Skip to main content

Governed infrastructure-operations profile and RExecOp domain package over GovEngine and SCLite.

Project description

Tecrax

Tecrax is a governed infrastructure-operations profile for RExecOp, using GovEngine governance and SCLite artifact truth.

Current source line: tecrax==0.3.8a0, depending on govengine==0.16.5, sclite-core==1.0.8, and rexecop==0.2.11a0. Latest published PyPI baseline: tecrax==0.3.8a0; it contains the coordinated B2 dependency floor and policy vector.

This package provides:

  • RExecOp domain profile — bundled YAML profile with intents, workflows, connectors, and validation rules (entry point rexecop.profiles:tecrax).
  • Local fixture review — dry-run proof slice without live infrastructure.
  • Read-only host inventory profile — fixed SSH command shapes and bounded normalization for operator-configured Ubuntu inventory, with a sanitized GovEngine B2 policy-control example for receipt, digest, timeout, step and output bounds.
  • Verified read-only service slices — NTP synchronization and Docker systemd service health over fixed SSH commands, plus bounded Zabbix API version health through RExecOp http_api, AdGuard DNS/login reachability, and unauthenticated Portainer status through verified TLS.
  • Read-only network device inventory slice — bounded legacy CLI inventory through an operator-managed local wrapper; target addresses, keys and wrapper implementation stay outside the repository.
  • Monitoring-host reaction pack — deterministic domain findings map only to existing read-only intents; unknown states escalate without a free-form action.
  • Bounded escalation proposal vectorsdiagnose_monitoring_host facts can be projected into untrusted SCLite proposal artifacts that never grant execution.
  • Source-line trigger rules — bounded network.host_observed events can map a known catalog target to collect_basic_host_inventory planning, while unknown hosts escalate without execution.
  • Operator catalog metadata — target kinds, required capabilities, side-effect classes, validation references and runbook references projected by RExecOp from the profile; sanitized target-catalog example included.

It does not execute infrastructure changes or manage credentials. Live SSH execution is performed by RExecOp only from explicit operator configuration outside this package.

Stack ownership:

Tecrax profile -> RExecOp plan -> GovEngine admission -> RExecOp execution -> SCLite evidence
  • SCLite owns canonical evidence, receipts and review artifacts.
  • GovEngine owns governance, PolicyEngine and admission decisions.
  • RExecOp owns domain-neutral lifecycle, execution and deterministic reaction mechanics.
  • Tecrax owns infrastructure intent, connector, normalization, validation and runbook semantics.

RExecOp profile

Install the coordinated published line to register the current domain profile:

pip install "tecrax==0.3.8a0"
tecrax status

For an explicit cross-stack pin, pip install "rexecop[tecrax]==0.2.11a0" resolves the same coordinated release line.

The profile root is exposed via tecrax:profile_root (directory src/tecrax/profile/). For network devices, see docs/network-device-readonly-runbook.md; real target configuration and legacy SSH compatibility wrappers stay outside this repository.

Target and operation catalog

Tecrax intent files contain profile-owned operator catalog metadata. RExecOp derives the operation list from those same intent and workflow files; there is no second manually maintained operation registry.

Use the sanitized template in examples/catalogs/targets.readonly.example.yaml as the shape for an operator-owned catalog outside Git:

rexecop targets list --catalog /path/outside/repo/targets.yaml
rexecop operations list --catalog /path/outside/repo/targets.yaml \
  --target monitoring-host-01

An admission_required result means only that target kind, capabilities and connectors match. GovEngine still decides whether a concrete plan may execute. See docs/operation-catalog.md.

Deterministic reactions

Tecrax owns the monitoring vocabulary and rules in src/tecrax/profile/reactions/reaction_pack.yaml. Build a canonical observation from a bounded diagnose_monitoring_host result, then pass it to RExecOp:

tecrax reaction-observation \
  --input diagnosis.json \
  --operation op-source \
  --target monitoring-host-01 > observation.json

rexecop reaction-plan \
  --profile tecrax \
  --env /path/outside/repo/environment.yaml \
  --observation observation.json \
  --target monitoring-host-01

The first release is deliberately read-only. It can re-run bounded host inventory, NTP, Docker service, Zabbix, AdGuard, Portainer, or network device inventory checks; a healthy observation is no_op, and an unclassified state is escalate. RExecOp owns deterministic mechanics and lifecycle, GovEngine owns admission, and SCLite owns the evidence chain. For operator review, Tecrax can also build a bounded untrusted escalation proposal from the diagnosis facts. Validate it with rexecop reaction-proposal-validate; a valid proposal still has may_execute=false and requires GovEngine admission before any future follow-up. See docs/escalation-proposal-vectors.md.

Trigger rules

Tecrax declares domain trigger mappings in src/tecrax/profile/triggers/trigger_rules.yaml. The initial source-line rule family handles bounded network.host_observed events: a known host subject maps to a dry-run collect_basic_host_inventory plan through an operator-owned target catalog; an unknown host escalates and does not execute anything. RExecOp owns event intake, dedupe, cooldown and planning mechanics. See docs/trigger-rules.md.

Local fixture proof

tecrax fixture-review --service demo-web

The command emits a public-safe fixture review payload. It uses GovEngine profile/planning/supervision/runtime-review contracts and binds its fixture receipt through an SCLite artifact descriptor. It has no live runner, host inventory, credential path, or infrastructure adapter.

The published 0.3.8-alpha line combines the profile-owned read-only reaction pack and B2 policy vector over RExecOp 0.2.11a0, GovEngine 0.16.5, and SCLite 1.0.8. It does not add a second policy engine, lifecycle runner, or truth layer.

The Ubuntu environment example uses profile-owned policy semantics, but GovEngine compiles and admits the controls and RExecOp enforces them. Tecrax does not claim that writing obligations in YAML alone satisfies them.

Validation

python scripts/validate_public_truth.py
python scripts/validate_active_profile.py
python scripts/validate_secret_topology.py
python -m pytest -q

The validator keeps domain semantics in Tecrax and lifecycle/execution in RExecOp. Any future mutation, credential, scheduler, discovery, or carrier-adapter claim must be backed by code and tests before it becomes public truth.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tecrax-0.3.8a0.tar.gz (81.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

tecrax-0.3.8a0-py3-none-any.whl (68.8 kB view details)

Uploaded Python 3

File details

Details for the file tecrax-0.3.8a0.tar.gz.

File metadata

  • Download URL: tecrax-0.3.8a0.tar.gz
  • Upload date:
  • Size: 81.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.4

File hashes

Hashes for tecrax-0.3.8a0.tar.gz
Algorithm Hash digest
SHA256 b0171b7a8664970430aaf85cd4b4c35a5197789a0d0e575497d62be5212861d6
MD5 299ca03f26e8d2d9f2e7ee6d878e57e2
BLAKE2b-256 98d7d95ae0ed328469f05becb3a61af337490453144e0c190b0aa60da8ec4ff8

See more details on using hashes here.

File details

Details for the file tecrax-0.3.8a0-py3-none-any.whl.

File metadata

  • Download URL: tecrax-0.3.8a0-py3-none-any.whl
  • Upload date:
  • Size: 68.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.4

File hashes

Hashes for tecrax-0.3.8a0-py3-none-any.whl
Algorithm Hash digest
SHA256 fb25abc4598ac5796555ffc12faf3b77f8fbedd70b9f11d22967afbffc57450e
MD5 010227260ded27dbe9fd5e4963dbc785
BLAKE2b-256 e0a36e5568ee2dc419ccc67bec931e2fdd23f0336bc40aca96190c769d7b7f77

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page