Implement WP-0022 audit trail and WP-0023 INTENT–SCOPE closeout
Add unified metadata-only audit.jsonl with secret-material guard, instrument sign/access/worker paths, and expose warden activity CLI. Surface broker hint when VAULT_TOKEN is unset, refresh INTENT/SCOPE docs, and add production integration checklists plus catalog lane promotion playbook.
@@ -165,6 +165,21 @@ def test_vault_ca_sign_missing_token(tmp_path, monkeypatch):
|
||||
ca.sign(spec)
|
||||
|
||||
|
||||
def test_vault_ca_sign_missing_token_shows_broker_hint(tmp_path, monkeypatch):
|
||||
monkeypatch.delenv("VAULT_TOKEN", raising=False)
|
||||
spec = _make_spec(tmp_path)
|
||||
ca = VaultCA(_make_cfg(), tmp_path / "state")
|
||||
|
||||
with pytest.raises(CAError) as exc:
|
||||
ca.sign(spec)
|
||||
|
||||
msg = str(exc.value)
|
||||
assert "ops-warden-warden-sign-token" in msg
|
||||
assert "credential.py exec" in msg
|
||||
assert "ops-warden/warden-sign" in msg
|
||||
assert "hvs." not in msg
|
||||
|
||||
|
||||
def test_vault_ca_sign_missing_role(tmp_path, monkeypatch):
|
||||
monkeypatch.setenv("VAULT_TOKEN", "fake-token")
|
||||
cfg = _make_cfg(role_map={}) # no roles mapped
|
||||
|
||||
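Review bot: The final `assert "hvs." not in msg` in test_vault_ca_sign_missing_token_shows_broker_hint cannot fail for the reason it is meant to guard against: VAULT_TOKEN is deleted on the test's first line, so there is no token value the message could echo, and the check only catches a token-shaped literal hard-coded in the hint. A redaction check is meaningful on a path where a token is present; in a test that sets a constructed sentinel such as `monkeypatch.setenv("VAULT_TOKEN", "hvs.CONSTRUCTED-SENTINEL")` and forces a CAError, assert `"CONSTRUCTED-SENTINEL" not in str(exc.value)`. If the prefix check stays, it should cover the other Vault token prefixes as well, `assert not any(p in msg for p in ("hvs.", "hvb.", "hvr."))`. test_vault_ca_sign_missing_role at the end of the hunk sets "fake-token" and continues outside the hunk, so whether it already asserts this is not visible here.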