feat: add plan-to-policy cmd & fix SPIRE model discovery, attestation signing, and verification#11
Conversation
SignCollection now wraps the attestation collection in an in-toto Statement v1 before signing, matching what the verifier expects. Sign now embeds the PEM-encoded leaf certificate in the envelope so the verifier can validate the signature chain to the CA root. Verifier updated to parse leaf certs from the signature field.
Signed-off-by: Rahul Vishwakarma <rahulvs2809@gmail.com>
# Conflicts: # internal/hooks/handler_sublayout_test.go # internal/state/propagation_test.go
Docs Preview
|
Code ReviewCRITICAL: Embedded Certificate Trust Bypass (
|
Signed-off-by: Rahul Vishwakarma <rahulvs2809@gmail.com>
plan-to-policy: New
aflock plan-to-policycommand that converts Claude plan markdown files into.aflockpolicies with deterministic steps and AI evaluators forspec-driven development
claude-opus-4-6to TrustedModels and fixed fallback whensessions-index.jsonis missing — model was showing asunknown@0.0.0SignCollectionnow wraps collections in in-toto Statement v1 (was sending raw collection), andSignembeds the leaf certificateso
verifycan validate the chain to the SPIRE CA rootTest plan
aflock plan-to-policyparses plan markdown and generates valid.aflockpolicyclaude-opus-4-6from session files withoutsessions-index.jsonbash(attest=true, step='lint/test/build')creates properly signed in-toto attestationssign_attestationworks with SPIRE connectedaflock verify --policy .aflockreturnssuccess: truewith all 3 steps verified