feat: OpenBao unseal custody models — automation-first with blocked alternatives

Document three init/unseal custody paths; default sops-held-automation for
fast rebuild cycles. Security bootstrap console lists models, blocks planned
attended-ceremony and auto-unseal-transit with hints, and gates init ceremony
on implemented selection. NET-WP-0020 tracks downstream SSH automation.
2026-06-18 00:51:48 +02:00
parent da9debf431
commit f625dd0681
6 changed files with 460 additions and 12 deletions


@@ -296,6 +296,15 @@ security-bootstrap-openbao-preflight: ## Show safe OpenBao preflight commands
python3 tools/security-bootstrap-console/security_bootstrap_console.py openbao-preflight \
--railiance-path ../railiance-platform
security-bootstrap-openbao-unseal-custody-models: ## List OpenBao unseal custody models and implementation status
python3 tools/security-bootstrap-console/security_bootstrap_console.py openbao-unseal-custody-models
security-bootstrap-select-openbao-unseal-custody-model: security-bootstrap-metadata-init ## Select implemented unseal model (blocks planned): make ... MODEL=sops-held-automation
python3 tools/security-bootstrap-console/security_bootstrap_console.py \
--metadata "$(SECURITY_BOOTSTRAP_METADATA)" \
select-openbao-unseal-custody-model \
--model "$(if $(MODEL),$(MODEL),sops-held-automation)"
security-bootstrap-metadata-init: ## Create durable local non-secret bootstrap metadata if missing
@mkdir -p "$$(dirname "$(SECURITY_BOOTSTRAP_METADATA)")"
@if [[ -f "$(SECURITY_BOOTSTRAP_METADATA)" ]]; then \