diff --git a/agent/src/credential_store.rs b/agent/src/credential_store.rs
index 8dd0420..574fb12 100644
--- a/agent/src/credential_store.rs
+++ b/agent/src/credential_store.rs
@@ -146,7 +146,7 @@ pub fn store_cak(cak: &str) -> Result<()> {
 "[ENROLL] wrote the credential store but cannot read it back in THIS security \
 context (access denied). The store is ACL'd to SYSTEM + Administrators by \
 design; the managed agent must run as the GuruConnect SYSTEM service (see \
- SPEC-017) to read it. Refusing to leave an unreadable store behind."
+ SPEC-018) to read it. Refusing to leave an unreadable store behind."
 )),
 Err(e) => Err(anyhow::Error::new(e)
 .context("stored the credential but the immediate read-back verification failed")),
diff --git a/agent/src/main.rs b/agent/src/main.rs
index fe6dc2d..5c2fb55 100644
--- a/agent/src/main.rs
+++ b/agent/src/main.rs
@@ -373,7 +373,7 @@ async fn resolve_agent_credential(config: &mut config::Config) -> Result<()> {
 // for the target (Option A) and is deliberately kept.
 //
 // NOTE: this guard is satisfied/removed once the GuruConnect SYSTEM
- // service host lands (separate spec, SPEC-017) and the agent always
+ // service host lands (separate spec, SPEC-018) and the agent always
 // runs as SYSTEM — at which point the store is always readable.
 Err(LoadCakError::Io {
 permission_denied: true,
@@ -382,7 +382,7 @@ async fn resolve_agent_credential(config: &mut config::Config) -> Result<()> {
 return Err(anyhow::anyhow!(
 "[ENROLL] credential store is not accessible in this context \
 ({source}) — the managed agent must run as the GuruConnect SYSTEM \
- service (see SPEC-017). Refusing to re-enroll."
+ service (see SPEC-018). Refusing to re-enroll."
 ));
 }
 // M1 — other IO error reaching the store (not access-denied): also