tecrax 0.2.2a0__tar.gz → 0.3.2a0__tar.gz

{tecrax-0.2.2a0 → tecrax-0.3.2a0}/.github/workflows/ci.yml

@@ -20,6 +20,10 @@ jobs:
         python-version: ['3.11', '3.12']
     steps:
       - uses: actions/checkout@v6
+      - uses: actions/checkout@v6
+        with:
+          repository: rozmiarD/RExecOP
+          path: rexecop
       - uses: actions/setup-python@v6
         with:
           python-version: ${{ matrix.python-version }}
@@ -28,6 +32,7 @@ jobs:
           python -m pip install --upgrade pip
           python -m pip install "sclite-core @ git+https://github.com/rozmiarD/SCLite.git@main"
           python -m pip install "govengine @ git+https://github.com/rozmiarD/GovEngine.git@main"
+          python -m pip install -e ./rexecop
           python -m pip install -e '.[dev]'
       - name: Validate public truth
         run: python scripts/validate_public_truth.py

{tecrax-0.2.2a0 → tecrax-0.3.2a0}/PKG-INFO

@@ -1,7 +1,7 @@
 Metadata-Version: 2.4
 Name: tecrax
-Version: 0.2.2a0
-Summary: Dry-run local-fixture infrastructure-operations profile over GovEngine and SCLite.
+Version: 0.3.2a0
+Summary: Governed infrastructure-operations profile and RExecOp domain package over GovEngine and SCLite.
 Project-URL: Homepage, https://github.com/rozmiarD/tecrax
 Project-URL: Repository, https://github.com/rozmiarD/tecrax
 Author: Krzysztof Probola
@@ -17,22 +17,30 @@ Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Topic :: System :: Systems Administration
 Requires-Python: >=3.11
-Requires-Dist: govengine<0.12,>=0.11.0a0
-Requires-Dist: sclite-core<0.9,>=0.8.0a0
+Requires-Dist: govengine<0.15,>=0.12.2a0
+Requires-Dist: rexecop<0.3,>=0.2.2a0
+Requires-Dist: sclite-core<1.1,>=1.0.1
 Provides-Extra: dev
 Requires-Dist: pytest<9,>=8; extra == 'dev'
+Provides-Extra: fixture
+Requires-Dist: rexecop<0.2,>=0.1.2a0; extra == 'fixture'
 Description-Content-Type: text/markdown
 
 # Tecrax
 
 Tecrax is a governed infrastructure-operations runtime/profile built on GovEngine and SCLite.
 
-Current source/package baseline: `tecrax==0.2.2a0`, depending on
-`govengine>=0.11.0a0,<0.12` and `sclite-core>=0.8.0a0,<0.9`.
+Current published baseline: `tecrax==0.3.2a0`, depending on
+`govengine>=0.12.2a0,<0.15`, `sclite-core>=1.0.1,<1.1`, and `rexecop>=0.2.2a0,<0.3`.
 
-This repository/package contains a dry-run/local-fixture profile slice. It still
-does not execute infrastructure changes, connect to hosts, manage credentials,
-or provide production operational capability.
+This package provides:
+
+- **RExecOp domain profile** — bundled YAML profile with intents, workflows, connectors,
+  and validation rules (entry point `rexecop.profiles:tecrax`).
+- **Local fixture review** — dry-run proof slice without live infrastructure.
+
+It does not execute infrastructure changes, connect to hosts, manage credentials,
+or provide production operational capability without explicit operator configuration.
 
 Planned foundation:
 
@@ -45,7 +53,18 @@ Tecrax -> GovEngine -> SCLite
 - Tecrax owns the infrastructure-operations profile semantics, fixture review
   payloads, UX, and future host integrations when those boundaries are mature.
 
-Current local fixture proof:
+## RExecOp profile
+
+Install `tecrax` alongside `rexecop` to register the domain profile:
+
+```bash
+pip install rexecop tecrax
+rexecop profile list
+```
+
+The profile root is exposed via `tecrax:profile_root` (directory `src/tecrax/profile/`).
+
+## Local fixture proof
 
 ```bash
 tecrax fixture-review --service demo-web
@@ -56,9 +75,9 @@ profile/planning/supervision/runtime-review contracts and binds its fixture
 receipt through an SCLite artifact descriptor. It has no live runner, host
 inventory, credential path, or infrastructure adapter.
 
-The `0.2.2-alpha` patch only aligns this fixture consumer with the curated
-SCLite/GovEngine package chain. It does not add an infrastructure runtime or a
-new contract surface.
+The `0.3.1-alpha` release consolidates the RExecOp domain profile into this
+package and aligns dependencies with RExecOp `0.1.x`. It does not add an
+infrastructure runtime or a new contract surface beyond the bundled profile.
 
 ## Validation
 

tecrax-0.3.2a0/PUBLIC_STATUS.md

@@ -0,0 +1,7 @@
+# Tecrax Public Status
+
+- **Package version:** `0.3.2a0` (`0.3.1-alpha`)
+- **Dependencies:** `govengine>=0.12.2a0,<0.15`, `sclite-core>=1.0.1,<1.1`, `rexecop>=0.2.2a0,<0.3`
+- **RExecOp profile:** bundled at `src/tecrax/profile/` via `rexecop.profiles:tecrax`
+- **Local fixture:** `tecrax fixture-review` — dry-run GovEngine/SCLite proof only
+- **Not claimed:** live infrastructure runner, host inventory, credentials, carrier adapters, scheduler/storage, production readiness

{tecrax-0.2.2a0 → tecrax-0.3.2a0}/README.md

@@ -2,12 +2,17 @@
 
 Tecrax is a governed infrastructure-operations runtime/profile built on GovEngine and SCLite.
 
-Current source/package baseline: `tecrax==0.2.2a0`, depending on
-`govengine>=0.11.0a0,<0.12` and `sclite-core>=0.8.0a0,<0.9`.
+Current published baseline: `tecrax==0.3.2a0`, depending on
+`govengine>=0.12.2a0,<0.15`, `sclite-core>=1.0.1,<1.1`, and `rexecop>=0.2.2a0,<0.3`.
 
-This repository/package contains a dry-run/local-fixture profile slice. It still
-does not execute infrastructure changes, connect to hosts, manage credentials,
-or provide production operational capability.
+This package provides:
+
+- **RExecOp domain profile** — bundled YAML profile with intents, workflows, connectors,
+  and validation rules (entry point `rexecop.profiles:tecrax`).
+- **Local fixture review** — dry-run proof slice without live infrastructure.
+
+It does not execute infrastructure changes, connect to hosts, manage credentials,
+or provide production operational capability without explicit operator configuration.
 
 Planned foundation:
 
@@ -20,7 +25,18 @@ Tecrax -> GovEngine -> SCLite
 - Tecrax owns the infrastructure-operations profile semantics, fixture review
   payloads, UX, and future host integrations when those boundaries are mature.
 
-Current local fixture proof:
+## RExecOp profile
+
+Install `tecrax` alongside `rexecop` to register the domain profile:
+
+```bash
+pip install rexecop tecrax
+rexecop profile list
+```
+
+The profile root is exposed via `tecrax:profile_root` (directory `src/tecrax/profile/`).
+
+## Local fixture proof
 
 ```bash
 tecrax fixture-review --service demo-web
@@ -31,9 +47,9 @@ profile/planning/supervision/runtime-review contracts and binds its fixture
 receipt through an SCLite artifact descriptor. It has no live runner, host
 inventory, credential path, or infrastructure adapter.
 
-The `0.2.2-alpha` patch only aligns this fixture consumer with the curated
-SCLite/GovEngine package chain. It does not add an infrastructure runtime or a
-new contract surface.
+The `0.3.1-alpha` release consolidates the RExecOp domain profile into this
+package and aligns dependencies with RExecOp `0.1.x`. It does not add an
+infrastructure runtime or a new contract surface beyond the bundled profile.
 
 ## Validation
 

{tecrax-0.2.2a0 → tecrax-0.3.2a0}/VALIDATION.md

@@ -9,10 +9,12 @@ python -m pytest -q
 tecrax fixture-review --service demo-web
 ```
 
-Expected result for `0.2.2a0`:
+Expected result for `0.3.2a0`:
 
-- `pyproject.toml`, `tecrax.__version__`, README, public status, and validators agree on `0.2.2a0` / `0.2.2-alpha`;
-- dependency truth is `govengine>=0.11.0a0,<0.12` and `sclite-core>=0.8.0a0,<0.9`;
+- `pyproject.toml`, `tecrax.__version__`, README, public status, and validators agree on `0.3.2a0` / `0.3.1-alpha`;
+- PyPI publication remains a fixture-only alpha package claim, not an infrastructure runtime claim;
+- dependency truth is `govengine>=0.12.2a0,<0.15`, `sclite-core>=1.0.1,<1.1`, and `rexecop>=0.2.2a0,<0.3`;
+- RExecOp profile entry point `tecrax:profile_root` resolves to a valid profile bundle;
 - fixture review output validates GovEngine profile, planning, supervision, runtime snapshot, review result, and runtime contract proof objects;
 - SCLite is used only for local artifact descriptors;
 - non-claims remain explicit for live infrastructure, credentials, adapters, scheduler/storage, and production readiness.

{tecrax-0.2.2a0 → tecrax-0.3.2a0}/pyproject.toml

@@ -4,8 +4,8 @@ build-backend = "hatchling.build"
 
 [project]
 name = "tecrax"
-version = "0.2.2a0"
-description = "Dry-run local-fixture infrastructure-operations profile over GovEngine and SCLite."
+version = "0.3.2a0"
+description = "Governed infrastructure-operations profile and RExecOp domain package over GovEngine and SCLite."
 readme = "README.md"
 requires-python = ">=3.11"
 license = { text = "MIT" }
@@ -22,10 +22,21 @@ classifiers = [
   "Topic :: System :: Systems Administration",
 ]
 dependencies = [
-  "govengine>=0.11.0a0,<0.12",
-  "sclite-core>=0.8.0a0,<0.9",
+  "govengine>=0.12.2a0,<0.15",
+  "sclite-core>=1.0.1,<1.1",
+  "rexecop>=0.2.2a0,<0.3",
 ]
 
+[project.entry-points."rexecop.profiles"]
+tecrax = "tecrax:profile_root"
+
+[project.entry-points."rexecop.internal_actions"]
+tecrax = "tecrax.internal_actions:register_handlers"
+
+[project.entry-points."rexecop.connector_backends"]
+tecrax_fixture = "tecrax.fixture.mock_runtime:build_runtime"
+tecrax_proxmox = "tecrax.connectors.proxmox_runtime:build_connector_runtime"
+
 [project.urls]
 Homepage = "https://github.com/rozmiarD/tecrax"
 Repository = "https://github.com/rozmiarD/tecrax"
@@ -37,6 +48,9 @@ tecrax = "tecrax.cli:main"
 dev = [
   "pytest>=8,<9",
 ]
+fixture = [
+  "rexecop>=0.1.2a0,<0.2",
+]
 
 [tool.hatch.build.targets.wheel]
 packages = ["src/tecrax"]

{tecrax-0.2.2a0 → tecrax-0.3.2a0}/scripts/validate_public_truth.py

@@ -14,10 +14,11 @@ import tecrax  # noqa: E402
 from tecrax.local_fixture import build_local_fixture_review  # noqa: E402
 
 
-EXPECTED_VERSION = '0.2.2a0'
-EXPECTED_RELEASE_LABEL = '0.2.2-alpha'
-EXPECTED_GOVENGINE = 'govengine>=0.11.0a0,<0.12'
-EXPECTED_SCLITE = 'sclite-core>=0.8.0a0,<0.9'
+EXPECTED_VERSION = '0.3.2a0'
+EXPECTED_RELEASE_LABEL = '0.3.1-alpha'
+EXPECTED_GOVENGINE = 'govengine>=0.12.2a0,<0.15'
+EXPECTED_SCLITE = 'sclite-core>=1.0.1,<1.1'
+EXPECTED_REXECOP = 'rexecop>=0.2.2a0,<0.3'
 PUBLIC_DOCS = (
     'README.md',
     'PUBLIC_STATUS.md',
@@ -65,6 +66,7 @@ def collect_errors() -> list[str]:
     version = str(project['version'])
     govengine_dep = _dependency(project, 'govengine')
     sclite_dep = _dependency(project, 'sclite-core')
+    rexecop_dep = _dependency(project, 'rexecop')
 
     if project['name'] != 'tecrax':
         errors.append(f'distribution_name_mismatch:{project["name"]}')
@@ -76,13 +78,22 @@ def collect_errors() -> list[str]:
         errors.append(f'govengine_dependency_mismatch:{govengine_dep}!={EXPECTED_GOVENGINE}')
     if sclite_dep != EXPECTED_SCLITE:
         errors.append(f'sclite_dependency_mismatch:{sclite_dep}!={EXPECTED_SCLITE}')
+    if rexecop_dep != EXPECTED_REXECOP:
+        errors.append(f'rexecop_dependency_mismatch:{rexecop_dep}!={EXPECTED_REXECOP}')
 
     for path in PUBLIC_DOCS:
         _require(errors, path, EXPECTED_VERSION)
         _require(errors, path, EXPECTED_GOVENGINE)
         _require(errors, path, EXPECTED_SCLITE)
+        _require(errors, path, EXPECTED_REXECOP)
     _require(errors, 'PUBLIC_STATUS.md', EXPECTED_RELEASE_LABEL)
     _require(errors, 'README.md', 'tecrax fixture-review --service demo-web')
+    _require(errors, 'README.md', 'rexecop.profiles:tecrax')
+    _require(errors, 'pyproject.toml', 'rexecop.profiles')
+    _require(errors, 'pyproject.toml', 'tecrax:profile_root')
+    profile_root = Path(tecrax.profile_root())
+    if not (profile_root / 'profile.yaml').is_file():
+        errors.append('profile_bundle_missing:profile.yaml')
     _require(errors, 'VALIDATION.md', 'python scripts/validate_public_truth.py')
     _require(errors, '.github/workflows/ci.yml', 'actions/checkout@v6')
     _require(errors, '.github/workflows/ci.yml', 'actions/setup-python@v6')
@@ -94,6 +105,8 @@ def collect_errors() -> list[str]:
     _require(errors, '.github/workflows/ci.yml', 'python -m pip check')
     _require(errors, '.github/workflows/ci.yml', 'sclite-core @ git+https://github.com/rozmiarD/SCLite.git@main')
     _require(errors, '.github/workflows/ci.yml', 'govengine @ git+https://github.com/rozmiarD/GovEngine.git@main')
+    _require(errors, '.github/workflows/ci.yml', 'repository: rozmiarD/RExecOP')
+    _require(errors, '.github/workflows/ci.yml', 'pip install -e ./rexecop')
 
     review = build_local_fixture_review('truth-fixture')
     if review.get('artifact_type') != 'tecrax_local_fixture_review':
@@ -111,6 +124,11 @@ def collect_errors() -> list[str]:
         errors.append('fixture_claims_credentials')
     if not review.get('sclite_fixture_receipt_descriptor', {}).get('digest'):
         errors.append('fixture_missing_sclite_descriptor_digest')
+    cli_text = _read('src/tecrax/cli.py')
+    if EXPECTED_RELEASE_LABEL not in cli_text:
+        errors.append(f'src/tecrax/cli.py:missing_current_release_label:{EXPECTED_RELEASE_LABEL}')
+    if '0.2.0-alpha' in cli_text or '0.2.1-alpha' in cli_text:
+        errors.append('src/tecrax/cli.py:stale_cli_status_release_label')
 
     for path in PUBLIC_DOCS:
         lowered = _read(path).lower()
@@ -128,7 +146,7 @@ def main() -> int:
         for error in errors:
             print(error, file=sys.stderr)
         return 1
-    print(f'public_truth_ok:tecrax=={EXPECTED_VERSION}:{EXPECTED_GOVENGINE}:{EXPECTED_SCLITE}')
+    print(f'public_truth_ok:tecrax=={EXPECTED_VERSION}:{EXPECTED_GOVENGINE}:{EXPECTED_SCLITE}:{EXPECTED_REXECOP}')
     return 0
 
 

tecrax-0.3.2a0/src/tecrax/__init__.py

@@ -0,0 +1,16 @@
+"""Tecrax governed infrastructure-operations profile and local-fixture runtime."""
+
+from __future__ import annotations
+
+from pathlib import Path
+
+from .local_fixture import build_local_fixture_review
+
+__version__ = "0.3.2a0"
+
+__all__ = ["__version__", "build_local_fixture_review", "profile_root"]
+
+
+def profile_root() -> str:
+    """Entry point for rexecop.profiles — returns bundled RExecOp profile directory."""
+    return str(Path(__file__).resolve().parent / "profile")

{tecrax-0.2.2a0 → tecrax-0.3.2a0}/src/tecrax/cli.py

@@ -28,7 +28,7 @@ def main(argv: list[str] | None = None) -> int:
         return 0
 
     print(
-        "Tecrax 0.2.0-alpha local-fixture profile: no live infrastructure "
+        "Tecrax 0.3.1-alpha local-fixture profile: no live infrastructure "
         "connections, credentials, or operational changes are enabled."
     )
     return 0

tecrax-0.3.2a0/src/tecrax/connectors/__init__.py

@@ -0,0 +1 @@
+"""Domain connector helpers for Tecrax profiles."""

tecrax-0.3.2a0/src/tecrax/connectors/proxmox.py

@@ -0,0 +1,90 @@
+from __future__ import annotations
+
+from typing import Any
+
+
+def build_http_api_connector_config(
+    *,
+    staging_paths: bool = False,
+    base_url_secret_ref: str = "proxmox_base_url",
+    api_token_secret_ref: str = "proxmox_api_token",
+    timeout_seconds: int = 10,
+    max_retry_attempts: int = 2,
+) -> dict[str, Any]:
+    """Build environment YAML connector config for Proxmox over generic http_api."""
+    if staging_paths:
+        list_action: dict[str, Any] = {
+            "method": "GET",
+            "path": "/proxmox/vms/paged",
+            "pagination": {
+                "items_path": "data.vms",
+                "next_path": "data.next",
+                "max_pages": 5,
+            },
+        }
+        restart_path = "/proxmox/restart"
+    else:
+        list_action = {
+            "method": "GET",
+            "path": "/api2/json/cluster/resources",
+            "unwrap": "data",
+        }
+        restart_path = "/api2/json/nodes/{node}/qemu/{vmid}/status/restart"
+
+    actions: dict[str, Any] = {
+        "list_vms": list_action,
+        "restart": {
+            "method": "POST",
+            "path": restart_path,
+            "mutating": True,
+            "body": {"target": "{target}"},
+        },
+    }
+
+    return {
+        "enabled": True,
+        "backend": "http_api",
+        "base_url_secret_ref": base_url_secret_ref,
+        "auth": {
+            "secret_ref": api_token_secret_ref,
+            "header": "Authorization",
+            "prefix": "PVEAPIToken=",
+        },
+        "timeout_seconds": timeout_seconds,
+        "retry": {
+            "max_attempts": max_retry_attempts,
+            "base_delay": 0.2,
+            "max_delay": 2.0,
+            "on": ["timeout", "transient_connector_error"],
+        },
+        "actions": actions,
+    }
+
+
+def merge_http_api_connector_config(
+    template: dict[str, Any],
+    overrides: dict[str, Any],
+) -> dict[str, Any]:
+    """Merge operator overrides into a Proxmox http_api template."""
+    merged: dict[str, Any] = dict(template)
+    skip_keys = {"backend", "plugin", "staging_paths"}
+    for key, value in overrides.items():
+        if key in skip_keys:
+            continue
+        if isinstance(value, dict) and isinstance(merged.get(key), dict):
+            nested = dict(merged[key])
+            nested.update(value)
+            merged[key] = nested
+        else:
+            merged[key] = value
+    merged["backend"] = "http_api"
+    if "base_url" in overrides:
+        merged.pop("base_url_secret_ref", None)
+        if "auth" not in overrides:
+            merged.pop("auth", None)
+    auth = overrides.get("auth")
+    if isinstance(auth, dict) and auth.get("secret_ref"):
+        merged_auth = dict(merged.get("auth") or {})
+        merged_auth.update(auth)
+        merged["auth"] = merged_auth
+    return merged

tecrax-0.3.2a0/src/tecrax/connectors/proxmox_runtime.py

@@ -0,0 +1,38 @@
+from __future__ import annotations
+
+from typing import Any
+
+from rexecop.connectors.base import ConnectorRuntime
+from rexecop.connectors.http_api import HttpApiConnectorRuntime
+from rexecop.secrets.port import SecretResolver
+from rexecop.secrets.resolver import default_secret_resolver
+
+from tecrax.connectors.proxmox import build_http_api_connector_config, merge_http_api_connector_config
+
+
+def build_connector_runtime(
+    *,
+    connector_name: str,
+    config: dict[str, Any],
+    profile_root: str | None,
+    mutating_allowed: bool,
+    secret_resolver: SecretResolver | None = None,
+) -> ConnectorRuntime:
+    """Domain connector backend: Proxmox over generic http_api with Tecrax templates."""
+    template = build_http_api_connector_config(
+        staging_paths=bool(config.get("staging_paths")),
+        base_url_secret_ref=str(config.get("base_url_secret_ref") or "proxmox_base_url"),
+        api_token_secret_ref=str(config.get("api_token_secret_ref") or "proxmox_api_token"),
+        timeout_seconds=int(config.get("timeout_seconds") or 10),
+        max_retry_attempts=int((config.get("retry") or {}).get("max_attempts") or 2)
+        if isinstance(config.get("retry"), dict)
+        else int(config.get("max_retry_attempts") or 2),
+    )
+    merged = merge_http_api_connector_config(template, config)
+    return HttpApiConnectorRuntime(
+        connector_name=connector_name,
+        config=merged,
+        profile_root=profile_root,
+        mutating_allowed=mutating_allowed,
+        secret_resolver=secret_resolver or default_secret_resolver(),
+    )

tecrax-0.3.2a0/src/tecrax/fixture/mock_runtime.py

@@ -0,0 +1,67 @@
+from __future__ import annotations
+
+from rexecop.connectors.base import ConnectorRequest, ConnectorResponse
+from rexecop.connectors.mock_runtime import MockConnectorRuntime
+
+
+class TecraxFixtureConnectorRuntime(MockConnectorRuntime):
+    """Domain fixture mock for Tecrax offline/bootstrap workflows."""
+
+    def invoke(self, request: ConnectorRequest) -> ConnectorResponse:
+        base = super().invoke(request)
+        if base.error and "unsupported mock" not in base.error:
+            return base
+
+        if request.connector == "proxmox" and request.action == "list_vms":
+            return ConnectorResponse(
+                connector=request.connector,
+                action=request.action,
+                success=True,
+                data={
+                    "vms": [
+                        {"id": "vm-101", "name": "zabbix-proxy", "critical": True},
+                        {"id": "vm-102", "name": "backup-gateway", "critical": True},
+                    ]
+                },
+            )
+
+        if request.connector == "proxmox" and request.action == "restart":
+            before_state = {
+                "vm_id": "vm-101",
+                "agent_status": "running",
+                "target": request.target,
+            }
+            after_state = {
+                "vm_id": "vm-101",
+                "agent_status": "restarted",
+                "target": request.target,
+            }
+            return ConnectorResponse(
+                connector=request.connector,
+                action=request.action,
+                success=True,
+                data={
+                    "before_state": before_state,
+                    "after_state": after_state,
+                    "mutation": "restart_zabbix_agent",
+                },
+            )
+
+        if request.connector == "pbs" and request.action == "list_snapshots":
+            return ConnectorResponse(
+                connector=request.connector,
+                action=request.action,
+                success=True,
+                data={
+                    "snapshots": [
+                        {"vm_id": "vm-101", "status": "ok"},
+                        {"vm_id": "vm-102", "status": "ok"},
+                    ]
+                },
+            )
+
+        return base
+
+
+def build_runtime() -> TecraxFixtureConnectorRuntime:
+    return TecraxFixtureConnectorRuntime()

tecrax-0.3.2a0/src/tecrax/internal_actions.py

@@ -0,0 +1,75 @@
+from __future__ import annotations
+
+from collections.abc import Mapping
+from typing import Any
+
+from rexecop.execution.backend import StepExecutionContext
+
+
+def register_handlers() -> Mapping[str, Any]:
+    return {
+        "environment.resolve_targets": resolve_targets,
+        "correlate_vm_backup_coverage": correlate_vm_backup_coverage,
+        "capture_agent_state": capture_agent_state,
+        "verify_agent_state": verify_agent_state,
+    }
+
+
+def resolve_targets(context: StepExecutionContext) -> dict[str, Any]:
+    return {
+        "target": context.target,
+        "resolved_targets": ["vm-101", "vm-102"],
+    }
+
+
+def correlate_vm_backup_coverage(context: StepExecutionContext) -> dict[str, Any]:
+    connector_results = context.shared_state.get("connector_results", {})
+    vms: list[dict[str, Any]] = []
+    snapshots: list[dict[str, Any]] = []
+    for payload in connector_results.values():
+        if isinstance(payload, dict):
+            vms.extend(payload.get("vms", []))
+            snapshots.extend(payload.get("snapshots", []))
+    covered = {item.get("vm_id") for item in snapshots}
+    rows = []
+    for vm in vms:
+        vm_id = vm.get("id")
+        rows.append(
+            {
+                "vm_id": vm_id,
+                "name": vm.get("name"),
+                "backup_status": "ok" if vm_id in covered else "missing",
+            }
+        )
+    result = {
+        "rows": rows,
+        "all_critical_covered": all(row["backup_status"] == "ok" for row in rows),
+    }
+    context.shared_state["correlation"] = result
+    return result
+
+
+def capture_agent_state(context: StepExecutionContext) -> dict[str, Any]:
+    state = {
+        "target": context.target,
+        "agent_status": "running",
+        "vm_id": "vm-101",
+    }
+    context.shared_state["agent_before_state"] = dict(state)
+    return {"before_state": state}
+
+
+def verify_agent_state(context: StepExecutionContext) -> dict[str, Any]:
+    mutation = context.shared_state.get("mutation_states", {}).get("restart_agent", {})
+    after_state = mutation.get("after_state") if isinstance(mutation, dict) else None
+    if not isinstance(after_state, dict):
+        return {
+            "verified": False,
+            "reason": "missing restart mutation after_state",
+        }
+    context.shared_state["agent_after_state"] = dict(after_state)
+    return {
+        "verified": after_state.get("agent_status") == "restarted",
+        "after_state": after_state,
+        "before_state": context.shared_state.get("agent_before_state"),
+    }

tecrax-0.3.2a0/src/tecrax/profile/connectors/pbs.yaml

@@ -0,0 +1,7 @@
+connector:
+  name: pbs
+  capabilities:
+    - list_snapshots
+  modes:
+    - read_only
+  timeout_default: 20s

tecrax-0.3.2a0/src/tecrax/profile/connectors/proxmox.yaml

@@ -0,0 +1,9 @@
+connector:
+  name: proxmox
+  capabilities:
+    - list_vms
+    - restart
+  modes:
+    - read_only
+    - apply
+  timeout_default: 10s

tecrax-0.3.2a0/src/tecrax/profile/intents/check_backup_status.yaml

@@ -0,0 +1,7 @@
+intent:
+  id: check_backup_status
+  workflow: workflows/check_backup_status.yaml
+  risk: low
+  modes:
+    - read_only
+    - dry_run

tecrax-0.3.2a0/src/tecrax/profile/intents/restart_zabbix_agent.yaml

@@ -0,0 +1,6 @@
+intent:
+  id: restart_zabbix_agent
+  workflow: workflows/restart_zabbix_agent.yaml
+  risk: medium
+  modes:
+    - apply

tecrax-0.3.2a0/src/tecrax/profile/profile.yaml

@@ -0,0 +1,30 @@
+profile_contract:
+  name: tecrax
+  version: "0.3.1"
+
+  intents:
+    required: true
+
+  workflows:
+    required: true
+
+  connector_requirements:
+    required: true
+
+  risk_classes:
+    required: true
+
+  evidence_requirements:
+    required: true
+
+  governance_expectations:
+    required: true
+
+  validation_rules:
+    required: true
+
+  rollback_rules:
+    optional: true
+
+  escalation_rules:
+    required: true

tecrax-0.3.2a0/src/tecrax/profile/validation_rules/check_backup_status.yaml

@@ -0,0 +1,13 @@
+validation_rule:
+  intent: check_backup_status
+  steps:
+    - type: require_mapping
+      key: correlation
+      fail:
+        rule: check_backup_status.correlation_required
+        details:
+          reason: missing correlation result
+    - type: require_truthy_path
+      path: correlation.all_critical_covered
+      pass_rule: check_backup_status.all_critical_covered
+      details_from: correlation

tecrax-0.3.2a0/src/tecrax/profile/validation_rules/restart_zabbix_agent.yaml

@@ -0,0 +1,18 @@
+validation_rule:
+  intent: restart_zabbix_agent
+  steps:
+    - type: require_mapping
+      key: agent_after_state
+      fail:
+        rule: restart_zabbix_agent.after_state_required
+        details:
+          reason: missing agent_after_state
+    - type: require_equals
+      path: agent_after_state.agent_status
+      value: restarted
+      pass_rule: restart_zabbix_agent.agent_restarted
+      details:
+        agent_after_state: $agent_after_state
+        mutation_states: $mutation_states.restart_agent
+        before_state: $mutation_states.restart_agent.before_state
+        after_state: $mutation_states.restart_agent.after_state

tecrax-0.3.2a0/src/tecrax/profile/workflows/check_backup_status.yaml

@@ -0,0 +1,42 @@
+workflow:
+  id: tecrax.check_backup_status
+  intent: check_backup_status
+  mode: read_only
+  risk: low
+  description: Check backup coverage for critical VMs using profile-defined connectors.
+
+  steps:
+    - id: resolve_inventory
+      type: internal
+      action: environment.resolve_targets
+      pause_safe: true
+
+    - id: query_proxmox
+      type: connector
+      connector: proxmox
+      action: list_vms
+      timeout: 10s
+      pause_safe: false
+
+    - id: query_pbs
+      type: connector
+      connector: pbs
+      action: list_snapshots
+      timeout: 20s
+      pause_safe: false
+
+    - id: correlate
+      type: internal
+      action: correlate_vm_backup_coverage
+      pause_safe: true
+
+    - id: produce_receipt
+      type: evidence
+      action: produce_receipt
+      pause_safe: true
+
+  retry:
+    max_attempts: 2
+    allowed_on:
+      - timeout
+      - transient_connector_error

tecrax-0.3.2a0/src/tecrax/profile/workflows/restart_zabbix_agent.yaml

@@ -0,0 +1,45 @@
+workflow:
+  id: tecrax.restart_zabbix_agent
+  intent: restart_zabbix_agent
+  mode: apply
+  risk: medium
+  description: Restart Zabbix agent on a target VM using mock Proxmox connector.
+
+  steps:
+    - id: capture_state
+      type: internal
+      action: capture_agent_state
+      pause_safe: true
+
+    - id: restart_agent
+      type: connector
+      connector: proxmox
+      action: restart
+      timeout: 30s
+      pause_safe: false
+
+    - id: verify_state
+      type: internal
+      action: verify_agent_state
+      pause_safe: true
+
+    - id: produce_receipt
+      type: evidence
+      action: produce_receipt
+      pause_safe: true
+
+  retry:
+    max_attempts: 2
+    allowed_on:
+      - timeout
+      - transient_connector_error
+    blocked_on:
+      - policy_denied
+
+  rollback:
+    mode: dry_run
+    steps:
+      - id: rollback_marker
+        type: internal
+        action: record_rollback_marker
+        pause_safe: true

{tecrax-0.2.2a0 → tecrax-0.3.2a0}/tests/test_local_fixture.py

@@ -29,12 +29,13 @@ def test_cli_status_keeps_local_fixture_posture(capsys) -> None:
     assert main(['status']) == 0
 
     stdout = capsys.readouterr().out
+    assert '0.3.1-alpha' in stdout
     assert 'local-fixture profile' in stdout
     assert 'no live infrastructure' in stdout
 
 
 def test_version_and_public_truth_validator_agree() -> None:
-    assert __version__ == '0.2.2a0'
+    assert __version__ == '0.3.2a0'
     result = subprocess.run(
         [sys.executable, str(ROOT / 'scripts' / 'validate_public_truth.py')],
         cwd=ROOT,
@@ -43,6 +44,8 @@ def test_version_and_public_truth_validator_agree() -> None:
         check=True,
     )
     assert result.stdout.strip() == (
-        'public_truth_ok:tecrax==0.2.2a0:'
-        'govengine>=0.11.0a0,<0.12:sclite-core>=0.8.0a0,<0.9'
+        'public_truth_ok:tecrax==0.3.2a0:'
+        'govengine>=0.12.2a0,<0.15:'
+        'sclite-core>=1.0.1,<1.1:'
+        'rexecop>=0.2.2a0,<0.3'
     )

tecrax-0.3.2a0/tests/test_proxmox_connector_backend.py

@@ -0,0 +1,32 @@
+from __future__ import annotations
+
+from importlib.metadata import entry_points
+
+from tecrax.connectors.proxmox import build_http_api_connector_config, merge_http_api_connector_config
+from tecrax.connectors.proxmox_runtime import build_connector_runtime
+
+
+def test_tecrax_proxmox_connector_backend_entry_point() -> None:
+    eps = entry_points(group="rexecop.connector_backends")
+    names = {ep.name for ep in eps}
+    assert "tecrax_proxmox" in names
+
+
+def test_merge_http_api_connector_config_drops_secret_ref_when_base_url_set() -> None:
+    template = build_http_api_connector_config(staging_paths=True)
+    merged = merge_http_api_connector_config(
+        template,
+        {"base_url": "http://example.test"},
+    )
+    assert merged["base_url"] == "http://example.test"
+    assert "base_url_secret_ref" not in merged
+
+
+def test_build_connector_runtime_returns_invokeable_backend() -> None:
+    runtime = build_connector_runtime(
+        connector_name="proxmox",
+        config={"staging_paths": True, "base_url": "http://127.0.0.1:9"},
+        profile_root=None,
+        mutating_allowed=False,
+    )
+    assert hasattr(runtime, "invoke")

tecrax-0.3.2a0/tests/test_proxmox_connector_templates.py

@@ -0,0 +1,16 @@
+from __future__ import annotations
+
+from tecrax.connectors.proxmox import build_http_api_connector_config
+
+
+def test_build_proxmox_http_api_config_staging_paths() -> None:
+    config = build_http_api_connector_config(staging_paths=True)
+    assert config["backend"] == "http_api"
+    assert config["actions"]["list_vms"]["pagination"]["items_path"] == "data.vms"
+    assert config["retry"]["base_delay"] == 0.2
+
+
+def test_build_proxmox_http_api_config_production_paths() -> None:
+    config = build_http_api_connector_config(staging_paths=False)
+    assert "/api2/json/cluster/resources" in config["actions"]["list_vms"]["path"]
+    assert config["actions"]["list_vms"]["unwrap"] == "data"

tecrax-0.3.2a0/tests/test_rexecop_profile.py

@@ -0,0 +1,35 @@
+from __future__ import annotations
+
+from importlib.metadata import entry_points
+from pathlib import Path
+
+import tecrax
+from tecrax import profile_root
+
+
+def test_profile_root_points_to_bundled_directory() -> None:
+    root = Path(profile_root())
+    assert root.is_dir()
+    assert (root / "profile.yaml").is_file()
+    assert (root / "intents").is_dir()
+    assert (root / "workflows").is_dir()
+
+
+def test_profile_yaml_loads_with_expected_contract() -> None:
+    profile_path = Path(profile_root()) / "profile.yaml"
+    text = profile_path.read_text(encoding="utf-8")
+    assert "name: tecrax" in text
+    assert 'version: "0.3.1"' in text
+
+
+def test_rexecop_profiles_entry_point_registered() -> None:
+    eps = entry_points(group="rexecop.profiles")
+    names = {ep.name for ep in eps}
+    assert "tecrax" in names
+    tecrax_ep = next(ep for ep in eps if ep.name == "tecrax")
+    assert tecrax_ep.value == "tecrax:profile_root"
+    assert Path(tecrax_ep.load()()).is_dir()
+
+
+def test_package_version_matches_profile_bundle() -> None:
+    assert tecrax.__version__ == "0.3.2a0"

tecrax-0.2.2a0/PUBLIC_STATUS.md

@@ -1,23 +0,0 @@
-# Tecrax Public Status
-
-Tecrax is an **alpha local-fixture infrastructure-operations profile package** over GovEngine and SCLite.
-
-## Current Truth
-
-- Source version: `0.2.2a0`.
-- Public release label: `0.2.2-alpha`.
-- Dependency chain: `tecrax -> govengine>=0.11.0a0,<0.12 -> sclite-core>=0.8.0a0,<0.9`.
-- Runtime posture: dry-run/local-fixture only.
-- Public surface: `tecrax fixture-review --service demo-web`.
-
-The `0.2.2-alpha` line is dependency/conformance synchronization only; it
-keeps the fixture-only posture unchanged.
-
-## Non-Claims
-
-- no live infrastructure connection;
-- no host inventory ownership;
-- no credential, key-store, PKI, or KMS ownership;
-- no carrier adapter implementation;
-- no scheduler/storage/queue persistence ownership;
-- no production operational readiness.

tecrax-0.2.2a0/src/tecrax/__init__.py

@@ -1,7 +0,0 @@
-"""Tecrax dry-run local-fixture infrastructure-operations profile."""
-
-from .local_fixture import build_local_fixture_review
-
-__version__ = "0.2.2a0"
-
-__all__ = ['__version__', 'build_local_fixture_review']