Files

tegwick 8bbd22285e feat(WARDEN-WP-0016): ops-bridge cert_command readiness gate + handoff

Close ops-warden's side of the last Partial INTENT criterion (ops-bridge integrates
via a stable cert_command). The migration playbook and contract already existed; what
was missing was an automated readiness gate before touching tunnel config.

T1 — scripts/check_tunnel_cert_readiness.py: read-only preflight that asserts the
cert_command path is ready without signing — config/backend, actor inventory + TTL
within type max, pubkey exists/parses/not-private, principals present, and optional
host-principal deployment (mirrors check_principals_drift). Exit 0/1/2.

T2 — opt-in --sign-smoke: runs the cert_command against the local backend and validates
identity/principals/TTL of the emitted cert; refuses a vault backend. Window measured
from the cert's own valid_from->valid_before so it's timezone-robust (fixes a CEST
off-by-2h artifact). integration-marked test + a vault-refusal unit test.

T3 — playbook now leads with Step 0 readiness gate; ops-bridge handoff message sent.
T4 — SCOPE INTENT row: Partial -> Pilot-ready; known-gaps + SSH-lane list updated.

9 unit + 1 integration test, 209 default passing, lint clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-27 19:50:28 +02:00

5.0 KiB

Raw Blame History

id, type, title, domain, repo, status, owner, topic_slug, planning_priority, planning_order, created, updated, state_hub_workstream_id

id	type	title	domain	repo	status	owner	topic_slug	planning_priority	planning_order	created	updated	state_hub_workstream_id
WARDEN-WP-0016	workplan	ops-bridge cert_command pilot — readiness gate + handoff	infotech	ops-warden	finished	claude	custodian	high	16	2026-06-27	2026-06-27	a56da8db-38bc-4bbe-8671-823360ec9245

WARDEN-WP-0016 — ops-bridge cert_command pilot (readiness gate + handoff)

Scope: Close ops-warden's side of the last Partial INTENT criterion — "ops-bridge integrates via a stable cert_command". The migration playbook (wiki/playbooks/ops-bridge-tunnel-cert.md, WP-0013) and the cert_command contract (wiki/CertCommandInterface.md) already exist, but the pilot has never been run because the readiness checks are scattered manual checkboxes across three owners (ops-warden, ops-bridge, railiance-infra). This WP ships the automated readiness gate an operator runs before touching tunnel config, plus an offline cert_command contract smoke, and hands the verified pilot to ops-bridge.

Boundary (unchanged): ops-warden issues certs and verifies its own side is ready. The live tunnel cutover is ops-bridge's to execute — this WP does not (cannot) flip a running tunnel. "Done" here means pilot-ready and handed off, not tunnel migrated.

Out of scope: editing ~/.config/bridge/tunnels.yaml (ops-bridge owns it); deploying host principals (railiance-infra); requiring a live OpenBao token for the contract smoke (use the local backend).

Depends on: WP-0013 (playbook + contract), the SSH lane (prod-verified).

Tasks

T1 — Read-only `cert_command` readiness preflight

id: WARDEN-WP-0016-T01
status: done
priority: high
state_hub_task_id: "fea84495-dbec-480a-b42b-90e39f414b78"

scripts/check_tunnel_cert_readiness.py — given --actor, --pubkey, --config (warden.yaml) and optional --infra (ssh_principals.yaml), asserts the cert_command path is ready without signing anything: config loads + backend known; actor in inventory with a valid type + TTL within the type max; pubkey file exists, parses, and is not a private key; actor principals present; (optional) principals deployed in the infra file (mirrors check_principals_drift._infra_principals). Exit 0/1/2.
Checklist-style report (✓/✗/·); never prints a private key or token.
Tests: tests/test_tunnel_cert_readiness.py (ready, unknown actor, missing/private pubkey, infra present/missing, TTL-over-max, cert_command string). 9 unit cases.

T2 — Offline cert_command contract smoke

id: WARDEN-WP-0016-T02
status: done
priority: medium
state_hub_task_id: "e34ae1a8-2ba9-4324-8d1a-005d61dae478"

Opt-in --sign-smoke mode runs the actual cert_command against the local backend and validates the emitted cert: identity matches the actor, principals match inventory, validity window within the type's max TTL. Refuses a vault backend (must be offline). Proves the contract end to end with no live OpenBao.
Window measured from the cert's own valid_from→valid_before (via parse_cert_metadata) so it is timezone-robust — fixes a CEST off-by-2h artifact where local-time ssh-keygen output was read as UTC.
integration-marked test (needs ssh-keygen, skipped in the default suite) plus a non-integration test that --sign-smoke refuses a vault backend.

T3 — Playbook gate + ops-bridge handoff

id: WARDEN-WP-0016-T03
status: done
priority: medium
state_hub_task_id: "330e01f4-4927-4280-b0e0-49d35b4416d6"

wiki/playbooks/ops-bridge-tunnel-cert.md now leads with Step 0 — Readiness gate (the exact check_tunnel_cert_readiness.py invocation + --sign-smoke note); the manual checklist remains as the human-readable backing.
Sent ops-bridge the coordination handoff (pilot agt-state-hub-bridge, the readiness-gate command, and the cutover steps ops-bridge owns).

T4 — INTENT/SCOPE alignment

id: WARDEN-WP-0016-T04
status: done
priority: low
state_hub_task_id: "4726f5bb-4ffd-484f-8674-91ee5658434f"

SCOPE: INTENT gap row moved from "Partial — tunnels still static-key" to "Pilot-ready — readiness gate shipped; live cutover handed to ops-bridge"; known-gaps row updated; readiness script added to the implemented SSH-lane list.

Acceptance

scripts/check_tunnel_cert_readiness.py gates the pilot read-only and is tested.
The offline contract smoke validates a real cert against the local backend.
The playbook leads with the automated gate; ops-bridge has the handoff with exact steps.
No secret material in any script, test, doc, or log. ops-warden's boundary is intact: it verifies and hands off; ops-bridge executes the cutover.

5.0 KiB Raw Blame History