feat(swarm): PKI module — self-managed CA for master/worker mTLS
decnet.swarm.pki provides:
- generate_ca() / ensure_ca() — self-signed root, PKCS8 PEM, 4096-bit.
- issue_worker_cert() — per-worker keypair + cert signed by the CA with serverAuth + clientAuth EKU so the same identity backs the agent's HTTPS endpoint AND the syslog-over-TLS upstream.
- write_worker_bundle() / load_worker_bundle() — persist with 0600 on private keys.
- fingerprint() — SHA-256 DER hex for master-side pinning.

tests/swarm/test_pki.py covers:
- CA idempotency on disk.
- Signed chain validates against CA subject.
- SAN population (DNS + IP).
- Bundle roundtrip with 0600 key perms.
- End-to-end mTLS handshake between two CA-issued peers.
- Cross-CA client rejection (handshake fails).
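The CA and worker-certificate flow the commit message describes, as an added example that is not decnet's own code. It uses the `cryptography` library (assumed installed); the function names `generate_ca`, `issue_worker_cert`, `write_worker_bundle` and `fingerprint` mirror the commit message, but the bodies here are illustrative, and the helpers `verify_issued_by`, `san_names` and `has_dual_eku` are assumptions added for checking. RSA key size defaults to 2048 to keep the example fast where the commit uses 4096.

```python
"""Added example, not decnet's code: self-managed CA + worker leaf certs.
Assumes the `cryptography` package is available."""
import datetime
import ipaddress
import os

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _key_usage(sign_certs: bool) -> x509.KeyUsage:
    # CA keys only sign certs/CRLs; leaf keys sign handshakes and wrap keys.
    return x509.KeyUsage(
        digital_signature=not sign_certs, content_commitment=False,
        key_encipherment=not sign_certs, data_encipherment=False,
        key_agreement=False, key_cert_sign=sign_certs, crl_sign=sign_certs,
        encipher_only=False, decipher_only=False,
    )


def generate_ca(common_name: str = "decnet-swarm-ca", key_size: int = 2048):
    """Self-signed root (CA=True, pathlen 0). Commit uses 4096-bit; 2048 here for speed."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(_key_usage(sign_certs=True), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_worker_cert(ca_key, ca_cert, worker_id: str, dns_names, ip_addrs, days: int = 90):
    """Per-worker keypair + leaf cert: CA=False, serverAuth+clientAuth EKU, DNS/IP SANs."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(datetime.timezone.utc)
    sans = [x509.DNSName(d) for d in dns_names]
    sans += [x509.IPAddress(ipaddress.ip_address(i)) for i in ip_addrs]
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, worker_id)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(_key_usage(sign_certs=False), critical=True)
        # One identity serves the agent's HTTPS endpoint and the TLS syslog client.
        .add_extension(x509.ExtendedKeyUsage(
            [ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
        .add_extension(x509.SubjectAlternativeName(sans), critical=False)
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(
            ca_cert.public_key()), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def fingerprint(cert) -> str:
    """SHA-256 over the DER encoding, hex, for master-side pinning."""
    return cert.fingerprint(hashes.SHA256()).hex()


def verify_issued_by(cert, ca_cert) -> bool:
    """Issuer/subject linkage plus signature check; a cert from another CA fails here."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return True


def san_names(cert):
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return (san.get_values_for_type(x509.DNSName),
            [str(ip) for ip in san.get_values_for_type(x509.IPAddress)])


def has_dual_eku(cert) -> bool:
    eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    return ExtendedKeyUsageOID.SERVER_AUTH in eku and ExtendedKeyUsageOID.CLIENT_AUTH in eku


def write_worker_bundle(directory: str, key, cert, ca_cert) -> dict:
    """Persist key (PKCS8 PEM, mode 0600 even if the file pre-existed) and certs."""
    key_path = os.path.join(directory, "worker.key")
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # O_CREAT mode is ignored for an existing file; enforce it
    with os.fdopen(fd, "wb") as f:
        f.write(key.private_bytes(serialization.Encoding.PEM,
                                  serialization.PrivateFormat.PKCS8,
                                  serialization.NoEncryption()))
    paths = {"key": key_path}
    for name, c in (("worker.crt", cert), ("ca.crt", ca_cert)):
        p = os.path.join(directory, name)
        with open(p, "wb") as f:
            f.write(c.public_bytes(serialization.Encoding.PEM))
        paths[name.split(".")[0]] = p
    return paths
```

Pinning the CA fingerprint on the master and rejecting any leaf whose issuer does not chain to it is what makes the cross-CA rejection meaningful; the `verify_issued_by` check above is the offline equivalent of the handshake failure the test suite exercises.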
7
decnet/swarm/__init__.py
Normal file
@@ -0,0 +1,7 @@
|
||||
"""DECNET SWARM — multihost deployment subsystem.
|
||||
|
||||
Components:
|
||||
* ``pki`` — X.509 CA + CSR signing used by all swarm mTLS channels
|
||||
* ``client`` — master-side HTTP client that talks to remote workers
|
||||
* ``log_forwarder``— worker-side syslog-over-TLS (RFC 5425) forwarder
|
||||
"""
|
||||
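Review bot: The docstring advertises `client` and `log_forwarder` components, but this commit's file list contains only `decnet/swarm/__init__.py` (7 lines), and the commit message describes `pki` functions and `tests/swarm/test_pki.py` that are not in the diff either; either trim the docstring to what the package contains at this commit or include the modules it lists. Minor: the `log_forwarder` bullet is missing the space before the dash that the other two bullets have (`* ``log_forwarder``— worker-side` vs `* ``pki`` — X.509`).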