feat(stage7): broker-server vertical slice + three-role docs

[hanwencheng]

Summary

Resolves #58 phase 1 — the credential broker that lets app developers run daemons against operator infrastructure without holding any AWS keys. Phased per /plan-ceo-review:

• Q1 vertical slice — phase 1 ships POST /v1/mint-aws-creds end-to-end with real auth + audit. OIDC primitives (AssumeRoleWithWebIdentity + JWKS) deferred to phase 2 because they're independently blocked on the public-hosting prereq in docs/stage7-wip.md.
• Q2 separate crate — crates/agentkeys-broker-server/ rather than extending agentkeys-mock-server. Concerns differ; coupling chain-mock to AWS-broker would create an awkward operational surface.
• Q3 doc-first — docs/dev-setup.md rewrite + new docs/operator-runbook.md lead the change so reviewers see the framing before the code.

✅ Phase-1 e2e proven on real AWS

Operator ran the live three-terminal flow from docs/stage7-wip.md end-to-end against the production AWS account. Result of POST /v1/mint-aws-creds:

{
  "access_key_id": "ASIAWHZVNRHP52WKVY63",
  "expiration": 1777268187,
  "wallet": "0xcd6e718c072917b5468157766ad2860944d0120d"
}

ASIA… prefix + future expiration confirm real STS-issued temp credentials (not the long-lived daemon AKIA key, which never leaves the broker process). Audit row written to ~/.agentkeys/broker/audit.sqlite with outcome="ok" and the wallet attribution flowed through correctly.

The broker minted creds are drop-in compatible with the legacy scripts/stage6-demo-env.sh env-var shape, which means the existing OpenRouter scraper consumes them unchanged. Full provisioner-scripts rewiring (so the scraper calls the broker itself instead of a manual export) is the deferred phase-2 item.

Commits in this PR

Commit	Purpose
f4990f4	Initial vertical slice: new agentkeys-broker-server crate + three-role docs + daemon --broker-url flag
aba0dc3	/plan-eng-review follow-ups: mutex poison fix, silent-audit fix, plain-HTTP warn, microsecond suffix, tracing, startup STS check, graceful shutdown
7b0b6f5	Codex review follow-ups: audit column rename (requester_token → requester_token_hash), WAL+FULL pragmas, BackendError outcome variant, config parse strictness, reqwest + drain timeouts, SIGTERM expect()
f0960f6	docs/stage7-wip.md split into phase 1 (shipped) / phase 2 (deferred)
4e974dd	Remove 1Password CLI references from operator-facing docs in favor of ~/.zshenv pattern
ef892b8	Align broker env vars with existing ~/.zshenv convention: read DAEMON_ACCESS_KEY_ID / DAEMON_SECRET_ACCESS_KEY (matching scripts/stage6-demo-env.sh); derive BROKER_AGENT_ROLE_ARN from ACCOUNT_ID; fall back to REGION for AWS region

What's in the diff

docs/dev-setup.md                         | rewrite around 3 roles
docs/operator-runbook.md                  | NEW (start/supervise/rotate/audit, v0.1 scope)
docs/stage7-wip.md                        | restructured: phase 1 (shipped) + phase 2 (deferred)
crates/agentkeys-broker-server/           | NEW crate (axum)
  Cargo.toml                              |   axum 0.7, aws-sdk-sts 1, rusqlite (WAL+FULL), reqwest
  src/lib.rs                              |   create_router(state) → 4 routes
  src/main.rs                             |   --port / --bind / --skip-startup-check, graceful shutdown, non-loopback warn
  src/config.rs                           |   BrokerConfig::from_env() — DAEMON_* + ACCOUNT_ID derivation, REGION fallback
  src/state.rs                            |   AppState { config, http (with timeouts), audit, sts }
  src/error.rs                            |   BrokerError → IntoResponse (5 kinds)
  src/audit.rs                            |   AuditLog (SQLite WAL+FULL, sha256 token hash, last_row inspect API)
  src/auth.rs                             |   validate_bearer_token() → backend /session/validate
  src/sts.rs                              |   StsClient trait + AwsStsClient + StubStsClient (closure-backed, 3 factories)
  src/handlers/health.rs                  |   /healthz, /readyz (backend + STS probes)
  src/handlers/mint.rs                    |   POST /v1/mint-aws-creds (instrumented; record_outcome helper)
  tests/mint_flow.rs                      |   9 broker integration tests (mock-backend + stub STS)
crates/agentkeys-mock-server/             | + GET /session/validate endpoint
crates/agentkeys-daemon/src/main.rs       | + --broker-url / AGENTKEYS_BROKER_URL flag
Cargo.toml                                | + workspace member entry

Tests: 8 broker unit + 9 broker integration + 186 existing = 203 / 203 passing, no regressions.

Architecture (v0.1)

   developer                 operator host
   ─────────                 ──────────────
                           ┌─ agentkeys-broker-server
                           │    │
   agentkeys-daemon ──────────► POST /v1/mint-aws-creds
       (bearer token)      │    │
                           │    ├──► GET backend/session/validate
                           │    │       (validates bearer, returns wallet)
                           │    │
                           │    ├──► sts:AssumeRole
                           │    │     (uses DAEMON_ACCESS_KEY_ID +
                           │    │      DAEMON_SECRET_ACCESS_KEY from
                           │    │      operator's ~/.zshenv)
                           │    │       │
                           │    │       ▼
                           │    │   1h scoped temp creds
                           │    │
                           │    └──► AuditLog::record_mint() → SQLite (WAL+FULL)
                           │
                           └─ daemon AWS key — never leaves this process

The broker is stateless w.r.t. sessions — backend (mock-server in dev, chain in v0.2+) is the single source of truth for which bearer tokens are valid. The new GET /session/validate endpoint on mock-server is the join point. Trade-off: backend outage is transitive to broker (no cache); fine for v0.1 dev loop.

STS is trait-abstracted (StsClient) with an AwsStsClient for production and a StubStsClient (gated behind a test-stub feature) for integration tests. CI never hits AWS. The live test above is what validated the production path.

Operator UX — env var alignment

The operator's existing ~/.zshenv already had DAEMON_ACCESS_KEY_ID, DAEMON_SECRET_ACCESS_KEY, ACCOUNT_ID, and REGION from the Stage 6 setup. Phase-1 makes the broker read those same names so no ~/.zshenv edits are required to start using it. The only per-run env var the operator now needs is BROKER_BACKEND_URL. See docs/operator-runbook.md §3.1.

Acceptance criteria progress (issue #58)

• AC1 — Operator starts broker on a fresh laptop with daemon AWS keys in env. ✓ Verified live.
• AC2 — App developer runs the daemon with AGENTKEYS_BROKER_URL pointing at the operator's broker. The flag is wired; the consumer of the temp creds (provisioner-scripts) lands in phase 2.
• AC3 — End user flow unchanged. ✓ No CLI surface changes.
• AC4 — docs/dev-setup.md has three top-level role sections. ✓
• AC5 — docs/stage6-aws-setup.md no longer asks anyone except the operator to handle AWS keys. ✓ The dev-setup rewrite makes this implicit by routing developers to §4.
• AC6 — bash harness/stage-7-done.sh exits 0. Deferred to phase 4 (the harness file currently has Stage 0 + 5a only; cleaning it up before Stage 7 sign-off is its own piece of work).

Reviews run

• /plan-ceo-review — HOLD SCOPE; identified 3 forks (vertical slice / separate crate / doc-first), all addressed in commit f4990f4.
• /plan-eng-review — 11 findings; load-bearing 4 fixed in commit aba0dc3.
• Codex review — 9 findings; 6 fixed in commit 7b0b6f5, 3 deferred (cached caller_identity_ok for k8s probes, test-broker join-on-teardown, infallible from_keys constructor).
• Codex adversarial review — 9 architectural challenges (separate crate cost, phase-split logic, stateless-broker as SPOF, SQLite as audit store, premature trait abstraction, three-role doc framing, microsecond suffix necessity, FULL sync over-spec, phase-2 hosting drift). Verdict: phase-1 carries its own weight even if phase-2 slips, primary unaddressed concern is the backend-as-SPOF coupling (call out as known gap rather than fix in v0.1).

Test plan

• cargo build --workspace — clean.
• cargo test --workspace — 203 / 203 passing.
• cargo test -p agentkeys-broker-server --features test-stub — 17 broker tests (8 unit + 9 integration) pass against mock backend + stub STS.
• Live three-terminal e2e on real AWS — broker mints temp creds; ASIA prefix + future expiration confirmed; audit row written; wallet attribution correct.
• Operator review: confirm the DAEMON_* env-var alignment + ACCOUNT_ID-derived role ARN match the team's ~/.zshenv convention before merge.

Out of scope (deliberately deferred)

• OIDC half of Stage 7 (/.well-known/openid-configuration, /.well-known/jwks.json, POST /v1/mint-oidc-jwt, sts:AssumeRoleWithWebIdentity). Independently blocked on the public-hosting prereq from docs/stage7-wip.md. Phase 2 PR.
• TS services/oidc-stub/ retirement. Phase 2, once the OIDC half is in Rust.
• Provisioner-scripts integration. The daemon flag is wired; the consumer code that asks the broker for creds before reading from the operator's S3 bucket lands in phase 2 alongside the OIDC work.
• KMS-sealed config source for hosted shape. Interface-only; full implementation is hosted-deploy work.
• Bearer-token validation cache. Backend round-trip on every mint; acceptable for v0.1 dev workload (mints every ~55 min per daemon).
• Harness Stage 7 sign-off. Phase 4 — and the existing harness/features.json needs Stages 1-4+6 entries first.

Security notes

• Audit log stores sha256(bearer_token), never the raw token. Reasoning in docs/operator-runbook.md.
• Threat model — broker holds the long-lived AWS key, so a compromised broker host = unbounded AWS access for that role. v0.1 scope is "run the broker on a host you trust." TEE-backed hosting is the v0.2+ evolution per docs/spec/threat-model-key-custody.md.
• Session duration clamped to [900, 43200] seconds at config load time.
• STS session names sanitized — non-alphanumeric chars stripped, capped at 64 bytes, microsecond-suffixed for CloudTrail readability.
• Plain-HTTP bind to non-loopback emits a startup warning. Operators are expected to terminate TLS at a reverse proxy before exposing the broker beyond the host.

Related

• Issue #58 — Stage 7 broker server (this PR is phase 1).
• Issue #57 — Stage 8 off-chain vault (separate; pairs with this work post-Stage-7).
• PR #59 — threat model + dev-env bootstrap (the doc work this PR builds on).

🤖 Generated with Claude Code