ops-warden

coulomb/ops-warden

Fork 0

generated from coulomb/repo-seed

Commit Graph

Author	SHA1	Message	Date
tegwick	9857ed1424	feat(warden): implement WARDEN-WP-0002 correctness and operational completeness T1 — TTL max enforcement: - models.py: MAX_TTL_HOURS policy constant - ca.py: _enforce_ttl() raises CAError when spec.ttl_hours > type max - Called at top of LocalCA.sign() and VaultCA.sign() - scorecard.py: check_ttl_policy() — flags certs with issued TTL > type max - run_scorecard() now returns 5 checks T2 — Stale cert cleanup: - ca.py: _evict_cert() removes existing cert before writing new one (no accumulation) - cli.py: warden cleanup [actor] [--dry-run] command - check_no_stale_certs detail suggests 'warden cleanup' when stale certs found T3 — Outgoing signatures log: - ca.py: _append_signature_log() writes JSONL to state_dir/signatures.log - Called after every successful sign() in LocalCA and VaultCA - cli.py: warden log [actor] [--last N] [--json] command - parse_cert_metadata now also returns valid_from (needed for TTL policy check) 61 tests passing, ruff clean. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 15:53:10 +02:00
tegwick	42ca370085	feat(bootstrap): WARDEN-WP-0001 initial implementation — 42 tests passing - LocalCA: ssh-keygen -s signing, keypair generation, cert parsing via ssh-keygen -L - VaultCA: Vault SSH engine backend via httpx - Inventory: YAML actor registry with ActorType, principals, TTL policy - Scorecard: four cert-side compliance checks (prefixes, principals, no expired/stale) - CLI: sign (cert_command interface), issue, status, scorecard, inventory subcommands - ops-ssh-wrapper: acquire cert and exec SSH command - Fix: principal parser stops at section headers containing ':' (Critical Options, Extensions) - Move WARDEN-WP-0001 workplan from ops-bridge; register repo in state-hub (74df727e) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 13:27:49 +02:00
Bernd Worsch	5ae6b988aa	Initial Commit	2026-03-28 00:45:43 +00:00

Author

SHA1

Message

Date

tegwick

9857ed1424

feat(warden): implement WARDEN-WP-0002 correctness and operational completeness

T1 — TTL max enforcement:
  - models.py: MAX_TTL_HOURS policy constant
  - ca.py: _enforce_ttl() raises CAError when spec.ttl_hours > type max
  - Called at top of LocalCA.sign() and VaultCA.sign()
  - scorecard.py: check_ttl_policy() — flags certs with issued TTL > type max
  - run_scorecard() now returns 5 checks

T2 — Stale cert cleanup:
  - ca.py: _evict_cert() removes existing cert before writing new one (no accumulation)
  - cli.py: warden cleanup [actor] [--dry-run] command
  - check_no_stale_certs detail suggests 'warden cleanup' when stale certs found

T3 — Outgoing signatures log:
  - ca.py: _append_signature_log() writes JSONL to state_dir/signatures.log
  - Called after every successful sign() in LocalCA and VaultCA
  - cli.py: warden log [actor] [--last N] [--json] command
  - parse_cert_metadata now also returns valid_from (needed for TTL policy check)

61 tests passing, ruff clean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-15 15:53:10 +02:00

tegwick

42ca370085

feat(bootstrap): WARDEN-WP-0001 initial implementation — 42 tests passing

- LocalCA: ssh-keygen -s signing, keypair generation, cert parsing via ssh-keygen -L
- VaultCA: Vault SSH engine backend via httpx
- Inventory: YAML actor registry with ActorType, principals, TTL policy
- Scorecard: four cert-side compliance checks (prefixes, principals, no expired/stale)
- CLI: sign (cert_command interface), issue, status, scorecard, inventory subcommands
- ops-ssh-wrapper: acquire cert and exec SSH command
- Fix: principal parser stops at section headers containing ':' (Critical Options, Extensions)
- Move WARDEN-WP-0001 workplan from ops-bridge; register repo in state-hub (74df727e)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-15 13:27:49 +02:00

Bernd Worsch

5ae6b988aa

Initial Commit

2026-03-28 00:45:43 +00:00

3 Commits