coulomb/ops-warden
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
46b340f45feb5b654ae46e736e937abceb5b7806
ops-warden/tests/test_access.py
tegwick 46b340f45f feat(WARDEN-WP-0017): make the access front door discoverable (not SSH-only) 
WP-0014 made ops-warden the operator access front door (warden access --fetch/--exec
proxies an exec_capable secret as the caller), but every discovery surface still told
the pre-WP-0014 "SSH certs only, pointer not key" story — so agents like whynot-design
never found the proxy and concluded they had to message ops-warden for a token value.

Messaging/discoverability only; the conduit security model is unchanged (no custody,
no broker).

T1 — CLI: `warden route` table warden column is now three-valued (issue/assist/route);
route + access JSON gain warden_role + exec_capable and a proxy-aware next_action;
`warden access` closing line leads with "ops-warden can fetch this for you as the
caller" for exec_capable lanes (route-only lanes keep "owner vends").

T2 — .claude/rules/credential-routing.md reframed (lead + routing table role column);
SCOPE one-liner + a second capability block for the access front door.

T3 — registered the State Hub capability "Operator access front door (caller-identity
fetch proxy)" (the hub had no ops-warden security capability at all); messaged
whynot-design the corrected `warden access "npm auth token" --fetch/--exec` path.

210 tests pass, lint clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-27 21:02:46 +02:00

112 lines
4.2 KiB
Python
Raw Blame History

"""Tests for the `warden access` operator front door (WP-0014 T2)."""
from __future__ import annotations
import json
from pathlib import Path
from typer.testing import CliRunner
from warden.access import expand_handoff, policy_gate_status
from warden.cli import app
from warden.routing.models import RouteEntry
runner = CliRunner()
def _repo_catalog() -> Path:
return Path(__file__).resolve().parents[1] / "registry" / "routing" / "catalog.yaml"
def _openbao_entry() -> RouteEntry:
return RouteEntry(
id="openbao-api-key",
title="API key, DB credential, or dynamic lease",
need_keywords=["api", "key", "npm", "token"],
owner_repo="railiance-platform",
subsystem="OpenBao",
warden_executes=False,
wiki_ref="wiki/CredentialRouting.md#routing-table",
canon_ref="net-kingdom/docs/x.md",
reviewed="2026-06-27",
status="active",
auth_method="key-cape OIDC → bao login -method=oidc role=<domain>",
path_template="platform/workloads/<domain>/<workload>/<bundle>",
fetch_command="bao kv get -field=<FIELD> <path_template>",
policy_ref="flex-auth check secret.read:<domain>",
exec_capable=True,
)
# --- pure expansion --------------------------------------------------------
def test_expand_inlines_path_template_token():
e = expand_handoff(_openbao_entry())
assert "<path_template>" not in e.fetch_command
assert e.fetch_command.startswith("bao kv get -field=<FIELD> platform/workloads/")
def test_expand_substitutes_domain():
e = expand_handoff(_openbao_entry(), domain="coulomb_social")
assert "coulomb_social" in e.path_template
assert "<domain>" not in e.path_template
assert "<domain>" not in e.auth_method
# owner-side names stay as placeholders — warden does not invent them
assert "<workload>" in e.path_template and "<bundle>" in e.path_template
def test_expand_without_domain_keeps_placeholder():
e = expand_handoff(_openbao_entry())
assert "<domain>" in e.path_template
def test_policy_gate_status_no_config(monkeypatch, tmp_path):
monkeypatch.setenv("WARDEN_CONFIG", str(tmp_path / "nope.yaml"))
assert "advisory" in policy_gate_status()
# --- CLI -------------------------------------------------------------------
def test_access_advisory_output(monkeypatch):
monkeypatch.setenv("WARDEN_ROUTING_CATALOG", str(_repo_catalog()))
r = runner.invoke(app, ["access", "npm token", "--domain", "coulomb_social"])
assert r.exit_code == 0
assert "railiance-platform" in r.stdout
assert "platform/workloads/coulomb_social/" in r.stdout
# npm is an exec_capable lane → the front door leads with the proxy, not "owner vends".
assert "can fetch this for you" in r.stdout
assert "never holds" in r.stdout
def test_access_route_only_lane_says_owner_vends(monkeypatch):
"""A non-exec lane (host principal deploy) keeps the advise-only framing."""
monkeypatch.setenv("WARDEN_ROUTING_CATALOG", str(_repo_catalog()))
r = runner.invoke(app, ["access", "host principal deploy"])
assert r.exit_code == 0
assert "warden advises, the owner vends" in r.stdout
def test_access_json_shape_is_secret_free(monkeypatch):
monkeypatch.setenv("WARDEN_ROUTING_CATALOG", str(_repo_catalog()))
r = runner.invoke(app, ["access", "npm token", "--domain", "coulomb_social", "--json"])
assert r.exit_code == 0
payload = json.loads(r.stdout)
assert payload["id"] == "openbao-api-key"
assert payload["domain"] == "coulomb_social"
assert payload["handoff"]["exec_capable"] is True
# only placeholders/templates — never a concrete credential
assert "<FIELD>" in payload["handoff"]["fetch_command"]
def test_access_ssh_lane_points_to_sign(monkeypatch):
monkeypatch.setenv("WARDEN_ROUTING_CATALOG", str(_repo_catalog()))
r = runner.invoke(app, ["access", "ssh cert for host access"])
assert r.exit_code == 0
assert "issues this directly" in r.stdout
assert "warden sign" in r.stdout
def test_access_no_match_exits_nonzero(monkeypatch):
monkeypatch.setenv("WARDEN_ROUTING_CATALOG", str(_repo_catalog()))
r = runner.invoke(app, ["access", "zzzz-no-such-need-xyzzy"])
assert r.exit_code == 1
Reference in New Issue View Git Blame Copy Permalink