generated from coulomb/repo-seed
fix(workplans): portable key-cape path in NK-WP-0003-T08; add /creds-init skill
- NK-WP-0003 T08: replace hardcoded /home/worsch/key-cape with $(git rev-parse --show-toplevel)/../key-cape so acceptance tests run correctly on any machine
- NK-WP-0005 T04: create .claude/commands/creds-init.md — the autonomous credential bootstrap skill (reads creds-state.yaml, resumes from current phase, honours emergency bundle gate)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
48
.claude/commands/creds-init.md
Normal file
@@ -0,0 +1,48 @@
|
|||||||
|
---
|
||||||
|
description: >
|
||||||
|
Fully automated net-kingdom credential bootstrap. Generates all service
|
||||||
|
secrets, encrypts and commits via SOPS, injects into cluster, and delivers
|
||||||
|
a minimal emergency bundle for your personal password manager. No manual
|
||||||
|
steps required. Run from the net-kingdom repo root.
|
||||||
|
argument-hint: "[--dry-run] [--resume]"
|
||||||
|
allowed-tools:
|
||||||
|
- Bash(make creds-*)
|
||||||
|
- Bash(bash sso-mfa/bootstrap/creds-bootstrap-agent.sh*)
|
||||||
|
- Bash(kubectl get*)
|
||||||
|
- Bash(git status*)
|
||||||
|
- Bash(git log*)
|
||||||
|
- Read
|
||||||
|
---
|
||||||
|
|
||||||
|
Read `sso-mfa/bootstrap/creds-state.yaml` to determine the current bootstrap
|
||||||
|
phase, then proceed as follows:
|
||||||
|
|
||||||
|
1. If `bootstrap_complete: true` — report the current state and exit. Nothing
|
||||||
|
to do.
|
||||||
|
|
||||||
|
2. If the file does not exist or `secrets_generated: false` — run the full
|
||||||
|
bootstrap from scratch:
|
||||||
|
```
|
||||||
|
make creds-agent-init $ARGUMENTS
|
||||||
|
```
|
||||||
|
|
||||||
|
3. If some phases are complete (`secrets_generated: true` or later fields are
|
||||||
|
`true`) but `bootstrap_complete: false` — resume from the current phase by
|
||||||
|
running:
|
||||||
|
```
|
||||||
|
bash sso-mfa/bootstrap/creds-bootstrap-agent.sh --resume $ARGUMENTS
|
||||||
|
```
|
||||||
|
|
||||||
|
4. After the script exits successfully, re-read `creds-state.yaml` and confirm
|
||||||
|
`bootstrap_complete: true`. Report the final state to the user.
|
||||||
|
|
||||||
|
5. Log a progress event to the state-hub:
|
||||||
|
- workstream: net-kingdom credential bootstrap (NK-WP-0005)
|
||||||
|
- event: "creds-init completed — bootstrap_complete: true"
|
||||||
|
|
||||||
|
**Emergency bundle gate:** The script will pause and prompt the user to store
|
||||||
|
the emergency bundle before marking bootstrap complete. Do not skip or
|
||||||
|
automate this step — it is a deliberate human gate.
|
||||||
|
|
||||||
|
**Dry run:** Pass `--dry-run` to validate all pre-flight checks and print what
|
||||||
|
would be done without writing secrets or applying K8s changes.
|
||||||
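Review bot: In step 2, `make creds-agent-init $ARGUMENTS` hands the flags to make instead of to the bootstrap script. With GNU make, `--dry-run` is make's own option (equivalent to `-n`), so the recipe is only printed and none of the pre-flight checks promised in the "Dry run" paragraph actually run, and `--resume` is not a make option at all. Pass the flags through a make variable that the target forwards to the script (for example `make creds-agent-init ARGS="$ARGUMENTS"`, variable name illustrative), or call the script directly as step 3 does. Step 3 hardcodes `--resume` ahead of `$ARGUMENTS`, so an invocation that follows the argument-hint and supplies `--resume` passes it twice. The front matter also says "No manual steps required" while the emergency bundle gate is described as a deliberate human pause; reword the description so it does not contradict the gate.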
@@ -256,7 +256,7 @@ Prove the full auth flow works:
|
|||||||
|
|
||||||
Use the KeyCape acceptance test suite:
|
Use the KeyCape acceptance test suite:
|
||||||
```bash
|
```bash
|
||||||
cd /home/worsch/key-cape
|
cd "$(git rev-parse --show-toplevel)/../key-cape"
|
||||||
go test ./tests/... -run TestProfileBaseline -v
|
go test ./tests/... -run TestProfileBaseline -v
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|||||||
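Review bot: The new `cd "$(git rev-parse --show-toplevel)/../key-cape"` line silently assumes key-cape is checked out as a sibling of this repository, and the workplan text around it does not say so. If the directory is missing the `cd` fails and the following `go test ./tests/... -run TestProfileBaseline -v` still runs in whatever directory the reader is in, and if the block is run outside a git work tree the substitution is empty and the path resolves to `/key-cape`. State the sibling-checkout requirement next to the block, and chain the two commands with `&&` so the test run is skipped when the directory change fails.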