Commit Graph

3 Commits

Author SHA1 Message Date
9857ed1424 feat(warden): implement WARDEN-WP-0002 correctness and operational completeness
T1 — TTL max enforcement:
  - models.py: MAX_TTL_HOURS policy constant
  - ca.py: _enforce_ttl() raises CAError when spec.ttl_hours > type max
  - Called at top of LocalCA.sign() and VaultCA.sign()
  - scorecard.py: check_ttl_policy() — flags certs with issued TTL > type max
  - run_scorecard() now returns 5 checks

T2 — Stale cert cleanup:
  - ca.py: _evict_cert() removes existing cert before writing new one (no accumulation)
  - cli.py: warden cleanup [actor] [--dry-run] command
  - check_no_stale_certs detail suggests 'warden cleanup' when stale certs found

T3 — Outgoing signatures log:
  - ca.py: _append_signature_log() writes JSONL to state_dir/signatures.log
  - Called after every successful sign() in LocalCA and VaultCA
  - cli.py: warden log [actor] [--last N] [--json] command
  - parse_cert_metadata now also returns valid_from (needed for TTL policy check)

61 tests passing, ruff clean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-15 15:53:10 +02:00
acf566d92e chore(workplans): add planning_priority and planning_order to WP-0002 and WP-0003
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-15 15:32:19 +02:00
c66cb1b0fe chore(workplans): add WARDEN-WP-0002 and WARDEN-WP-0003
WP-0002 — Correctness and Operational Completeness (priority: high)
  T1: TTL max enforcement per ActorType
  T2: Stale cert cleanup command (warden cleanup)
  T3: Outgoing signatures log (warden log)

WP-0003 — Test Coverage and Code Quality (priority: medium)
  T1: VaultCA tests
  T2: LocalCA.generate_keypair tests
  T3: CLI tests (test_cli.py)
  T4: Real ssh-keygen integration test
  T5: File permissions enforcement (mode 600)
  T6: warden status --state-dir override

Both registered in Custodian State Hub under ops-warden repo (74df727e).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-15 15:28:31 +02:00