openbao king credential bootstrapping

Makefile

@@ -156,8 +156,46 @@ iam-profile-conformance-test: ## Run IAM Profile v0.2 conformance fixture tests
 playbook-contract-test: ## Run Playbook Capability Contract fixture tests
 	python3 -m pytest tools/playbook-capability-contract/tests
 
+security-bootstrap-console: ## Show guided security bootstrap status and safe actions
+	python3 tools/security-bootstrap-console/security_bootstrap_console.py status
+
+security-bootstrap-king-kit: ## Print the king credential kit checklist
+	python3 tools/security-bootstrap-console/security_bootstrap_console.py king-kit
+
+security-bootstrap-validate-kit: ## Validate non-secret king credential metadata: make security-bootstrap-validate-kit METADATA=/tmp/security-bootstrap.json
+	@[[ -n "$(METADATA)" ]] || (echo "Usage: make security-bootstrap-validate-kit METADATA=/path/to/non-secret.json"; exit 1)
+	python3 tools/security-bootstrap-console/security_bootstrap_console.py \
+	  --metadata "$(METADATA)" \
+	  validate-king-kit
+
+security-bootstrap-approve-custody: ## Approve custody mode metadata: make security-bootstrap-approve-custody METADATA=/tmp/security-bootstrap.json ARGS="--mfa-enrolled-confirmed --mfa-enrollment-source identity-provider --recovery-confirmed --custody-packet-prepared --no-secret-capture-confirmed"
+	@[[ -n "$(METADATA)" ]] || (echo "Usage: make security-bootstrap-approve-custody METADATA=/path/to/non-secret.json ARGS='--mfa-enrolled-confirmed --mfa-enrollment-source identity-provider --recovery-confirmed --custody-packet-prepared --no-secret-capture-confirmed'"; exit 1)
+	python3 tools/security-bootstrap-console/security_bootstrap_console.py \
+	  --metadata "$(METADATA)" \
+	  approve-custody-mode \
+	  --mode "$(if $(MODE),$(MODE),temporary-single-king)" \
+	  $(ARGS)
+
+security-bootstrap-custody-packet: ## Print a blank offline custody packet template
+	python3 tools/security-bootstrap-console/security_bootstrap_console.py custody-packet
+
+security-bootstrap-openbao-preflight: ## Show safe OpenBao preflight commands
+	python3 tools/security-bootstrap-console/security_bootstrap_console.py openbao-preflight \
+	  --railiance-path ../railiance-platform
+
+security-bootstrap-ui: ## Serve local custody approval UI: make security-bootstrap-ui METADATA=/tmp/security-bootstrap.json PORT=8765
+	python3 tools/security-bootstrap-console/security_bootstrap_console.py \
+	  --metadata "$(if $(METADATA),$(METADATA),/tmp/net-kingdom-security-bootstrap.json)" \
+	  web-ui \
+	  --host "$(if $(HOST),$(HOST),127.0.0.1)" \
+	  --port "$(if $(PORT),$(PORT),8765)"
+
 .PHONY: help hooks hooks-test sops-setup sops-edit sops-encrypt sops-decrypt sops-rotate \
         check-secrets creds-init creds-generate creds-bundle creds-apply creds-verify \
         creds-status creds-rotate \
         creds-agent-init creds-agent-status creds-emergency-reprint \
-        iam-profile-conformance-test playbook-contract-test
+        iam-profile-conformance-test playbook-contract-test \
+        security-bootstrap-console security-bootstrap-king-kit \
+        security-bootstrap-validate-kit security-bootstrap-approve-custody \
+        security-bootstrap-custody-packet security-bootstrap-openbao-preflight \
+        security-bootstrap-ui