autonomy ros2 keystore

Manage SROS 2 keystores for the governed bridge (#938 Phase 3-A)

Synopsis

Manage SROS 2 keystores that anchor DDS-Security identities for the
governed bridge (#938 Phase 3 defense-in-depth on top of the application-layer
per-message governance from #913 Phase 2 / #939 4-A).

Two subcommands:

  init <dir>
      Create a keystore root at <dir> containing the trusted CA cert,
      its private key, and the governance.xml/governance.p7s that bind
      the keystore's policy scope. Wraps "ros2 security create_keystore".

  mint --keystore <dir> <node-name>
      Mint a per-node enclave (identity cert + key + permissions stub)
      under <dir>/enclaves/<node-name>/. The cert chains to the
      keystore's CA. Use this to provision the bridge's real-domain
      identity, the bridge's agent-domain identity, and each launched
      node's identity. Wraps "ros2 security create_enclave".

This PR lands ONLY the keystore tooling. Wiring the keystore into the
bridge spawn + RunGoverned (ROS_SECURITY_KEYSTORE, ROS_SECURITY_ENABLE,
ROS_SECURITY_STRATEGY) is the next phase (3-B). Permissions XML
synthesis from the policy bundle is 3-C.
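
An added example, not part of the autonomy CLI or this page: a POSIX shell audit of a keystore after init and mint, checking that the pieces listed above exist and that private keys are closed to group and other. The file names are the SROS 2 defaults and are assumed here, as are the function names; VERIFY_CHAIN=1 additionally checks with openssl that each enclave cert chains to the keystore CA.

```shell
#!/bin/sh
# Added example: audit a keystore produced by "init" and "mint".
# Assumption: file names follow the SROS 2 default keystore layout
# (public/, private/, enclaves/); they are not taken from this page.
# Usage (after sourcing): audit_keystore <dir> <node-name>...

# private_ok FILE: succeed only if FILE exists and has no group/other bits.
private_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -ldL "$1" | cut -c5-10)   # group+other part of the mode string
    [ "$mode" = "------" ]
}

# audit_keystore DIR NODE...: print one line per finding; return 1 if any.
audit_keystore() {
    ks=$1; shift
    rc=0
    # Keystore root: trusted CA cert plus the governance document and signature.
    for f in public/ca.cert.pem enclaves/governance.xml enclaves/governance.p7s; do
        [ -f "$ks/$f" ] || { echo "MISSING $f"; rc=1; }
    done
    # The CA key can mint any identity, so it must stay private.
    private_ok "$ks/private/ca.key.pem" \
        || { echo "KEY private/ca.key.pem missing or open to group/other"; rc=1; }
    for node in "$@"; do
        enc="$ks/enclaves/$node"
        for f in cert.pem permissions.xml; do
            [ -f "$enc/$f" ] || { echo "MISSING enclaves/$node/$f"; rc=1; }
        done
        private_ok "$enc/key.pem" \
            || { echo "KEY enclaves/$node/key.pem missing or open to group/other"; rc=1; }
        # Optional: confirm the identity cert chains to the keystore CA.
        if [ "${VERIFY_CHAIN:-0}" = 1 ] && [ -f "$enc/cert.pem" ]; then
            openssl verify -CAfile "$ks/public/ca.cert.pem" "$enc/cert.pem" \
                >/dev/null 2>&1 \
                || { echo "CHAIN enclaves/$node/cert.pem does not verify"; rc=1; }
        fi
    done
    return $rc
}
```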

Subcommands

See also

  • autonomy ros2 — Execute governed ROS2 commands under AutonomyOps policy