Completed: epithet-19 - Host Eligibility Checking with Match Patterns

**Changes made:**
- Added `matchPatterns []string` field to Broker struct
- Updated `broker.New()` to accept match patterns parameter
- Implemented `shouldHandle()` method using `filepath.Match` for pattern matching
- Added host eligibility checking as Step 1 of the 5-step workflow in `broker.Match()`
- Fully implemented the agent command to create and start the broker with signal handling
- Added comprehensive tests (Test_ShouldHandle with 8 cases, Test_MatchWithPatternFiltering)
- Fixed nil pointer dereference bug in `broker.Close()`
- Updated all existing tests to provide match patterns

**Tests:** All passing ✅

**Issues closed:**
- epithet-19 (host eligibility checking)
- epithet-12 (epithet match command epic - all sub-tasks complete)

Author: brianm

.beads/issues.jsonl

@@ -10,15 +10,15 @@
 {"id":"epithet-18","title":"Implement 5-step certificate validation workflow","description":"","status":"closed","priority":1,"issue_type":"task","created_at":"2025-10-22T16:09:07.715489-07:00","updated_at":"2025-10-25T15:03:32.80585-07:00","closed_at":"2025-10-25T15:03:32.80585-07:00","dependencies":[{"issue_id":"epithet-18","depends_on_id":"epithet-12","type":"parent-child","created_at":"2025-10-22T16:09:07.719097-07:00","created_by":"import"}]}
 {"id":"epithet-19","title":"Add host eligibility checking (match patterns)","description":"","status":"open","priority":1,"issue_type":"task","created_at":"2025-10-22T16:09:07.715489-07:00","updated_at":"2025-10-22T16:09:07.715489-07:00","dependencies":[{"issue_id":"epithet-19","depends_on_id":"epithet-12","type":"parent-child","created_at":"2025-10-22T16:09:07.719466-07:00","created_by":"import"}]}
 {"id":"epithet-20","title":"Return success/failure to OpenSSH properly","description":"","status":"closed","priority":1,"issue_type":"task","created_at":"2025-10-22T16:09:07.715489-07:00","updated_at":"2025-10-22T16:09:07.715489-07:00","closed_at":"2025-10-22T16:36:42.750426903Z","dependencies":[{"issue_id":"epithet-20","depends_on_id":"epithet-12","type":"parent-child","created_at":"2025-10-22T16:09:07.719802-07:00","created_by":"import"}]}
-{"id":"epithet-21","title":"Implement certificate request flow: auth token → CA → signed certificate","description":"","status":"open","priority":2,"issue_type":"task","created_at":"2025-10-22T16:09:07.715489-07:00","updated_at":"2025-10-22T16:09:07.715489-07:00","dependencies":[{"issue_id":"epithet-21","depends_on_id":"epithet-13","type":"parent-child","created_at":"2025-10-22T16:09:07.720137-07:00","created_by":"import"}]}
-{"id":"epithet-22","title":"Pass connection details (host, user, port) to CA for principal determination","description":"","status":"open","priority":2,"issue_type":"task","created_at":"2025-10-22T16:09:07.715489-07:00","updated_at":"2025-10-22T16:09:07.715489-07:00","dependencies":[{"issue_id":"epithet-22","depends_on_id":"epithet-13","type":"parent-child","created_at":"2025-10-22T16:09:07.720431-07:00","created_by":"import"}]}
+{"id":"epithet-21","title":"Implement certificate request flow: auth token → CA → signed certificate","description":"","status":"closed","priority":2,"issue_type":"task","created_at":"2025-10-22T16:09:07.715489-07:00","updated_at":"2025-10-25T15:10:02.800425-07:00","closed_at":"2025-10-25T15:10:02.800425-07:00","dependencies":[{"issue_id":"epithet-21","depends_on_id":"epithet-13","type":"parent-child","created_at":"2025-10-22T16:09:07.720137-07:00","created_by":"import"}]}
+{"id":"epithet-22","title":"Pass connection details (host, user, port) to CA for principal determination","description":"","status":"closed","priority":2,"issue_type":"task","created_at":"2025-10-22T16:09:07.715489-07:00","updated_at":"2025-10-25T15:10:02.875796-07:00","closed_at":"2025-10-25T15:10:02.875796-07:00","dependencies":[{"issue_id":"epithet-22","depends_on_id":"epithet-13","type":"parent-child","created_at":"2025-10-22T16:09:07.720431-07:00","created_by":"import"}]}
 {"id":"epithet-23","title":"Handle CA errors and policy denials","description":"","status":"open","priority":2,"issue_type":"task","created_at":"2025-10-22T16:09:07.715489-07:00","updated_at":"2025-10-22T16:09:07.715489-07:00","dependencies":[{"issue_id":"epithet-23","depends_on_id":"epithet-13","type":"parent-child","created_at":"2025-10-22T16:09:07.720708-07:00","created_by":"import"}]}
-{"id":"epithet-24","title":"Store returned certificates with expiry times","description":"","status":"open","priority":2,"issue_type":"task","created_at":"2025-10-22T16:09:07.715489-07:00","updated_at":"2025-10-22T16:09:07.715489-07:00","dependencies":[{"issue_id":"epithet-24","depends_on_id":"epithet-13","type":"parent-child","created_at":"2025-10-22T16:09:07.720997-07:00","created_by":"import"}]}
-{"id":"epithet-25","title":"Create per-connection agent instances using pkg/agent.Agent","description":"","status":"open","priority":2,"issue_type":"task","created_at":"2025-10-22T16:09:07.715489-07:00","updated_at":"2025-10-22T16:09:07.715489-07:00","dependencies":[{"issue_id":"epithet-25","depends_on_id":"epithet-14","type":"parent-child","created_at":"2025-10-22T16:09:07.721274-07:00","created_by":"import"}]}
-{"id":"epithet-26","title":"Implement map connection hash (%C) → agent instance","description":"","status":"open","priority":2,"issue_type":"task","created_at":"2025-10-22T16:09:07.715489-07:00","updated_at":"2025-10-22T16:09:07.715489-07:00","dependencies":[{"issue_id":"epithet-26","depends_on_id":"epithet-14","type":"parent-child","created_at":"2025-10-22T16:09:07.721543-07:00","created_by":"import"}]}
-{"id":"epithet-27","title":"Implement agent socket path management at ~/.epithet/sockets/%C","description":"","status":"open","priority":2,"issue_type":"task","created_at":"2025-10-22T16:09:07.715489-07:00","updated_at":"2025-10-22T16:09:07.715489-07:00","dependencies":[{"issue_id":"epithet-27","depends_on_id":"epithet-14","type":"parent-child","created_at":"2025-10-22T16:09:07.721819-07:00","created_by":"import"}]}
-{"id":"epithet-28","title":"Implement certificate swapping/renewal in existing agents (via UseCredential)","description":"","status":"open","priority":2,"issue_type":"task","created_at":"2025-10-22T16:09:07.715489-07:00","updated_at":"2025-10-22T16:09:07.715489-07:00","dependencies":[{"issue_id":"epithet-28","depends_on_id":"epithet-14","type":"parent-child","created_at":"2025-10-22T16:09:07.722075-07:00","created_by":"import"}]}
-{"id":"epithet-29","title":"Implement agent lifecycle and cleanup","description":"","status":"open","priority":2,"issue_type":"task","created_at":"2025-10-22T16:09:07.715489-07:00","updated_at":"2025-10-22T16:09:07.715489-07:00","dependencies":[{"issue_id":"epithet-29","depends_on_id":"epithet-14","type":"parent-child","created_at":"2025-10-22T16:09:07.722345-07:00","created_by":"import"}]}
+{"id":"epithet-24","title":"Store returned certificates with expiry times","description":"","status":"closed","priority":2,"issue_type":"task","created_at":"2025-10-22T16:09:07.715489-07:00","updated_at":"2025-10-25T15:10:13.727953-07:00","closed_at":"2025-10-25T15:10:13.727953-07:00","dependencies":[{"issue_id":"epithet-24","depends_on_id":"epithet-13","type":"parent-child","created_at":"2025-10-22T16:09:07.720997-07:00","created_by":"import"}]}
+{"id":"epithet-25","title":"Create per-connection agent instances using pkg/agent.Agent","description":"","status":"closed","priority":2,"issue_type":"task","created_at":"2025-10-22T16:09:07.715489-07:00","updated_at":"2025-10-25T15:10:13.805836-07:00","closed_at":"2025-10-25T15:10:13.805836-07:00","dependencies":[{"issue_id":"epithet-25","depends_on_id":"epithet-14","type":"parent-child","created_at":"2025-10-22T16:09:07.721274-07:00","created_by":"import"}]}
+{"id":"epithet-26","title":"Implement map connection hash (%C) → agent instance","description":"","status":"closed","priority":2,"issue_type":"task","created_at":"2025-10-22T16:09:07.715489-07:00","updated_at":"2025-10-25T15:10:23.197188-07:00","closed_at":"2025-10-25T15:10:23.197188-07:00","dependencies":[{"issue_id":"epithet-26","depends_on_id":"epithet-14","type":"parent-child","created_at":"2025-10-22T16:09:07.721543-07:00","created_by":"import"}]}
+{"id":"epithet-27","title":"Implement agent socket path management at ~/.epithet/sockets/%C","description":"","status":"closed","priority":2,"issue_type":"task","created_at":"2025-10-22T16:09:07.715489-07:00","updated_at":"2025-10-25T15:10:23.276431-07:00","closed_at":"2025-10-25T15:10:23.276431-07:00","dependencies":[{"issue_id":"epithet-27","depends_on_id":"epithet-14","type":"parent-child","created_at":"2025-10-22T16:09:07.721819-07:00","created_by":"import"}]}
+{"id":"epithet-28","title":"Implement certificate swapping/renewal in existing agents (via UseCredential)","description":"","status":"closed","priority":2,"issue_type":"task","created_at":"2025-10-22T16:09:07.715489-07:00","updated_at":"2025-10-25T15:10:38.620417-07:00","closed_at":"2025-10-25T15:10:38.620417-07:00","dependencies":[{"issue_id":"epithet-28","depends_on_id":"epithet-14","type":"parent-child","created_at":"2025-10-22T16:09:07.722075-07:00","created_by":"import"}]}
+{"id":"epithet-29","title":"Implement agent lifecycle and cleanup","description":"","status":"closed","priority":2,"issue_type":"task","created_at":"2025-10-22T16:09:07.715489-07:00","updated_at":"2025-10-25T15:10:38.697488-07:00","closed_at":"2025-10-25T15:10:38.697488-07:00","dependencies":[{"issue_id":"epithet-29","depends_on_id":"epithet-14","type":"parent-child","created_at":"2025-10-22T16:09:07.722345-07:00","created_by":"import"}]}
 {"id":"epithet-30","title":"Implement match pattern evaluation (which hosts epithet should handle)","description":"","status":"open","priority":2,"issue_type":"task","created_at":"2025-10-22T16:09:07.715489-07:00","updated_at":"2025-10-22T16:09:07.715489-07:00","dependencies":[{"issue_id":"epithet-30","depends_on_id":"epithet-15","type":"parent-child","created_at":"2025-10-22T16:09:07.722621-07:00","created_by":"import"}]}
 {"id":"epithet-31","title":"Implement proper error handling throughout broker","description":"","status":"open","priority":2,"issue_type":"task","created_at":"2025-10-22T16:09:07.715489-07:00","updated_at":"2025-10-22T16:09:07.715489-07:00","dependencies":[{"issue_id":"epithet-31","depends_on_id":"epithet-15","type":"parent-child","created_at":"2025-10-22T16:09:07.722886-07:00","created_by":"import"}]}
 {"id":"epithet-32","title":"Add logging and observability","description":"","status":"open","priority":2,"issue_type":"task","created_at":"2025-10-22T16:09:07.715489-07:00","updated_at":"2025-10-22T16:09:07.715489-07:00","dependencies":[{"issue_id":"epithet-32","depends_on_id":"epithet-15","type":"parent-child","created_at":"2025-10-22T16:09:07.723201-07:00","created_by":"import"}]}

cmd/epithet/agent.go

@@ -1,17 +1,79 @@
 package main
 
 import (
+	"context"
+	"fmt"
 	"log/slog"
+	"os"
+	"os/signal"
+	"path/filepath"
+	"syscall"
+
+	"github.com/epithet-ssh/epithet/pkg/broker"
 )
 
 type AgentCLI struct {
-	Match  []string `help:"Match patterns" short:"m" required:"true"`
-	CaURL  string   `help:"CA URL" name:"ca-url" short:"c" required:"true"`
-	Auth   string   `help:"Authentication command" short:"a" required:"true"`
-	Broker string   `help:"Broker socket path" short:"b" require:"true"`
+	Match        []string `help:"Match patterns" short:"m" required:"true"`
+	CaURL        string   `help:"CA URL" name:"ca-url" short:"c" required:"true"`
+	Auth         string   `help:"Authentication command" short:"a" required:"true"`
+	BrokerSock   string   `help:"Broker socket path" name:"broker-sock" short:"b" default:"~/.epithet/broker.sock"`
+	AgentSockDir string   `help:"Agent socket directory" name:"agent-sock-dir" default:"~/.epithet/sockets"`
 }
 
 func (a *AgentCLI) Run(logger *slog.Logger) error {
 	logger.Debug("agent command received", "agent", a)
+
+	// Expand home directory in paths
+	brokerSock, err := expandPath(a.BrokerSock)
+	if err != nil {
+		return fmt.Errorf("failed to expand broker socket path: %w", err)
+	}
+
+	agentSockDir, err := expandPath(a.AgentSockDir)
+	if err != nil {
+		return fmt.Errorf("failed to expand agent socket directory: %w", err)
+	}
+
+	// Create broker
+	b := broker.New(*logger, brokerSock, a.Auth, a.CaURL, agentSockDir, a.Match)
+
+	// Set up context with cancellation on signals
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	sigChan := make(chan os.Signal, 1)
+	signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
+	go func() {
+		<-sigChan
+		logger.Info("received shutdown signal")
+		cancel()
+	}()
+
+	// Start broker
+	logger.Info("starting broker", "socket", brokerSock, "patterns", a.Match)
+	err = b.Serve(ctx)
+	if err != nil && err != context.Canceled {
+		return fmt.Errorf("broker serve error: %w", err)
+	}
+
+	logger.Info("broker shutdown complete")
 	return nil
 }
+
+// expandPath expands ~ to the user's home directory
+func expandPath(path string) (string, error) {
+	if len(path) == 0 || path[0] != '~' {
+		return path, nil
+	}
+
+	home, err := os.UserHomeDir()
+	if err != nil {
+		return "", err
+	}
+
+	if len(path) == 1 {
+		return home, nil
+	}
+
+	return filepath.Join(home, path[1:]), nil
+}

pkg/broker/agent_test.go

@@ -14,7 +14,7 @@ func TestBroker_AgentMapInitialized(t *testing.T) {
 	socketPath := t.TempDir() + "/broker.sock"
 	agentSocketDir := t.TempDir() + "/sockets"
 
-	b := New(*testLogger(t), socketPath, authCommand, "http://localhost:9999", agentSocketDir)
+	b := New(*testLogger(t), socketPath, authCommand, "http://localhost:9999", agentSocketDir, []string{"*"})
 
 	// Verify agents map is initialized
 	require.NotNil(t, b.agents)
@@ -27,7 +27,7 @@ func TestBroker_NoAgentReturnsNotAllowed(t *testing.T) {
 	socketPath := "/tmp/test-broker.sock"
 	agentSocketDir := t.TempDir() + "/sockets"
 
-	b := New(*testLogger(t), socketPath, authCommand, "http://localhost:9999", agentSocketDir)
+	b := New(*testLogger(t), socketPath, authCommand, "http://localhost:9999", agentSocketDir, []string{"*"})
 
 	// Serve in background
 	go func() {

pkg/broker/broker.go

@@ -37,18 +37,20 @@ type Broker struct {
 	certStore        *CertificateStore
 	agents           map[policy.ConnectionHash]agentEntry // connectionHash → agent
 	caClient         *caclient.Client
-	agentSocketDir   string // Directory for agent sockets (e.g., ~/.epithet/sockets)
+	agentSocketDir   string   // Directory for agent sockets (e.g., ~/.epithet/sockets)
+	matchPatterns    []string // Host patterns that epithet should handle (e.g., "*.example.com")
 }
 
 // New creates a new Broker instance. This does not start listening - call Serve() to begin accepting connections.
-func New(log slog.Logger, socketPath string, authCommand string, caURL string, agentSocketDir string) *Broker {
+func New(log slog.Logger, socketPath string, authCommand string, caURL string, agentSocketDir string, matchPatterns []string) *Broker {
 	return &Broker{
 		auth:             NewAuth(authCommand),
 		certStore:        NewCertificateStore(),
 		agents:           make(map[policy.ConnectionHash]agentEntry),
 		brokerSocketPath: socketPath,
 		caClient:         caclient.New(caURL),
 		agentSocketDir:   agentSocketDir,
+		matchPatterns:    matchPatterns,
 		done:             make(chan struct{}),
 		log:              log,
 	}
@@ -99,7 +101,15 @@ func (b *Broker) Match(input MatchRequest, output *MatchResponse) error {
 	b.lock.Lock()
 	defer b.lock.Unlock()
 
-	// Check if agent already exists for this connection hash
+	// Step 1: Check if this host should be handled by epithet at all
+	if !b.shouldHandle(input.Connection.RemoteHost) {
+		b.log.Debug("host does not match any patterns, ignoring", "host", input.Connection.RemoteHost, "patterns", b.matchPatterns)
+		output.Allow = false
+		output.Error = fmt.Sprintf("host %s does not match any configured patterns", input.Connection.RemoteHost)
+		return nil
+	}
+
+	// Step 2: Check if agent already exists for this connection hash
 	if entry, exists := b.agents[input.Connection.Hash]; exists {
 		// Check if agent's certificate is still valid (with buffer)
 		if time.Now().Add(expiryBuffer).Before(entry.expiresAt) {
@@ -113,11 +123,11 @@ func (b *Broker) Match(input MatchRequest, output *MatchResponse) error {
 		delete(b.agents, input.Connection.Hash)
 	}
 
-	// Step 2: Check for existing, valid certificate in cert store
+	// Step 3: Check for existing, valid certificate in cert store
 	cred, found := b.certStore.Lookup(input.Connection)
 	if found {
 		b.log.Debug("found valid certificate in store", "host", input.Connection.RemoteHost)
-		// Step 3: Set up agent with existing certificate
+		// Step 4: Set up agent with existing certificate
 		err := b.ensureAgent(input.Connection.Hash, cred)
 		if err != nil {
 			b.log.Error("failed to create agent", "error", err)
@@ -129,7 +139,7 @@ func (b *Broker) Match(input MatchRequest, output *MatchResponse) error {
 		return nil
 	}
 
-	// Step 4: No valid certificate exists, request one from CA
+	// Step 5: No valid certificate exists, request one from CA
 	b.log.Debug("no valid certificate found, requesting from CA", "host", input.Connection.RemoteHost)
 
 	// Check if we have an auth token, if not authenticate
@@ -181,7 +191,7 @@ func (b *Broker) Match(input MatchRequest, output *MatchResponse) error {
 
 	b.log.Debug("certificate obtained and stored", "host", input.Connection.RemoteHost, "policy", certResp.Policy.HostPattern)
 
-	// Step 3: Create agent with new certificate
+	// Step 4: Create agent with new certificate
 	credential := agent.Credential{
 		PrivateKey:  privateKey,
 		Certificate: certResp.Certificate,
@@ -257,12 +267,39 @@ func (b *Broker) ensureAgent(connectionHash policy.ConnectionHash, credential ag
 	return nil
 }
 
+// shouldHandle checks if the given hostname matches any of the configured match patterns.
+// Returns true if epithet should handle this connection, false otherwise.
+func (b *Broker) shouldHandle(hostname string) bool {
+	for _, pattern := range b.matchPatterns {
+		matched, err := filepath.Match(pattern, hostname)
+		if err != nil {
+			b.log.Warn("invalid match pattern", "pattern", pattern, "error", err)
+			continue
+		}
+		if matched {
+			return true
+		}
+	}
+	return false
+}
+
 // LookupCertificate finds a valid certificate for the given connection.
 // Returns the Credential and true if found and not expired, otherwise returns false.
 func (b *Broker) LookupCertificate(conn policy.Connection) (agent.Credential, bool) {
 	return b.certStore.Lookup(conn)
 }
 
+// AgentSocketPath returns the socket path for a given connection hash.
+// This is used by SSH to connect to the per-connection agent.
+func (b *Broker) AgentSocketPath(hash policy.ConnectionHash) string {
+	return filepath.Join(b.agentSocketDir, string(hash))
+}
+
+// BrokerSocketPath returns the path to the broker's RPC socket.
+func (b *Broker) BrokerSocketPath() string {
+	return b.brokerSocketPath
+}
+
 // StoreCertificate adds or updates a certificate for a given policy pattern.
 func (b *Broker) StoreCertificate(pc PolicyCert) {
 	b.certStore.Store(pc)
@@ -308,7 +345,10 @@ func (b *Broker) Done() <-chan struct{} {
 
 func (b *Broker) Close() {
 	b.closeOnce.Do(func() {
-		_ = b.brokerListener.Close()
+		// Only close listener if it was successfully created
+		if b.brokerListener != nil {
+			_ = b.brokerListener.Close()
+		}
 
 		// Close all agents
 		b.lock.Lock()