generated from coulomb/repo-seed
NET-WP-0020 finished: attended-ceremony + auto-unseal-transit profiles, greenfield init/unseal proof
T2: greenfield live proof against a fresh uninitialized OpenBao 2.5.5 — caught and fixed 'bao operator unseal -' not reading stdin (now 'bao write sys/unseal key=-'); init and reseal-replay paths proven. T3: attended-ceremony selectable — runbook, non-secret ceremony-record template + validator, and a lab/production deployment profile that blocks sops-held-automation in console selection, gates, and the init script. T4: console gate + evidence flags for auto-unseal-transit (Helm seal stanza prepared in railiance-platform). Also: SCOPE.md refreshed to current repo state; adhoc fix for the broken check-secrets Make target (unescaped $). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
21
Makefile
21
Makefile
@@ -106,7 +106,7 @@ check-secrets: ## Fail if any file under secrets/ is not SOPS-encrypted
|
||||
fi; \
|
||||
case "$$f" in *.age|*.gpg) continue ;; esac; \
|
||||
echo " UNENCRYPTED: $$f"; bad=1; \
|
||||
done < <(git ls-files --others --cached 'secrets' 2>/dev/null | grep -v '/$'); \
|
||||
done < <(git ls-files --others --cached 'secrets' 2>/dev/null | grep -v '/$$'); \
|
||||
if [[ "$$bad" -ne 0 ]]; then \
|
||||
echo ""; \
|
||||
echo "ERROR: Unencrypted secret(s) detected. Encrypt with: sops --encrypt --in-place <file>"; \
|
||||
@@ -311,6 +311,20 @@ security-bootstrap-select-openbao-unseal-custody-model: security-bootstrap-metad
|
||||
select-openbao-unseal-custody-model \
|
||||
--model "$(if $(MODEL),$(MODEL),sops-held-automation)"
|
||||
|
||||
security-bootstrap-select-deployment-profile: security-bootstrap-metadata-init ## Select deployment profile (production blocks sops-held-automation): make ... PROFILE=production
|
||||
@[[ -n "$(PROFILE)" ]] || (echo "Usage: make security-bootstrap-select-deployment-profile PROFILE=lab|production"; exit 1)
|
||||
python3 tools/security-bootstrap-console/security_bootstrap_console.py \
|
||||
--metadata "$(SECURITY_BOOTSTRAP_METADATA)" \
|
||||
select-deployment-profile --profile "$(PROFILE)"
|
||||
|
||||
security-bootstrap-openbao-ceremony-record-template: ## Print non-secret attended OpenBao ceremony record template
|
||||
python3 tools/security-bootstrap-console/security_bootstrap_console.py openbao-ceremony-record-template
|
||||
|
||||
security-bootstrap-validate-openbao-ceremony-record: ## Validate non-secret attended ceremony record: make ... [EVIDENCE=.local/openbao-ceremony-record.json]
|
||||
python3 tools/security-bootstrap-console/security_bootstrap_console.py \
|
||||
validate-openbao-ceremony-record \
|
||||
--evidence "$(if $(EVIDENCE),$(EVIDENCE),.local/openbao-ceremony-record.json)"
|
||||
|
||||
security-bootstrap-metadata-init: ## Create durable local non-secret bootstrap metadata if missing
|
||||
@mkdir -p "$$(dirname "$(SECURITY_BOOTSTRAP_METADATA)")"
|
||||
@if [[ -f "$(SECURITY_BOOTSTRAP_METADATA)" ]]; then \
|
||||
@@ -355,6 +369,11 @@ security-bootstrap-ui: security-bootstrap-metadata-init ## Serve local custody a
|
||||
security-bootstrap-sign-custody-roster \
|
||||
security-bootstrap-approve-custody \
|
||||
security-bootstrap-custody-packet security-bootstrap-openbao-preflight \
|
||||
security-bootstrap-openbao-unseal-custody-models \
|
||||
security-bootstrap-select-openbao-unseal-custody-model \
|
||||
security-bootstrap-select-deployment-profile \
|
||||
security-bootstrap-openbao-ceremony-record-template \
|
||||
security-bootstrap-validate-openbao-ceremony-record \
|
||||
security-bootstrap-metadata-init security-bootstrap-ui \
|
||||
security-bootstrap-console-test security-bootstrap-scripts-syntax \
|
||||
security-bootstrap-validate-keycape-client
|
||||
|
||||
Reference in New Issue
Block a user