generated from coulomb/repo-seed
feat(creds): NK-WP-0005 — agent-driven credential bootstrap
Implements all 7 tasks from NK-WP-0005:
T01: creds-state.yaml → schema_version: 2, agent_mode: true
Replaces keepass_confirmed with emergency_bundle_delivered,
adds phase tracking fields for fully automated flow.
T02: creds-bootstrap-agent.sh — single entrypoint for autonomous
bootstrap. 10 phases, idempotent re-runs via state file.
Only human touchpoint: emergency bundle confirmation gate.
T03: emergency-bundle.sh — assembles and displays emergency bundle
(age key + break-glass passwords + ops bundle location).
Writes temp file, shreds on confirmation, clears screen.
Supports --reprint for re-delivery.
T04: ~/.claude/commands/creds-init.md — /creds-init skill replaces
/creds-bootstrap. Fully autonomous execution via the agent.
T05: Makefile — creds-agent-init, creds-agent-status,
creds-emergency-reprint targets.
T06: creds-rotate.sh — --non-interactive flag for agent-driven
rotation. Auto-confirms all gates; tracks last_rotated_<key>
in creds-state.yaml. LLDAP web UI step prints warning in
non-interactive mode.
T07: canon/standards/credential-management_v0.2.md — updated
standard: KeePassXC removed from operational path, agent
bootstrap as Phase 0, emergency bundle section, prohibited
patterns updated.
Also: creds-status.sh handles both schema v1 (legacy) and v2.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -1,26 +1,32 @@
|
||||
# Credential state — net-kingdom SSO/MFA stack
|
||||
# This file is SAFE TO COMMIT. It contains no secrets.
|
||||
# Updated automatically by make creds-* targets and sso-mfa/bootstrap/creds-verify.sh.
|
||||
#
|
||||
# keepass_confirmed is the only field that requires manual operator intervention.
|
||||
# Set it to true after you have entered all generated secrets into KeePassXC.
|
||||
# Safe to commit. Contains no secrets. Updated by agent.
|
||||
# schema_version: 2 = agent-driven model (NK-WP-0005)
|
||||
# schema_version: 1 = human-as-operator model (NK-WP-0004, now retired)
|
||||
|
||||
generated_at: "2026-03-20T02:57:00+00:00"
|
||||
bundle_at: null
|
||||
keepass_confirmed: false
|
||||
schema_version: 2
|
||||
agent_mode: true # NK-WP-0005: fully automated
|
||||
|
||||
# Phase tracking
|
||||
age_key_present: false # ~/.config/sops/age/keys.txt exists
|
||||
secrets_generated: false # gen-secrets.sh ran successfully
|
||||
ops_bundle_created: false # age-encrypted bundle created
|
||||
ops_bundle_location: null # path or storage hint
|
||||
|
||||
# Emergency bundle
|
||||
emergency_bundle_delivered: false # human confirmed receipt
|
||||
emergency_bundle_delivered_at: null
|
||||
|
||||
# Cluster injection (per-component)
|
||||
secrets_applied:
|
||||
postgres: false
|
||||
lldap: false
|
||||
authelia: false
|
||||
postgres: false
|
||||
lldap: false
|
||||
authelia: false
|
||||
privacyidea: false
|
||||
# keycape requires PI_ADMIN_TOKEN from post-privacyIDEA T04 bootstrap.
|
||||
# Run: sso-mfa/k8s/keycape/create-pi-token.sh, then re-run keycape/create-secrets.sh.
|
||||
keycape: false
|
||||
keycape: false
|
||||
|
||||
# enckey_bootstrapped: set by sso-mfa/k8s/privacyidea/enckey-bootstrap.sh
|
||||
# This step is TIME-SENSITIVE — it must run while the privacyIDEA pod is live.
|
||||
enckey_bootstrapped: false
|
||||
# Post-apply bootstrap (agent-run when pod is Ready)
|
||||
enckey_bootstrapped: false
|
||||
pi_admin_created: false
|
||||
|
||||
# pi_admin_created: set after sso-mfa/k8s/privacyidea/bootstrap-admin.sh completes
|
||||
pi_admin_created: false
|
||||
# Derived: all true → bootstrap complete
|
||||
bootstrap_complete: false
|
||||
|
||||
Reference in New Issue
Block a user