Critical fixes:
- F-01: SatScope array form support (single pointer → slice with polymorphic JSON)
- F-02: Add governance-intent@guildhouse.dev as 10th Shellstream extension
- F-06: Replace os.Exit(1) stubs with go-plugin Serve() boilerplate in all cmd/
- F-13: Validate SatScope.ResourcePattern is non-empty

High priority:
- F-03: Add normative Accord policy syntax note to credential-governance.md §8.2
- F-04: Replace OID XXXXX placeholder with explicit PEN reference and IANA TODO
- F-05: Document CredentialComposer hook mapping in spec and plugin-types.md
- F-07/F-08: Commit CI pipeline (.github/workflows/ci.yaml)
- F-09: Add hashicorp/go-plugin v1.6.3 to go.mod

Medium priority:
- F-10: Wire sample-ssh-cert-extensions.json fixture into shellstream tests
- F-11: Cross-reference merkle proof depth limit (256 leaves) in governance spec
- F-12: Add YAML format clarification headers to deploy configs
- F-14: Expand README with project status, docs links, and quick-start

Low priority:
- F-15: Standardize "SSH SVID" → "SSH-SVID" terminology across docs
- F-16: Add GovernanceEpochSeconds to PluginConfig and deploy configs
- F-17: Add troubleshooting section to deployment.md, error handling to OIDC docs

Global: Rename all extension keys from @guildhouse.io to @guildhouse.dev

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
23 lines
1 KiB
Go
package main

// SSHCredentialComposer implements the SPIRE CredentialComposer plugin interface.
//
// This is a merged plugin that handles both SSH certificate generation and
// Shellstream extension injection. In SPIRE's model, CredentialComposer plugins
// can modify credentials during the minting pipeline.
//
// The plugin:
// - Creates an SSH user certificate with the SPIFFE ID as the primary principal
// - Embeds Shellstream @guildhouse.dev extensions carrying governance metadata
// - Signs the certificate using the SSH CA key (from KeyManager)
// - Returns the certificate as part of the composed credential bundle
//
// This was originally designed as two separate plugins (ssh-svid-handler and
// shellstream-composer) but merged because both are CredentialComposer plugins
// performing conceptually one operation.
type SSHCredentialComposer struct {
	// TODO: add fields
	// - sshcert.Builder for certificate construction
	// - governance.Client for fetching current governance state
	// - config for trust domain, default TTL, etc.
}
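The doc comment above lists the four steps the composer performs (SPIFFE ID as principal, @guildhouse.dev extensions, CA signature, return of the certificate) but the struct is still a stub. The following is an added, stand-alone example, not code from this repository or from SPIRE: it hand-encodes an OpenSSH ed25519 user certificate (the `ssh-ed25519-cert-v01@openssh.com` wire format) with the standard library only, so the reader can see exactly which bytes the CA signs and how governance metadata sits in the extensions field, and then verifies such a certificate with the signature key pinned to the expected CA. The function names `composeSSHUserCert`, `verifySSHUserCert`, `packExtensions`, `packStrings`, `readString` and `writeString` are hypothetical, the keys are generated in-process instead of coming from a KeyManager, and the only extension name used is `governance-intent@guildhouse.dev` from the commit message with a constructed value.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"sort"
	"time"
)

func writeString(buf *bytes.Buffer, b []byte) { // SSH "string": uint32 big-endian length, then bytes
	binary.Write(buf, binary.BigEndian, uint32(len(b)))
	buf.Write(b)
}

func packStrings(ss ...string) []byte { // concatenated SSH strings: key blobs, signature blobs, name lists
	var buf bytes.Buffer
	for _, s := range ss {
		writeString(&buf, []byte(s))
	}
	return buf.Bytes()
}

func readString(b []byte) (val, rest []byte, ok bool) { // one SSH string; rejects a length past the input
	if len(b) < 4 || uint64(len(b)-4) < uint64(binary.BigEndian.Uint32(b)) {
		return nil, nil, false
	}
	n := binary.BigEndian.Uint32(b)
	return b[4 : 4+n], b[4+n:], true
}

// packExtensions encodes the extensions field: names in lexical order (OpenSSH rejects
// unsorted names), each followed by its data, which is itself an SSH string when non-empty.
func packExtensions(ext map[string]string) []byte {
	names := make([]string, 0, len(ext))
	for n := range ext {
		names = append(names, n)
	}
	sort.Strings(names)
	var buf bytes.Buffer
	for _, n := range names {
		writeString(&buf, []byte(n))
		if ext[n] == "" {
			writeString(&buf, nil) // flag-style extension such as permit-pty
		} else {
			writeString(&buf, packStrings(ext[n]))
		}
	}
	return buf.Bytes()
}

// composeSSHUserCert (hypothetical name) builds and CA-signs an ssh-ed25519 user certificate
// whose key ID and only principal is the SPIFFE ID; governance metadata travels as extensions.
func composeSSHUserCert(caPriv ed25519.PrivateKey, subjectPub ed25519.PublicKey, spiffeID string,
	serial uint64, ttl time.Duration, governance map[string]string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	now := time.Now()
	var buf bytes.Buffer
	writeString(&buf, []byte("ssh-ed25519-cert-v01@openssh.com"))
	writeString(&buf, nonce)
	writeString(&buf, subjectPub) // raw 32-byte subject public key
	binary.Write(&buf, binary.BigEndian, serial)
	binary.Write(&buf, binary.BigEndian, uint32(1)) // certificate type 1 = user
	writeString(&buf, []byte(spiffeID))             // key ID: what sshd logs on auth
	writeString(&buf, packStrings(spiffeID))        // valid principals
	binary.Write(&buf, binary.BigEndian, uint64(now.Unix()))
	binary.Write(&buf, binary.BigEndian, uint64(now.Add(ttl).Unix()))
	writeString(&buf, nil) // critical options: none
	writeString(&buf, packExtensions(governance))
	writeString(&buf, nil) // reserved
	writeString(&buf, packStrings("ssh-ed25519", string(caPriv.Public().(ed25519.PublicKey)))) // signature key
	sig := ed25519.Sign(caPriv, buf.Bytes())                                                   // covers every field above
	writeString(&buf, packStrings("ssh-ed25519", string(sig)))
	return buf.Bytes(), nil
}

// verifySSHUserCert walks the fixed field layout to find the signature, pins the embedded
// signature key to the expected CA, and verifies the signature over everything before it.
func verifySSHUserCert(cert []byte, caPub ed25519.PublicKey) bool {
	rest, sigKey, ok := cert, []byte(nil), false
	for _, w := range []int{0, 0, 0, 8, 4, 0, 0, 8, 8, 0, 0, 0, 0} { // 0 = SSH string, else byte width
		if w == 0 {
			if sigKey, rest, ok = readString(rest); !ok {
				return false
			}
		} else if len(rest) < w {
			return false
		} else {
			rest = rest[w:]
		}
	}
	sigBlob, tail, ok := readString(rest) // final field; rest still marks where the signature starts
	algo, sigRest, ok2 := readString(sigBlob)
	sig, _, ok3 := readString(sigRest)
	return ok && ok2 && ok3 && len(tail) == 0 && string(algo) == "ssh-ed25519" &&
		bytes.Equal(sigKey, packStrings("ssh-ed25519", string(caPub))) &&
		len(caPub) == ed25519.PublicKeySize && ed25519.Verify(caPub, cert[:len(cert)-len(rest)], sig)
}
```

A real plugin would use `ssh.Certificate` and `SignCert` from `golang.org/x/crypto/ssh` and obtain the CA signer from SPIRE's KeyManager rather than encoding by hand; the point of the manual encoding is that the signature covers every field up to and including the signature key, so principals, validity window and the @guildhouse.dev extensions cannot be altered after signing, and a verifier that does not pin the embedded signature key to its trusted CA would accept a certificate signed by any key. On the sshd side, `TrustedUserCAKeys` together with an `AuthorizedPrincipalsFile` mapping is what turns the SPIFFE ID principal into an accepted login.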