guildhouse-spire-plugins/cmd/ssh-credential-composer/main.go
Tyler King a58d548518 feat: network-policy extension, governance lifecycle, audit remediation
- Network-policy SPIRE plugin extension
- Governance event notification with merkle anchoring
- Shellstream specs for consent channels + HFL embedded ABI
- All 17 audit findings from AUDIT.md remediated
- SSH credential composer + substrate key manager updates
- Test coverage for config + sshcert packages

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 15:54:46 -04:00


// SSH Credential Composer — SPIRE CredentialComposer plugin.
//
// Runs in SPIRE Server. Intercepts SVID minting to generate SSH certificates
// with Shellstream governance extensions. Handles both SSH certificate creation
// and governance metadata injection in a single plugin.
package main
import (
"context"
"log"
"github.com/hashicorp/go-plugin"
"google.golang.org/grpc"
)
// handshakeConfig is the go-plugin handshake that main passes to plugin.Serve.
//
// In go-plugin the magic cookie is a launch sanity check (it stops the binary
// from being run directly by a user); it is not an authentication mechanism,
// so these values must not be treated as secrets or as proof of who started
// the plugin.
//
// NOTE(review): the host side is not visible in this file. Confirm that
// ProtocolVersion and the cookie key/value match what the SPIRE Server that
// loads this plugin expects.
var handshakeConfig = plugin.HandshakeConfig{
	ProtocolVersion:  1,
	MagicCookieKey:   "ServerAgent",
	MagicCookieValue: "GuildhouseSpire",
}
// SSHCredentialComposerPlugin implements plugin.GRPCPlugin for the credential composer.
//
// It is the value registered under "credential_composer" in main's plugin map.
type SSHCredentialComposerPlugin struct {
	// Embedded so the type also satisfies plugin.Plugin; the gRPC methods
	// defined on this type are the ones that carry the behaviour here.
	plugin.Plugin
	// Impl is the composer this plugin is meant to expose.
	// NOTE(review): GRPCServer in this file does not read Impl, so nothing
	// visible here connects the composer to the gRPC server.
	Impl *SSHCredentialComposer
}
// GRPCServer is the go-plugin hook called with the gRPC server that will
// serve this plugin. It logs one line and returns nil.
//
// NOTE(review): no service is registered on s and p.Impl is never used, even
// though the log line says "registered". As written, the process would
// advertise a credential composer that answers no RPCs; whether the host then
// fails closed or mints SVIDs without the SSH/governance data is not visible
// here and should be confirmed. Register the composer's service on s (and
// reject a nil p.Impl) before relying on this plugin.
func (p *SSHCredentialComposerPlugin) GRPCServer(broker *plugin.GRPCBroker, s *grpc.Server) error {
	const registeredMsg = "ssh-credential-composer: gRPC server registered"
	log.Println(registeredMsg)
	return nil
}
// GRPCClient is the client-side half of plugin.GRPCPlugin. This binary only
// serves the plugin, so no client is built: the method returns a nil client
// and a nil error.
//
// NOTE(review): presumably never called in the plugin process; a caller that
// did use it would receive a nil client without any error to signal that.
func (p *SSHCredentialComposerPlugin) GRPCClient(ctx context.Context, broker *plugin.GRPCBroker, c *grpc.ClientConn) (interface{}, error) {
	var client interface{} // deliberately left nil: no client implementation exists here
	return client, nil
}
// main wraps a zero-value SSHCredentialComposer in SSHCredentialComposerPlugin
// and hands it to go-plugin under the name "credential_composer", using
// handshakeConfig and plugin.DefaultGRPCServer.
//
// NOTE(review): the composer is created with no configuration in this file;
// if it needs signing keys or policy, confirm where those are loaded.
func main() {
	served := &SSHCredentialComposerPlugin{Impl: &SSHCredentialComposer{}}

	cfg := &plugin.ServeConfig{
		HandshakeConfig: handshakeConfig,
		Plugins:         map[string]plugin.Plugin{"credential_composer": served},
		GRPCServer:      plugin.DefaultGRPCServer,
	}
	plugin.Serve(cfg)
}