diff --git a/.claude/commands/creds-init.md b/.claude/commands/creds-init.md new file mode 100644 index 0000000..9190086 --- /dev/null +++ b/.claude/commands/creds-init.md @@ -0,0 +1,48 @@ +--- +description: > + Fully automated net-kingdom credential bootstrap. Generates all service + secrets, encrypts and commits via SOPS, injects into cluster, and delivers + a minimal emergency bundle for your personal password manager. No manual + steps required. Run from the net-kingdom repo root. +argument-hint: "[--dry-run] [--resume]" +allowed-tools: + - Bash(make creds-*) + - Bash(bash sso-mfa/bootstrap/creds-bootstrap-agent.sh*) + - Bash(kubectl get*) + - Bash(git status*) + - Bash(git log*) + - Read +--- + +Read `sso-mfa/bootstrap/creds-state.yaml` to determine the current bootstrap +phase, then proceed as follows: + +1. If `bootstrap_complete: true` — report the current state and exit. Nothing + to do. + +2. If the file does not exist or `secrets_generated: false` — run the full + bootstrap from scratch: + ``` + make creds-agent-init $ARGUMENTS + ``` + +3. If some phases are complete (`secrets_generated: true` or later fields are + `true`) but `bootstrap_complete: false` — resume from the current phase by + running: + ``` + bash sso-mfa/bootstrap/creds-bootstrap-agent.sh --resume $ARGUMENTS + ``` + +4. After the script exits successfully, re-read `creds-state.yaml` and confirm + `bootstrap_complete: true`. Report the final state to the user. + +5. Log a progress event to the state-hub: + - workstream: net-kingdom credential bootstrap (NK-WP-0005) + - event: "creds-init completed — bootstrap_complete: true" + +**Emergency bundle gate:** The script will pause and prompt the user to store +the emergency bundle before marking bootstrap complete. Do not skip or +automate this step — it is a deliberate human gate. + +**Dry run:** Pass `--dry-run` to validate all pre-flight checks and print what +would be done without writing secrets or applying K8s changes. 
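Review bot: steps 2 and 3 splice `$ARGUMENTS` unvalidated into a shell command (`make creds-agent-init $ARGUMENTS`, `... --resume $ARGUMENTS`) while `argument-hint` only documents `[--dry-run] [--resume]`; the `allowed-tools` prefixes `Bash(make creds-*)` and `Bash(bash sso-mfa/bootstrap/creds-bootstrap-agent.sh*)` constrain the start of the command, not what follows it. Add a step that rejects any argument other than `--dry-run` and `--resume` before either command is run, and drop the duplicate when the user already passed `--resume` and step 3 prepends it. The `--dry-run` path is also inconsistent with steps 4 and 5: a dry run writes no secrets, so `bootstrap_complete: true` will never be confirmed, yet the flow still ends with logging "creds-init completed — bootstrap_complete: true"; state explicitly that on `--dry-run`, or on a non-zero exit from the script, the command reports the current state and skips step 5. Finally, the description says "No manual steps required", which contradicts the "Emergency bundle gate" paragraph that deliberately pauses for the user; reword the description so operators are not surprised by the prompt.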
diff --git a/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md b/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md index 46f8e77..06fb2cb 100644 --- a/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md +++ b/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md @@ -256,7 +256,7 @@ Prove the full auth flow works: Use the KeyCape acceptance test suite: ```bash -cd /home/worsch/key-cape +cd "$(git rev-parse --show-toplevel)/../key-cape" go test ./tests/... -run TestProfileBaseline -v ```
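Review bot: the new `cd "$(git rev-parse --show-toplevel)/../key-cape"` assumes key-cape is checked out as a sibling of the net-kingdom repo, and if that directory is missing the `cd` fails silently and `go test ./tests/... -run TestProfileBaseline -v` runs against whatever package tree is in the current directory instead of KeyCape. Guard the step (`cd "..." || exit 1`, or `set -e` at the top of the block) and state the sibling-checkout assumption in the surrounding text, or read the path from an environment variable so the workplan does not depend on repo layout.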