azcomputerguru/guru-connect
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix(agent): point Phase B fail-fast guard at SPEC-018
Some checks failed
Build and Test / Build Agent (Windows) (push) Failing after 11m16s
Details
Build and Test / Build Server (Linux) (push) Successful in 12m22s
Details
Build and Test / Security Audit (push) Successful in 8m19s
Details
Build and Test / Build Summary (push) Has been skipped
Details

Browse Source 
The SPEC-016 Phase B credential-store guard referenced "SPEC-017" for the
forthcoming SYSTEM service host, but 017 is now Mike's end-user-access
spec; the service host is SPEC-018. Comment + error-string text only, no
logic change.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Mike Swanson
2026-06-02 13:13:13 -07:00
parent 94c07c2431
commit 55b9c97b28
2 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
agent/src/credential_store.rs
View File

@@ -146,7 +146,7 @@ pub fn store_cak(cak: &str) -> Result<()> {
"[ENROLL] wrote the credential store but cannot read it back in THIS security \
context (access denied). The store is ACL'd to SYSTEM + Administrators by \
design; the managed agent must run as the GuruConnect SYSTEM service (see \
SPEC-017) to read it. Refusing to leave an unreadable store behind."
SPEC-018) to read it. Refusing to leave an unreadable store behind."
)),
Err(e) => Err(anyhow::Error::new(e)
.context("stored the credential but the immediate read-back verification failed")),

4
agent/src/main.rs
View File

@@ -373,7 +373,7 @@ async fn resolve_agent_credential(config: &mut config::Config) -> Result<()> {
// for the target (Option A) and is deliberately kept.
//
// NOTE: this guard is satisfied/removed once the GuruConnect SYSTEM
// service host lands (separate spec, SPEC-017) and the agent always
// service host lands (separate spec, SPEC-018) and the agent always
// runs as SYSTEM — at which point the store is always readable.
Err(LoadCakError::Io {
permission_denied: true,
@@ -382,7 +382,7 @@ async fn resolve_agent_credential(config: &mut config::Config) -> Result<()> {
return Err(anyhow::anyhow!(
"[ENROLL] credential store is not accessible in this context \
({source}) — the managed agent must run as the GuruConnect SYSTEM \
service (see SPEC-017). Refusing to re-enroll."
service (see SPEC-018). Refusing to re-enroll."
));
}
// M1 — other IO error reaching the store (not access-denied): also