2d77e3e3e0
Add capability registry scaffold (REUSE-WP-0014-T06 B04)
2026-06-16 01:56:08 +02:00
f831d541d5
Refresh agent instruction files
2026-05-18 16:55:47 +02:00
f1d17a2fd5
chore(consistency): sync task status from DB [auto]
...
Updated by fix-consistency on 2026-05-15:
- update .custodian-brief.md for ops-warden
2026-05-15 17:06:06 +02:00
f3547acd0b
feat(warden): WARDEN-WP-0003 — test coverage, permissions, status --state-dir
...
- File permissions: os.chmod(cert, 0o600) after every sign in LocalCA and
VaultCA; chmod(privkey, 0o600) and chmod(pubkey, 0o644) after generate_keypair
- Scorecard: add check_file_permissions() that flags world/group-readable
cert and key files; run_scorecard now returns 6 checks
- warden status --state-dir: bypasses config loading entirely for operators
who have a cert but no warden.yaml installed
- tests/test_vault.py: 11 VaultCA unit tests covering success, HTTP 403,
RequestError, missing token, missing role, missing pubkey, TTL enforcement,
eviction, signatures log, and cert mode 600
- tests/test_ca.py: generate_keypair tests (paths, args, overwrite, error,
permissions) and cert mode 600 assertion after sign
- tests/test_scorecard.py: file_permissions check tests (pass, fail cert,
fail keys dir); scorecard count updated to 6
- tests/test_cli.py: covers sign, issue, status, scorecard, inventory, log,
cleanup commands using CliRunner and tmp config/inventory files
- tests/test_integration.py: @pytest.mark.integration tests against real
ssh-keygen; excluded from default suite via pyproject addopts
- pyproject.toml: addopts = "-m 'not integration'", integration marker declared
All 100 unit tests pass; 3 integration tests pass; ruff clean.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-15 17:05:38 +02:00
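Added example, not the project's code: a scorecard-style permission check of the kind the commit above describes, in plain Python. The directory layout (`certs/*-cert.pub`, `keys/<name>`, `keys/<name>.pub`), the function names and the sample files are assumptions for illustration. Certificates are treated like private keys (0600) because an SSH cert plus its key is a bearer credential; only bare `.pub` keys are allowed to be world-readable (0644). The check compares the actual mode against the strictest allowed mode with a bitmask, so it also catches an extra owner-execute bit, not just group/world read.

```python
import os
import stat
import tempfile
from pathlib import Path

# Layout assumed for this example (not the project's real layout):
#   <state_dir>/certs/<actor>-cert.pub   signed certificates  -> 0600
#   <state_dir>/keys/<name>              private keys         -> 0600
#   <state_dir>/keys/<name>.pub          public keys          -> 0644


def expected_mode(path) -> int:
    """Strictest mode a file of this kind is allowed to have."""
    path = Path(path)
    if path.name.endswith("-cert.pub"):
        return 0o600      # a cert is a bearer credential, treat it like a key
    if path.suffix == ".pub":
        return 0o644      # plain public keys may be world-readable
    return 0o600          # everything else under state_dir is a private key


def check_file_permissions(state_dir):
    """Return (relative path, actual mode, expected mode) for every regular file
    under state_dir that carries permission bits beyond what expected_mode allows."""
    state_dir = Path(state_dir)
    findings = []
    for path in state_dir.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        actual = stat.S_IMODE(path.stat().st_mode)
        allowed = expected_mode(path)
        if actual & ~allowed:     # any bit set that the allowed mode does not grant
            rel = path.relative_to(state_dir).as_posix()
            findings.append((rel, f"{actual:04o}", f"{allowed:04o}"))
    return sorted(findings)


def harden(path):
    """Clamp a file to its expected mode (what the commit does after sign/generate)."""
    path = Path(path)
    os.chmod(path, expected_mode(path))


def _write(path: Path, text: str, mode: int):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)
    os.chmod(path, mode)      # set explicitly so the umask does not decide the result


def demo():
    """Constructed fixture: two files left loose, two already correct.
    Returns (findings before hardening, findings after)."""
    with tempfile.TemporaryDirectory() as tmp:
        state = Path(tmp)
        _write(state / "certs" / "alice-cert.pub",
               "ssh-ed25519-cert-v01@openssh.com AAAA...\n", 0o644)
        _write(state / "keys" / "ca",
               "-----BEGIN OPENSSH PRIVATE KEY-----\n...\n", 0o600)
        _write(state / "keys" / "ca.pub", "ssh-ed25519 AAAA...\n", 0o644)
        _write(state / "keys" / "deploy",
               "-----BEGIN OPENSSH PRIVATE KEY-----\n...\n", 0o640)
        before = check_file_permissions(state)
        for rel, _, _ in before:
            harden(state / rel)
        after = check_file_permissions(state)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    for finding in before:
        print("FAIL %s is %s, expected %s" % finding)
    print("clean after harden:", after == [])
```

The check deliberately looks only at mode bits, so it gives the same verdict whether it runs as the operator or as root; it does not consider the directory modes or ACLs, which a real scorecard would also want to cover.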
cd1e385bc1
chore(consistency): sync task status from DB [auto]
...
Updated by fix-consistency on 2026-05-15:
- update .custodian-brief.md for ops-warden
2026-05-15 15:54:34 +02:00
1896e2e67c
chore: remove swap file, add *.swp to .gitignore
2026-05-15 15:53:58 +02:00
9857ed1424
feat(warden): implement WARDEN-WP-0002 correctness and operational completeness
...
T1 — TTL max enforcement:
- models.py: MAX_TTL_HOURS policy constant
- ca.py: _enforce_ttl() raises CAError when spec.ttl_hours > type max
- Called at top of LocalCA.sign() and VaultCA.sign()
- scorecard.py: check_ttl_policy() — flags certs with issued TTL > type max
- run_scorecard() now returns 5 checks
T2 — Stale cert cleanup:
- ca.py: _evict_cert() removes existing cert before writing new one (no accumulation)
- cli.py: warden cleanup [actor] [--dry-run] command
- check_no_stale_certs detail suggests 'warden cleanup' when stale certs found
T3 — Outgoing signatures log:
- ca.py: _append_signature_log() writes JSONL to state_dir/signatures.log
- Called after every successful sign() in LocalCA and VaultCA
- cli.py: warden log [actor] [--last N] [--json] command
- parse_cert_metadata now also returns valid_from (needed for TTL policy check)
61 tests passing, ruff clean.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-15 15:53:10 +02:00
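Added example, not the project's code, covering the three tasks in the commit above in one self-contained Python block: a TTL cap per actor type that rejects a sign request before anything is signed, an append-only JSONL signatures log with the `[actor] [--last N]` filtering the `warden log` command offers, and a scorecard check that recomputes each cert's issued TTL from `valid_to - valid_from`, which is why the parser has to expose `valid_from`. The `MAX_TTL_HOURS` values, the record fields and the cert metadata are assumptions; the page does not give the real ones.

```python
import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumed policy table; the real MAX_TTL_HOURS values in models.py are not on the page.
MAX_TTL_HOURS = {"human": 12, "service": 1, "ci": 4}


class CAError(Exception):
    """Raised when a sign request violates policy (the commit's _enforce_ttl path)."""


def enforce_ttl(actor_type: str, ttl_hours: float) -> float:
    """Reject a TTL that is non-positive, has no policy, or exceeds the type max.
    Called before signing, so an over-long cert is never produced."""
    limit = MAX_TTL_HOURS.get(actor_type)
    if limit is None:
        raise CAError(f"no TTL policy for actor type {actor_type!r}")
    if ttl_hours <= 0:
        raise CAError(f"ttl_hours must be positive, got {ttl_hours}")
    if ttl_hours > limit:
        raise CAError(f"ttl {ttl_hours}h exceeds {actor_type} max of {limit}h")
    return ttl_hours


def append_signature_log(log_path, actor, actor_type, key_id, principals,
                         ttl_hours, now=None):
    """Append one JSON object per successful sign, one per line (JSONL)."""
    now = now or datetime.now(timezone.utc)
    record = {
        "ts": now.isoformat(timespec="seconds"),
        "actor": actor,
        "actor_type": actor_type,
        "key_id": key_id,
        "principals": list(principals),
        "ttl_hours": ttl_hours,
        "valid_to": (now + timedelta(hours=ttl_hours)).isoformat(timespec="seconds"),
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def read_signature_log(log_path, actor=None, last=None):
    """Records oldest-first, optionally filtered by actor and cut to the last N."""
    log_path = Path(log_path)
    if not log_path.exists():
        return []
    lines = log_path.read_text(encoding="utf-8").splitlines()
    records = [json.loads(line) for line in lines if line.strip()]
    if actor is not None:
        records = [r for r in records if r["actor"] == actor]
    if last is not None:
        records = records[-last:]
    return records


def check_ttl_policy(cert_meta):
    """Scorecard-style check over parsed certs: issued TTL = valid_to - valid_from.
    Returns (key_id, issued_hours, limit) for every cert over its type's max."""
    violations = []
    for meta in cert_meta:
        issued = (meta["valid_to"] - meta["valid_from"]) / timedelta(hours=1)
        limit = MAX_TTL_HOURS.get(meta["actor_type"])
        if limit is None or issued > limit:
            violations.append((meta["key_id"], round(issued, 2), limit))
    return violations


def demo():
    t0 = datetime(2026, 5, 15, 12, 0, tzinfo=timezone.utc)   # fixed clock, reproducible log
    result = {"accepted": enforce_ttl("human", 8)}
    try:
        enforce_ttl("service", 2)
    except CAError as exc:
        result["rejected"] = str(exc)
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "signatures.log"
        append_signature_log(log, "alice", "human", "alice@2026-05-15",
                             ["alice", "ops"], 8, now=t0)
        append_signature_log(log, "deploy-bot", "service", "deploy-bot@2026-05-15",
                             ["deploy"], 1, now=t0 + timedelta(minutes=5))
        append_signature_log(log, "alice", "human", "alice@2026-05-15b",
                             ["alice"], 4, now=t0 + timedelta(hours=9))
        result["alice_last1"] = [r["key_id"] for r in
                                 read_signature_log(log, actor="alice", last=1)]
        result["total"] = len(read_signature_log(log))
    # Constructed cert metadata in the shape a parser might return; bob's cert
    # carries a 36 h validity window, well over the assumed 12 h human limit.
    certs = [
        {"key_id": "alice@2026-05-15", "actor_type": "human",
         "valid_from": t0, "valid_to": t0 + timedelta(hours=8)},
        {"key_id": "bob@2026-05-14", "actor_type": "human",
         "valid_from": t0 - timedelta(days=1), "valid_to": t0 + timedelta(hours=12)},
    ]
    result["ttl_violations"] = check_ttl_policy(certs)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

Note that `check_ttl_policy` is the cert-side counterpart of `enforce_ttl`: the first stops bad requests, the second catches certs that were issued before the cap existed, by another CA, or with a policy that has since been tightened.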
66e93e5e5c
chore(consistency): sync task status from DB [auto]
...
Updated by fix-consistency on 2026-05-15:
- update .custodian-brief.md for ops-warden
2026-05-15 15:32:41 +02:00
acf566d92e
chore(workplans): add planning_priority and planning_order to WP-0002 and WP-0003
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-15 15:32:19 +02:00
6d51245cbd
chore(consistency): sync task status from DB [auto]
...
Updated by fix-consistency on 2026-05-15:
- update .custodian-brief.md for ops-warden
2026-05-15 15:28:56 +02:00
c66cb1b0fe
chore(workplans): add WARDEN-WP-0002 and WARDEN-WP-0003
...
WP-0002 — Correctness and Operational Completeness (priority: high)
T1: TTL max enforcement per ActorType
T2: Stale cert cleanup command (warden cleanup)
T3: Outgoing signatures log (warden log)
WP-0003 — Test Coverage and Code Quality (priority: medium)
T1: VaultCA tests
T2: LocalCA.generate_keypair tests
T3: CLI tests (test_cli.py)
T4: Real ssh-keygen integration test
T5: File permissions enforcement (mode 600)
T6: warden status --state-dir override
Both registered in Custodian State Hub under ops-warden repo (74df727e).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-15 15:28:31 +02:00
26391b0479
chore(workplan): mark WARDEN-WP-0001 all tasks done
...
All 10 tasks complete; 42 tests passing, ruff clean.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-15 14:33:12 +02:00
9ae395de68
chore(consistency): sync task status from DB [auto]
...
Updated by fix-consistency on 2026-05-15:
- update .custodian-brief.md for ops-warden
2026-05-15 13:50:51 +02:00
42ca370085
feat(bootstrap): WARDEN-WP-0001 initial implementation — 42 tests passing
...
- LocalCA: ssh-keygen -s signing, keypair generation, cert parsing via ssh-keygen -L
- VaultCA: Vault SSH engine backend via httpx
- Inventory: YAML actor registry with ActorType, principals, TTL policy
- Scorecard: four cert-side compliance checks (prefixes, principals, no expired/stale)
- CLI: sign (cert_command interface), issue, status, scorecard, inventory subcommands
- ops-ssh-wrapper: acquire cert and exec SSH command
- Fix: principal parser stops at section headers containing ':' (Critical Options, Extensions)
- Move WARDEN-WP-0001 workplan from ops-bridge; register repo in state-hub (74df727e)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-15 13:27:49 +02:00
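Added example, not the project's code: a parser for the text that `ssh-keygen -L -f <cert>` prints, written to avoid the bug the commit above fixes, where the principal list kept consuming lines until it swallowed the `Critical Options:` and `Extensions:` headers. Here every `Name: value` line ends the previous list, so a list can never run past the next header. The sample output is constructed in the shape ssh-keygen prints (fixed-width indentation, `(none)` for empty lists); the fingerprints are placeholders and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape `ssh-keygen -L -f alice-cert.pub` prints.
# The fingerprints are placeholders, not from a real certificate.
SAMPLE_SSH_KEYGEN_L = """\
/tmp/alice-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:0000000000000000000000000000000000000000000
        Signing CA: ED25519 SHA256:1111111111111111111111111111111111111111111 (using ssh-ed25519)
        Key ID: "alice@2026-05-15"
        Serial: 7
        Valid: from 2026-05-15T12:00:00 to 2026-05-15T20:00:00
        Principals: 
                alice
                ops
        Critical Options: (none)
        Extensions: 
                permit-pty
                permit-user-rc
"""

# A field header is "Name: value"; the name is letters and spaces only, so the
# leading "<path>:" line and values such as "SHA256:..." do not qualify.
HEADER = re.compile(r"^([A-Z][A-Za-z ]+):\s*(.*)$")
LIST_FIELDS = {"Principals": "principals",
               "Critical Options": "critical_options",
               "Extensions": "extensions"}


def parse_cert_metadata(text):
    """Parse ssh-keygen -L output into a dict. Lists (principals, critical
    options, extensions) end at the next header line, never at EOF only."""
    meta = {"type": None, "key_id": None, "serial": None,
            "valid_from": None, "valid_to": None,
            "principals": [], "critical_options": [], "extensions": []}
    current = None                       # list currently being filled, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            name, value = m.group(1), m.group(2)
            current = LIST_FIELDS.get(name)   # None for scalar fields: closes any list
            if name == "Type":
                meta["type"] = value
            elif name == "Key ID":
                meta["key_id"] = value.strip('"')
            elif name == "Serial":
                meta["serial"] = int(value)
            elif name == "Valid":
                vm = re.match(r"from (\S+) to (\S+)", value)
                if vm:                    # "Valid: forever" leaves both as None
                    meta["valid_from"] = datetime.fromisoformat(vm.group(1))
                    meta["valid_to"] = datetime.fromisoformat(vm.group(2))
            elif current and value and value != "(none)":
                meta[current].append(value)   # single item printed inline
            continue
        if current is not None:
            meta[current].append(line)       # indented list item under the open header
        # anything else (the "<path>:" line) is ignored
    return meta


def validity_hours(meta):
    """Issued TTL in hours, or None for a cert valid forever."""
    if meta["valid_from"] is None or meta["valid_to"] is None:
        return None
    return (meta["valid_to"] - meta["valid_from"]) / timedelta(hours=1)


if __name__ == "__main__":
    meta = parse_cert_metadata(SAMPLE_SSH_KEYGEN_L)
    print(meta["key_id"], meta["principals"], meta["extensions"], validity_hours(meta))
```

One caveat a practitioner should keep in mind: ssh-keygen prints validity times in local time without a zone, so the naive datetimes returned here are only comparable with each other or with a clock converted to the same local zone. A principal that itself looked like `Word: value` would be misread as a header; real principals are user names and do not contain colons, but a stricter parser could key on the indentation depth instead.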
fee16417b8
chore(consistency): sync task status from DB [auto]
...
Updated by fix-consistency on 2026-05-15:
- update .custodian-brief.md for ops-warden
2026-05-15 12:14:32 +02:00
5ae6b988aa
Initial Commit
2026-03-28 00:45:43 +00:00
Coulomb Social
a436a7569d
Initial commit
2026-03-28 00:35:11 +00:00