## Stack

- **Language:** Python 3.11+
- **CLI:** Typer + Rich
- **Key deps:** pyyaml, httpx (Vault/OpenBao API); ssh-keygen subprocess (local CA)
- **Packaging:** hatchling + uv

## Dev Commands

```bash
# Install dependencies
uv sync

# Run unit tests (integration tests excluded by default)
uv run pytest

# Run real ssh-keygen integration tests
uv run pytest -m integration

# Lint
uv run ruff check .

# Install CLI locally
uv tool install .

# CLI help
warden --help
ops-ssh-wrapper --help   # after install
```

Config and state paths:

- `~/.config/warden/warden.yaml` — backend selection (`local` | `vault`)
- `~/.config/warden/inventory.yaml` — actor registry
- `~/.local/state/warden/` — certs, keys, `signatures.log`