openbao king credential bootstrapping

tools/security-bootstrap-console/README.md

@@ -0,0 +1,97 @@
+# Security Bootstrap Console
+
+Local console and localhost web UI for the NetKingdom guided security bootstrap
+experience.
+
+The console prints trust stage, gates, checklists, non-secret templates, and can
+write an explicit custody-mode approval record. It does not collect secret
+values and refuses live OpenBao initialization.
+
+Run:
+
+```bash
+python3 tools/security-bootstrap-console/security_bootstrap_console.py status
+```
+
+Print the king credential kit checklist:
+
+```bash
+python3 tools/security-bootstrap-console/security_bootstrap_console.py king-kit
+```
+
+Validate non-secret kit metadata:
+
+```bash
+python3 tools/security-bootstrap-console/security_bootstrap_console.py \
+  --metadata /tmp/security-bootstrap.json \
+  validate-king-kit
+```
+
+Approve custody mode from the CLI:
+
+```bash
+python3 tools/security-bootstrap-console/security_bootstrap_console.py \
+  --metadata /tmp/security-bootstrap.json \
+  approve-custody-mode \
+  --mode temporary-single-king \
+  --mfa-enrolled-confirmed \
+  --mfa-enrollment-source identity-provider \
+  --recovery-confirmed \
+  --custody-packet-prepared \
+  --no-secret-capture-confirmed
+```
+
+The command asks for the phrase `approve custody mode` unless `--yes` is passed.
+`two-of-three-planned` can be recorded in metadata but cannot approve live
+OpenBao init.
+
+For TOTP, use the QR code or setup key from the identity provider or other
+authority that will verify the login. This tool records only the non-secret
+enrollment confirmation and source.
+
+Serve the local approval UI:
+
+```bash
+python3 tools/security-bootstrap-console/security_bootstrap_console.py \
+  --metadata /tmp/security-bootstrap.json \
+  web-ui
+```
+
+Open `http://127.0.0.1:8765`.
+
+Print a blank offline custody packet template:
+
+```bash
+python3 tools/security-bootstrap-console/security_bootstrap_console.py custody-packet
+```
+
+Show safe OpenBao preflight commands:
+
+```bash
+python3 tools/security-bootstrap-console/security_bootstrap_console.py openbao-preflight \
+  --railiance-path ../railiance-platform
+```
+
+Run safe OpenBao preflight targets:
+
+```bash
+python3 tools/security-bootstrap-console/security_bootstrap_console.py openbao-preflight \
+  --railiance-path ../railiance-platform \
+  --run
+```
+
+This still does not run `bao operator init`.
+
+Optional non-secret metadata can be supplied:
+
+```bash
+python3 tools/security-bootstrap-console/security_bootstrap_console.py metadata-template \
+  > /tmp/security-bootstrap.json
+
+python3 tools/security-bootstrap-console/security_bootstrap_console.py \
+  --metadata /tmp/security-bootstrap.json \
+  status
+```
+
+Do not put passwords, OTP seeds, OpenBao root tokens, unseal shares, recovery
+codes, private keys, or screenshots of secret output into the metadata file.