Add signed custody roster workflow

This commit is contained in:
2026-06-02 01:11:42 +02:00
parent 31e6d6660f
commit 0ab7c14ec9
5 changed files with 406 additions and 12 deletions

View File

@@ -239,6 +239,24 @@ are missing, the emergency drill is not recorded, no independent future quorum
holder is recorded, and the temporary Audit Core risk posture has not yet been
accepted or replaced by a production sink.
**2026-06-02:** Replaced the loose single escrow-holder planning gate with a
signed two-of-three custody roster. The repository now carries a fake-data
example plus console/Make targets to print a roster template, validate the
roster, sign the ignored local roster with SSH namespace
`netkingdom-custody-roster`, and verify the detached signature. Real holder
contact records belong only in `.local/custody-roster.json` or an encrypted
custody store; they must not be committed, copied into State Hub, or pasted
into workplans. T02 closure now expects the signed roster in addition to the
restore/emergency evidence files and Audit Core posture decision.
**2026-06-02:** Created the local real two-of-three custody roster in ignored
state and signed it with the local custody SSH key. `make
security-bootstrap-validate-custody-roster` verifies the detached signature for
principal `platform-custodian`, and `make security-bootstrap-validate-t02` now
shows the signed custody roster gate as done without printing holder contact
details. T02 remains open for emergency seal/unseal drill metadata, the Audit
Core retention/risk decision, and the real restore/emergency evidence files.
### T03 - Close Trial Taint And Retire Bootstrap Admin Paths
```task