From bcae4bc6dde910820ff27e726c51581d7c74e400 Mon Sep 17 00:00:00 2001 From: tegwick Date: Sat, 21 Mar 2026 10:01:14 +0100 Subject: [PATCH] fix(workplans): portable key-cape path in NK-WP-0003-T08; add /creds-init skill MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - NK-WP-0003 T08: replace hardcoded /home/worsch/key-cape with $(git rev-parse --show-toplevel)/../key-cape so acceptance tests run correctly on any machine - NK-WP-0005 T04: create .claude/commands/creds-init.md — the autonomous credential bootstrap skill (reads creds-state.yaml, resumes from current phase, honours emergency bundle gate) Co-Authored-By: Claude Sonnet 4.6 --- .claude/commands/creds-init.md | 48 +++++++++++++++++++ ...-keycape-privacyidea-cluster-deployment.md | 2 +- 2 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 .claude/commands/creds-init.md diff --git a/.claude/commands/creds-init.md b/.claude/commands/creds-init.md new file mode 100644 index 0000000..9190086 --- /dev/null +++ b/.claude/commands/creds-init.md 
@@ -0,0 +1,48 @@ +--- +description: > + Fully automated net-kingdom credential bootstrap. Generates all service + secrets, encrypts and commits via SOPS, injects into cluster, and delivers + a minimal emergency bundle for your personal password manager. No manual + steps required. Run from the net-kingdom repo root. +argument-hint: "[--dry-run] [--resume]" +allowed-tools: + - Bash(make creds-*) + - Bash(bash sso-mfa/bootstrap/creds-bootstrap-agent.sh*) + - Bash(kubectl get*) + - Bash(git status*) + - Bash(git log*) + - Read +--- + +Read `sso-mfa/bootstrap/creds-state.yaml` to determine the current bootstrap +phase, then proceed as follows: + +1. If `bootstrap_complete: true` — report the current state and exit. Nothing + to do. + +2. If the file does not exist or `secrets_generated: false` — run the full + bootstrap from scratch: + ``` + make creds-agent-init $ARGUMENTS + ``` + +3. If some phases are complete (`secrets_generated: true` or later fields are + `true`) but `bootstrap_complete: false` — resume from the current phase by + running: + ``` + bash sso-mfa/bootstrap/creds-bootstrap-agent.sh --resume $ARGUMENTS + ``` + +4. After the script exits successfully, re-read `creds-state.yaml` and confirm + `bootstrap_complete: true`. Report the final state to the user. + +5. Log a progress event to the state-hub: + - workstream: net-kingdom credential bootstrap (NK-WP-0005) + - event: "creds-init completed — bootstrap_complete: true" + +**Emergency bundle gate:** The script will pause and prompt the user to store +the emergency bundle before marking bootstrap complete. Do not skip or +automate this step — it is a deliberate human gate. + +**Dry run:** Pass `--dry-run` to validate all pre-flight checks and print what +would be done without writing secrets or applying K8s changes. diff --git a/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md b/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md index 46f8e77..06fb2cb 100644 
--- a/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md +++ b/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md @@ -256,7 +256,7 @@ Prove the full auth flow works: Use the KeyCape acceptance test suite: ```bash -cd /home/worsch/key-cape +cd "$(git rev-parse --show-toplevel)/../key-cape" go test ./tests/... -run TestProfileBaseline -v ```
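Review bot: In the new `.claude/commands/creds-init.md` the front-matter description promises "No manual steps required", but the "Emergency bundle gate" paragraph at the bottom says the script deliberately pauses and prompts the user and must not be automated; one of the two statements should be corrected so the operator knows a human step is expected. Two smaller points in the same file: step 3 runs `creds-bootstrap-agent.sh --resume $ARGUMENTS` while the argument-hint also offers `--resume`, so a user who passes it gets the flag twice (either drop it from the hint or strip it before appending), and step 5 ("Log a progress event to the state-hub") names no tool, yet `allowed-tools` only permits `Read` and the listed `Bash(...)` patterns, so it is unclear how that step is meant to execute. On least privilege, `Bash(kubectl get*)` also matches reads of Secret objects, which is broader than the status checks this skill needs; narrowing the pattern to the resource kinds the bootstrap actually inspects would keep the skill's cluster access aligned with its purpose.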
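Review bot: The replacement line `cd "$(git rev-parse --show-toplevel)/../key-cape"` still has an unchecked `cd`: if the workplan is followed outside the net-kingdom checkout, `git rev-parse` fails, the substitution is empty, and the following `go test ./tests/... -run TestProfileBaseline -v` runs in whatever directory the shell happens to be in rather than aborting. Append `|| exit 1` (or put `set -e` at the top of the snippet), and state in the surrounding workplan text the assumption the new path encodes, namely that the `key-cape` repository is checked out as a sibling directory of the net-kingdom repo root, since that is what "runs correctly on any machine" now depends on.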