coulomb/ops-warden
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
38 Commits 1 Branch 0 Tags
fdc8ecfc8b2e191f71b0035fd6e16807127a99c2
Commit Graph

20 Commits

Author SHA1 Message Date
tegwick
fdc8ecfc8b docs(WP-0008): T2 production sign verification passed (2026-06-18) 
Record live OpenBao SSH engine apply, host CA bootstrap, and warden sign smoke.
 2026-06-18 01:18:57 +02:00
tegwick
2d0f47324d docs(WP-0008): record NET-WP-0020 T5 artifacts and operator apply steps 
T2 remains wait until railiance-platform configure-ssh and railiance-infra
bootstrap-ssh-ca run against the live cluster.
 2026-06-18 01:06:43 +02:00
tegwick
e780af76d2 docs: WP-0008 T2 depends on NET-WP-0020 SSH automation path 2026-06-18 00:51:48 +02:00
tegwick
506963ca7e docs: record OpenBao SSH engine missing as WP-0008 T2 blocker 
Operator confirmed legacy SSH predates OpenBao; ssh/ mount not enabled.
Document migration paths and update workplan wait condition.
 2026-06-18 00:27:25 +02:00
tegwick
e0adc10896 feat(WP-0008): reassessment, task-status canon, archive hygiene 
- Post-WP-0007 reassessment and SCOPE/README updates
- AGENTS.md + workplan-convention task status canon migration
- examples/warden.production.example.yaml for production OpenBao
- Archive WP-0004 through WP-0007 to workplans/archived/260617-*
- WP-0008 T1/T3/T4 done; T2/T5 wait on operator/flex-auth
 2026-06-17 23:51:12 +02:00
tegwick
7e739a426d chore: index WP-0008 workstream in state hub 2026-06-17 23:34:51 +02:00
tegwick
bdd532d835 workplan: add WARDEN-WP-0008 production SSH path and stewardship closeout 
Establish follow-up after WP-0007: E2E OpenBao sign verification, post-policy
reassessment, task-status canon migration, and archive hygiene. Refresh SCOPE
to reflect shipped policy gate and active WP-0008.
 2026-06-17 23:34:13 +02:00
tegwick
64cacedefd chore: index WP-0007 workstream in state hub 2026-06-17 08:37:41 +02:00
tegwick
8e9383a33a feat: opt-in flex-auth policy gate and OpenBao verify (WP-0007) 
Add policy.py client that calls flex-auth /v1/check before sign/issue when
policy.enabled is true. Record policy_decision_id in signatures.log. Default
off preserves existing inventory-only behavior. Document production OpenBao
health probe and update config/wiki references.
 2026-06-17 08:37:14 +02:00
tegwick
1865e0744e WARDEN-WP-0006: NetKingdom stewardship docs and alignment 
Add credential routing, actor patterns, security map, OpenBao SSH
checklist, and policy-gated signing design. Update registry and SCOPE;
record INTENT↔SCOPE reassessment (C3 completeness).
 2026-06-17 08:22:45 +02:00
tegwick
ca1eaf3350 Define INTENT, refresh SCOPE, and plan NetKingdom stewardship 
Add ops-warden INTENT as operational access steward for NetKingdom
security (route credential lanes, align docs, issue SSH certs only).
Refresh SCOPE for stewardship scope, persist INTENT↔SCOPE gap assessment,
and open WARDEN-WP-0006 for routing runbooks and platform alignment.
 2026-06-17 08:20:32 +02:00
tegwick
15bf8cb543 WARDEN-WP-0005: OpenBao-first documentation alignment 
Document OpenBao as the platform production secrets service while keeping
the vault-compatible warden.yaml config shape. Update OpsWardenConfig,
SCOPE, and CertCommandInterface cross-references.
 2026-06-17 07:36:13 +02:00
tegwick
9514ad914e WARDEN-WP-0004: repo hygiene and hub sync 
Update SCOPE and README to reflect the shipped warden CLI, fill agent
rules for stack/architecture/boundary, archive finished workplans
0001–0003, and register WP-0004 in State Hub.
 2026-06-17 07:33:49 +02:00
tegwick
f3547acd0b feat(warden): WARDEN-WP-0003 — test coverage, permissions, status --state-dir 
- File permissions: os.chmod(cert, 0o600) after every sign in LocalCA and
  VaultCA; chmod(privkey, 0o600) and chmod(pubkey, 0o644) after generate_keypair
- Scorecard: add check_file_permissions() that flags world/group-readable
  cert and key files; run_scorecard now returns 6 checks
- warden status --state-dir: bypasses config loading entirely for operators
  who have a cert but no warden.yaml installed
- tests/test_vault.py: 11 VaultCA unit tests covering success, HTTP 403,
  RequestError, missing token, missing role, missing pubkey, TTL enforcement,
  eviction, signatures log, and cert mode 600
- tests/test_ca.py: generate_keypair tests (paths, args, overwrite, error,
  permissions) and cert mode 600 assertion after sign
- tests/test_scorecard.py: file_permissions check tests (pass, fail cert,
  fail keys dir); scorecard count updated to 6
- tests/test_cli.py: covers sign, issue, status, scorecard, inventory, log,
  cleanup commands using CliRunner and tmp config/inventory files
- tests/test_integration.py: @pytest.mark.integration tests against real
  ssh-keygen; excluded from default suite via pyproject addopts
- pyproject.toml: addopts = "-m 'not integration'", integration marker declared

All 100 unit tests pass; 3 integration tests pass; ruff clean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-15 17:05:38 +02:00
tegwick
9857ed1424 feat(warden): implement WARDEN-WP-0002 correctness and operational completeness 
T1 — TTL max enforcement:
  - models.py: MAX_TTL_HOURS policy constant
  - ca.py: _enforce_ttl() raises CAError when spec.ttl_hours > type max
  - Called at top of LocalCA.sign() and VaultCA.sign()
  - scorecard.py: check_ttl_policy() — flags certs with issued TTL > type max
  - run_scorecard() now returns 5 checks

T2 — Stale cert cleanup:
  - ca.py: _evict_cert() removes existing cert before writing new one (no accumulation)
  - cli.py: warden cleanup [actor] [--dry-run] command
  - check_no_stale_certs detail suggests 'warden cleanup' when stale certs found

T3 — Outgoing signatures log:
  - ca.py: _append_signature_log() writes JSONL to state_dir/signatures.log
  - Called after every successful sign() in LocalCA and VaultCA
  - cli.py: warden log [actor] [--last N] [--json] command
  - parse_cert_metadata now also returns valid_from (needed for TTL policy check)

61 tests passing, ruff clean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-15 15:53:10 +02:00
tegwick
acf566d92e chore(workplans): add planning_priority and planning_order to WP-0002 and WP-0003 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-15 15:32:19 +02:00
tegwick
c66cb1b0fe chore(workplans): add WARDEN-WP-0002 and WARDEN-WP-0003 
WP-0002 — Correctness and Operational Completeness (priority: high)
  T1: TTL max enforcement per ActorType
  T2: Stale cert cleanup command (warden cleanup)
  T3: Outgoing signatures log (warden log)

WP-0003 — Test Coverage and Code Quality (priority: medium)
  T1: VaultCA tests
  T2: LocalCA.generate_keypair tests
  T3: CLI tests (test_cli.py)
  T4: Real ssh-keygen integration test
  T5: File permissions enforcement (mode 600)
  T6: warden status --state-dir override

Both registered in Custodian State Hub under ops-warden repo (74df727e).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-15 15:28:31 +02:00
tegwick
26391b0479 chore(workplan): mark WARDEN-WP-0001 all tasks done 
All 10 tasks complete; 42 tests passing, ruff clean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-15 14:33:12 +02:00
tegwick
42ca370085 feat(bootstrap): WARDEN-WP-0001 initial implementation — 42 tests passing 
- LocalCA: ssh-keygen -s signing, keypair generation, cert parsing via ssh-keygen -L
- VaultCA: Vault SSH engine backend via httpx
- Inventory: YAML actor registry with ActorType, principals, TTL policy
- Scorecard: four cert-side compliance checks (prefixes, principals, no expired/stale)
- CLI: sign (cert_command interface), issue, status, scorecard, inventory subcommands
- ops-ssh-wrapper: acquire cert and exec SSH command
- Fix: principal parser stops at section headers containing ':' (Critical Options, Extensions)
- Move WARDEN-WP-0001 workplan from ops-bridge; register repo in state-hub (74df727e)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-15 13:27:49 +02:00
Bernd Worsch
5ae6b988aa Initial Commit 2026-03-28 00:45:43 +00:00