autonomy ros2 keystore mint

Mint a per-node SROS 2 enclave under --keystore

Synopsis

Mint a per-node enclave (identity cert + key + permissions stub) under
the keystore root specified by --keystore. Wraps:
  ros2 security create_enclave <keystore-root> <node-name>

The enclave directory lands at <keystore-root>/enclaves/<node-name>/ and
contains:
  cert.pem           identity cert (chains to the keystore CA)
  key.pem            identity private key — secret material
  permissions.xml    permissions stub; 3-C will synthesize the real
                     permissions from the policy bundle
  permissions.p7s    signed permissions blob (matches permissions.xml)

The <node-name> MUST start with '/' per the SROS 2 convention; an
illegal name returns ErrInvalidEnclaveName before any ros2 invocation
so the failure surfaces here, not as a cryptic DDS error later.

Canonical names this fleet uses (for orientation; not enforced here):
  /governed_ros2_bridge_real    bridge identity on the real domain
  /governed_ros2_bridge_agent   bridge identity on the agent domain
  /<workload_node>              one per launched node (3-B will inject
                                ROS_SECURITY_KEYSTORE so the launched
                                subprocess picks up its enclave)

Prereq: ros-humble-ros-base on the host (see init --help for why
keystore commands run native).

Example:
  autonomy ros2 keystore mint --keystore /var/lib/autonomyops/ros2-keystore \
      /governed_ros2_bridge_real
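
An added post-mint check, not part of the autonomy CLI or of this page's own examples: it audits the enclave layout listed above, refuses names without the leading '/', flags a key.pem that group or other can access, and confirms that cert.pem chains to the keystore CA. The helper name audit_enclave, the '..' guard, and the CA path <keystore-root>/public/ca.cert.pem (stock sros2 keystore layout) are assumptions.

```shell
#!/bin/sh
# Added example: audit one minted enclave. audit_enclave is a hypothetical helper.
# Usage: audit_enclave <keystore-root> <node-name>   (returns 0 = ok, 1 = findings)
audit_enclave() {
    ks=$1; node=$2; rc=0

    case $node in
        *..*) echo "refusing '..' in node name: $node" >&2; return 1 ;;  # this example's own guard
        /*)   ;;                                                         # page rule: leading '/'
        *)    echo "invalid enclave name (must start with '/'): $node" >&2; return 1 ;;
    esac

    enc="$ks/enclaves$node"
    [ -d "$enc" ] || { echo "missing enclave dir: $enc" >&2; return 1; }

    # The four files the page lists must exist and be non-empty.
    for f in cert.pem key.pem permissions.xml permissions.p7s; do
        [ -s "$enc/$f" ] || { echo "missing or empty: $enc/$f" >&2; rc=1; }
    done

    # key.pem is secret material: flag any group/other permission bit.
    loose=$(find "$enc/key.pem" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)
    [ -z "$loose" ] || { echo "key.pem accessible to group/other: $loose" >&2; rc=1; }

    # cert.pem should chain to the keystore CA. The CA path is an assumption
    # (stock sros2 layout); the check is skipped if it or openssl is absent.
    ca="$ks/public/ca.cert.pem"
    if [ -s "$enc/cert.pem" ] && [ -f "$ca" ] && command -v openssl >/dev/null 2>&1; then
        openssl verify -CAfile "$ca" "$enc/cert.pem" >/dev/null 2>&1 ||
            { echo "cert.pem does not chain to $ca" >&2; rc=1; }
    fi
    return "$rc"
}

# Run directly: sh audit.sh <keystore-root> <node-name>
if [ "$#" -eq 2 ]; then audit_enclave "$1" "$2"; fi
```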

Usage

autonomy ros2 keystore mint <node-name> [flags]

Options

      --keystore dir   dir path to the keystore root (created by "autonomy ros2 keystore init")

See also