Governed infrastructure-operations profile and RExecOp domain package over GovEngine and SCLite.
Project description
Tecrax
Governed infrastructure-operations profile for RExecOp, using GovEngine governance and SCLite artifact truth.
Tecrax owns infrastructure intent vocabulary, connector semantics, bounded normalization, validation rules, runbooks, reactions, triggers and operator catalog metadata. RExecOp plans and executes; GovEngine admits; SCLite records evidence. Tecrax does not manage credentials, embed target topology, or accept arbitrary infrastructure commands.
Status
| Item | Value |
|---|---|
| Current source line | 0.3.21a0 (0.3.21-alpha) |
| Maturity | alpha — operator evaluation with documented limits |
| Latest PyPI | tecrax==0.3.21a0 |
| Source dependencies | govengine==0.16.11, sclite-core==1.0.9, rexecop==0.2.24a0 |
| Profile entry point | rexecop.profiles:tecrax |
| Active mutating intent | configure_chrony_ntp_server only |
| Public status | PUBLIC_STATUS.md |
Latest published PyPI baseline: tecrax==0.3.21a0; it contains the coordinated
B2 dependency floor and read-only policy vector.
What Tecrax provides
- RExecOp domain profile — bundled YAML profile with intents, workflows, connectors,
validation rules, finding taxonomy and escalation rules (entry point
rexecop.profiles:tecrax). - Local fixture review — dry-run proof slice without live infrastructure.
- B2 policy vector — profile-owned receipt, output-digest, timeout, step-count and output-size controls compiled and admitted by GovEngine, enforced by RExecOp.
- Operator catalog metadata — target kinds, required capabilities, side-effect classes, validation and runbook references projected by RExecOp from intent files; sanitized target-catalog example included.
- Deterministic reactions — monitoring-host findings map only to existing read-only
intents; healthy state is
no_op, unknown state escalates. - Bounded escalation proposals —
diagnose_monitoring_hostfacts project into untrusted SCLite proposal artifacts withmay_execute=false. - Source-line trigger rules — bounded
network.host_observedevents map known catalog targets to dry-runcollect_basic_host_inventoryplanning; unknown hosts escalate. - Governed mutation slice —
configure_chrony_ntp_serveris the only active apply operation, limited to a managed chrony config file and service restart with GovEngine admission.
Active intents (14)
| Group | Intent | Effect |
|---|---|---|
| Host inventory | collect_basic_host_inventory |
read-only SSH inventory |
| Host security | collect_host_security_posture_readonly |
read-only posture summary |
| NTP health | check_ntp_health, check_ntp_server_health |
read-only chrony/systemd checks |
| Container services | check_docker_services_health |
read-only systemd service state |
| Application health | check_zabbix_container_health, check_adguard_health, check_portainer_health |
read-only API/reachability |
| Zabbix summaries | collect_zabbix_problem_summary_readonly, collect_zabbix_host_availability_summary_readonly |
read-only bounded counts |
| Network devices | collect_network_device_inventory_readonly, assess_network_device_management_posture_readonly |
read-only legacy CLI inventory/posture |
| Diagnosis | diagnose_monitoring_host |
bounded aggregate over component checks |
| Mutation | configure_chrony_ntp_server |
governed chrony/NTP server apply |
Connectors in the active profile: SSH local readonly, Zabbix API, AdGuard, Portainer,
network-device CLI wrapper, and tecrax_chrony_ntp for the mutation slice.
Operator runbooks
Public-safe operator procedures live under docs/runbooks/. They document deployment,
readiness and validation gates; private addresses, credentials and target mappings stay
outside Git. See also docs/operation-catalog.md.
Stack ownership
Tecrax profile -> RExecOp plan -> GovEngine admission -> RExecOp execution -> SCLite evidence
| Layer | Owns |
|---|---|
| SCLite | Canonical evidence, receipts and review artifacts |
| GovEngine | Governance, PolicyEngine and admission decisions |
| RExecOp | Domain-neutral lifecycle, execution and deterministic reaction mechanics |
| Tecrax | Infrastructure intent, connector, normalization, validation and runbook semantics |
Live SSH execution is performed by RExecOp only from explicit operator configuration outside this package.
Install
Install the coordinated published line to register the current domain profile:
pip install "tecrax==0.3.21a0"
tecrax status
For an explicit cross-stack pin:
pip install "rexecop[tecrax]==0.2.24a0"
The profile root is exposed via tecrax:profile_root (directory src/tecrax/profile/).
Target and operation catalog
Tecrax intent files contain profile-owned operator catalog metadata. RExecOp derives the operation list from those same intent and workflow files; there is no second manually maintained operation registry.
Use the sanitized template in examples/catalogs/targets.readonly.example.yaml as
the shape for an operator-owned catalog outside Git:
rexecop targets list --catalog /path/outside/repo/targets.yaml
rexecop operations list --catalog /path/outside/repo/targets.yaml \
--target monitoring-host-01
An admission_required result means only that target kind, capabilities and
connectors match. GovEngine still decides whether a concrete plan may execute.
See docs/operation-catalog.md.
Deterministic reactions
Tecrax owns the monitoring vocabulary and rules in
src/tecrax/profile/reactions/reaction_pack.yaml. Build a canonical observation
from a bounded diagnose_monitoring_host result, then pass it to RExecOp:
tecrax reaction-observation \
--input diagnosis.json \
--operation op-source \
--target monitoring-host-01 > observation.json
rexecop reaction-plan \
--profile tecrax \
--env /path/outside/repo/environment.yaml \
--observation observation.json \
--target monitoring-host-01
The first reaction release is deliberately read-only. It can re-run bounded host inventory,
NTP, Docker service, Zabbix, AdGuard, Portainer, or network device inventory checks; a
healthy observation is no_op, and an unclassified state is escalate. RExecOp owns
deterministic mechanics and lifecycle, GovEngine owns admission, and SCLite owns the
evidence chain.
For operator review, Tecrax can also build a bounded untrusted escalation proposal from
the diagnosis facts. Validate it with rexecop reaction-proposal-validate; a valid proposal
still has may_execute=false and requires GovEngine admission before any future follow-up.
See docs/escalation-proposal-vectors.md.
Trigger rules
Tecrax declares domain trigger mappings in
src/tecrax/profile/triggers/trigger_rules.yaml. The initial source-line rule family
handles bounded network.host_observed events: a known host subject maps to a dry-run
collect_basic_host_inventory plan through an operator-owned target catalog; an unknown
host escalates and does not execute anything. RExecOp owns event intake, dedupe,
cooldown and planning mechanics. See docs/trigger-rules.md.
Local fixture proof
tecrax fixture-review --service demo-web
The command emits a public-safe fixture review payload. It uses GovEngine profile/planning/supervision/runtime-review contracts and binds its fixture receipt through an SCLite artifact descriptor. It has no live runner, host inventory, credential path, or infrastructure adapter.
The source 0.3.21-alpha line combines the profile-owned read-only reaction pack,
B2 policy vector, and the first governed chrony/NTP apply slice over RExecOp
0.2.24a0, GovEngine 0.16.11, and SCLite 1.0.9. It does not add a second
policy engine, lifecycle runner, or truth layer.
The Ubuntu environment example uses profile-owned policy semantics, but GovEngine compiles and admits the controls and RExecOp enforces them. Tecrax does not claim that writing obligations in YAML alone satisfies them.
configure_chrony_ntp_server is the only active mutating intent. It is deterministic,
requires GovEngine admission, uses the tecrax_chrony_ntp connector backend, and is
documented in docs/runbooks/chrony-ntp-server-mutation-runbook.md.
Validation
python scripts/validate_public_truth.py
python scripts/validate_active_profile.py
python scripts/validate_secret_topology.py
python -m pytest -q
The validator keeps domain semantics in Tecrax and lifecycle/execution in RExecOp. Any future mutation, credential, scheduler, discovery, or carrier-adapter claim must be backed by code and tests before it becomes public truth.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file tecrax-0.3.21a0.tar.gz.
File metadata
- Download URL: tecrax-0.3.21a0.tar.gz
- Upload date:
- Size: 162.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8eb0338f165a2dc13aaced5a8cd56f3b9a12a2a447b292c060114d4cf29307a1
|
|
| MD5 |
2f87ffcc61efbbbbe5835efc79763e8a
|
|
| BLAKE2b-256 |
1b4f1bf9a1cc7728110cc9f0cca2585d796c13717dbfbb4052be9768108b3641
|
File details
Details for the file tecrax-0.3.21a0-py3-none-any.whl.
File metadata
- Download URL: tecrax-0.3.21a0-py3-none-any.whl
- Upload date:
- Size: 83.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
76ec64f01cef7f7629b1275b81e6f6d4612f9fac1ef137890f8df1fa2428611a
|
|
| MD5 |
fa6541732ff6cdd9f7db68ec2b83bc82
|
|
| BLAKE2b-256 |
26b32dd544aac0b4d67d5801f9e377e877064e5b524e7881c1c4bd610a6c0aab
|