .
# Install CLI locally
uv tool install .
# CLI help
warden --help
ops-ssh-wrapper --help # after install
```
Config and state paths:
- `~/.config/warden/warden.yaml` — backend selection (`local` | `vault`)
- `~/.config/warden/inventory.yaml` — actor registry
- `~/.local/state/warden/` — certs, keys, `signatures.log`