tking/guildhouse-spire-plugins
SHA256
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
13 commits 1 branch 0 tags 404 KiB
Commit graph

8 commits

Author SHA256 Message Date
Tyler J King
f4f02b0e2e debug(gsap-attestor): include raw input and both parse errors in diagnostics 
Temporary diagnostic commit — surfaces the exact data SPIRE sends to
the Configure RPC so we can determine why JSON decode fails.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-05-13 08:32:16 -04:00
Tyler J King
646944ab2a fix(gsap-attestor): use HCL JSON mode for SPIRE plugin_data parsing 
SPIRE's chart renders plugin_data as JSON via reformat-and-yaml2json,
so hclsimple.Decode with "plugin.json" filename triggers HCL v2 JSON
mode. Falls back to native HCL for direct testing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-05-13 06:49:15 -04:00
Tyler J King
490c813586 fix(gsap-attestor): use spire-plugin-sdk for SPIRE compatibility 
The original implementation used hashicorp/go-plugin directly with a
custom handshake, which SPIRE rejected. Switch to spire-plugin-sdk's
pluginmain.Serve() for correct WorkloadAttestor protocol negotiation,
implement ConfigServer for plugin_data parsing, and return selector
values in key:value format (SPIRE infers the type prefix from the
plugin name). Config decoding tries JSON first (chart renders YAML
as JSON) then falls back to HCL.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-05-13 06:37:37 -04:00
Tyler J King
fe5e2cf3c6 feat(spire): gsap-attestor WorkloadAttestor plugin 
SPIRE WorkloadAttestor that reads governance env vars from /proc/{pid}/environ
(walking up the process tree to find gsh) and emits gsap: selectors on workload
SVIDs. Maps BASCULE_* vars set by bascule-shell and future GSH_* vars to the
11-selector vocabulary defined in gsap-types/src/selectors.rs.

- pkg/gsap/selectors.go: shared Go constants mirroring Rust vocabulary
- cmd/gsap-attestor/: plugin implementation with /proc reading, process tree
  walking, capability ceiling translation, and fail-open for non-governed processes
- 28 tests covering selector extraction, proc parsing, tree walking, and depth limits
- Makefile, Dockerfile, deploy config updated

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-05-13 03:59:08 -04:00
Tyler J King
5f62da6ca9 feat(spire): Keylime node attestor plugin — single TPM authority 
Custom SPIRE NodeAttestor that queries Keylime attestation status
instead of performing independent TPM attestation. Keylime remains
the single TPM authority in the stack.

Two data source strategies:
- ConfigMap (default): reads posture-current ConfigMap (recommended,
  consistent with single-consumer principle)
- Verifier: queries Keylime verifier REST API directly (for
  out-of-cluster SPIRE servers)

Fail-closed: unknown nodes, unreachable sources, degraded posture
all result in non-attested verdict — no SVID issued.

Maps posture level to attestation verdict:
  Normal(5)/Elevated(4) → Attested
  Restricted(3) → Pending
  Critical(2)/Lockdown(1) → Failed

8 unit tests covering ConfigMap source, verifier mapping, edge cases.

Signed-off-by: Tyler King <tking@guildhouse.dev>
Signed-off-by: Tyler J King <tking727@gmail.com>
 2026-04-15 20:35:45 -04:00
Tyler King
a58d548518 feat: network-policy extension, governance lifecycle, audit remediation 
- Network-policy SPIRE plugin extension
- Governance event notification with merkle anchoring
- Shellstream specs for consent channels + HFL embedded ABI
- All 17 audit findings from AUDIT.md remediated
- SSH credential composer + substrate key manager updates
- Test coverage for config + sshcert packages

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-18 15:54:46 -04:00
Tyler King
420a4e2ea0 Remediate all 17 audit findings from AUDIT.md 
Critical fixes:
- F-01: SatScope array form support (single pointer → slice with polymorphic JSON)
- F-02: Add governance-intent@guildhouse.dev as 10th Shellstream extension
- F-06: Replace os.Exit(1) stubs with go-plugin Serve() boilerplate in all cmd/
- F-13: Validate SatScope.ResourcePattern is non-empty

High priority:
- F-03: Add normative Accord policy syntax note to credential-governance.md §8.2
- F-04: Replace OID XXXXX placeholder with explicit PEN reference and IANA TODO
- F-05: Document CredentialComposer hook mapping in spec and plugin-types.md
- F-07/F-08: Commit CI pipeline (.github/workflows/ci.yaml)
- F-09: Add hashicorp/go-plugin v1.6.3 to go.mod

Medium priority:
- F-10: Wire sample-ssh-cert-extensions.json fixture into shellstream tests
- F-11: Cross-reference merkle proof depth limit (256 leaves) in governance spec
- F-12: Add YAML format clarification headers to deploy configs
- F-14: Expand README with project status, docs links, and quick-start

Low priority:
- F-15: Standardize "SSH SVID" → "SSH-SVID" terminology across docs
- F-16: Add GovernanceEpochSeconds to PluginConfig and deploy configs
- F-17: Add troubleshooting section to deployment.md, error handling to OIDC docs

Global: Rename all extension keys from @guildhouse.io to @guildhouse.dev

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-18 11:45:33 -05:00
Tyler King
3dc3e9ee37 Initial scaffolding: specs, plugins, pkg/shellstream 2026-02-18 10:47:09 -05:00