net-kingdom

coulomb/net-kingdom

Fork 0

generated from coulomb/repo-seed

Commit Graph

Author	SHA1	Message	Date
Bernd Worsch	95656f2324	feat(creds): NK-WP-0005 — agent-driven credential bootstrap Implements all 7 tasks from NK-WP-0005: T01: creds-state.yaml → schema_version: 2, agent_mode: true Replaces keepass_confirmed with emergency_bundle_delivered, adds phase tracking fields for fully automated flow. T02: creds-bootstrap-agent.sh — single entrypoint for autonomous bootstrap. 10 phases, idempotent re-runs via state file. Only human touchpoint: emergency bundle confirmation gate. T03: emergency-bundle.sh — assembles and displays emergency bundle (age key + break-glass passwords + ops bundle location). Writes temp file, shreds on confirmation, clears screen. Supports --reprint for re-delivery. T04: ~/.claude/commands/creds-init.md — /creds-init skill replaces /creds-bootstrap. Fully autonomous execution via the agent. T05: Makefile — creds-agent-init, creds-agent-status, creds-emergency-reprint targets. T06: creds-rotate.sh — --non-interactive flag for agent-driven rotation. Auto-confirms all gates; tracks last_rotated_<key> in creds-state.yaml. LLDAP web UI step prints warning in non-interactive mode. T07: canon/standards/credential-management_v0.2.md — updated standard: KeePassXC removed from operational path, agent bootstrap as Phase 0, emergency bundle section, prohibited patterns updated. Also: creds-status.sh handles both schema v1 (legacy) and v2. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-21 08:38:52 +00:00
Bernd Worsch	c10d7d2f8a	feat(creds): implement NK-WP-0004 Credential Management Foundation - .sops.yaml + keys/age.pub: SOPS age encryption for all secrets/ paths - .gitignore: broad secrets/ catch-all (any depth) - .githooks/pre-commit: blocks unencrypted secrets/, *.env outside bootstrap/, and known plaintext patterns (PI_SECRET_KEY=, LLDAP_JWT_SECRET=, etc.) - Makefile: full credential lifecycle (creds-init/generate/bundle/apply/verify/ status/rotate) + SOPS helpers (sops-setup/edit/encrypt/decrypt/rotate/check-secrets) + hooks/hooks-test - creds-apply.sh: runs create-secrets.sh in dependency order (postgresql → lldap → authelia → privacyidea), skips keycape with printed instructions, updates state - creds-verify.sh: checks all K8s secrets exist, updates creds-state.yaml - creds-status.sh: human-readable state table from creds-state.yaml - creds-rotate.sh: guided rotation for all 9 secret types with impact descriptions and atomic multi-component update sequences - creds-state.yaml: committable state file tracking generation, bundle, KeePassXC confirmation, per-component apply status, enckey and pi-admin bootstrap flags NK-WP-0003-T01 unblocked. /creds-bootstrap skill registered separately. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-20 23:39:35 +00:00

Author

SHA1

Message

Date

Bernd Worsch

95656f2324

feat(creds): NK-WP-0005 — agent-driven credential bootstrap

Implements all 7 tasks from NK-WP-0005:

T01: creds-state.yaml → schema_version: 2, agent_mode: true
     Replaces keepass_confirmed with emergency_bundle_delivered,
     adds phase tracking fields for fully automated flow.

T02: creds-bootstrap-agent.sh — single entrypoint for autonomous
     bootstrap. 10 phases, idempotent re-runs via state file.
     Only human touchpoint: emergency bundle confirmation gate.

T03: emergency-bundle.sh — assembles and displays emergency bundle
     (age key + break-glass passwords + ops bundle location).
     Writes temp file, shreds on confirmation, clears screen.
     Supports --reprint for re-delivery.

T04: ~/.claude/commands/creds-init.md — /creds-init skill replaces
     /creds-bootstrap. Fully autonomous execution via the agent.

T05: Makefile — creds-agent-init, creds-agent-status,
     creds-emergency-reprint targets.

T06: creds-rotate.sh — --non-interactive flag for agent-driven
     rotation. Auto-confirms all gates; tracks last_rotated_<key>
     in creds-state.yaml. LLDAP web UI step prints warning in
     non-interactive mode.

T07: canon/standards/credential-management_v0.2.md — updated
     standard: KeePassXC removed from operational path, agent
     bootstrap as Phase 0, emergency bundle section, prohibited
     patterns updated.

Also: creds-status.sh handles both schema v1 (legacy) and v2.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-21 08:38:52 +00:00

Bernd Worsch

c10d7d2f8a

feat(creds): implement NK-WP-0004 Credential Management Foundation

- .sops.yaml + keys/age.pub: SOPS age encryption for all secrets/ paths
- .gitignore: broad secrets/ catch-all (any depth)
- .githooks/pre-commit: blocks unencrypted secrets/, *.env outside bootstrap/,
  and known plaintext patterns (PI_SECRET_KEY=, LLDAP_JWT_SECRET=, etc.)
- Makefile: full credential lifecycle (creds-init/generate/bundle/apply/verify/
  status/rotate) + SOPS helpers (sops-setup/edit/encrypt/decrypt/rotate/check-secrets)
  + hooks/hooks-test
- creds-apply.sh: runs create-secrets.sh in dependency order (postgresql → lldap →
  authelia → privacyidea), skips keycape with printed instructions, updates state
- creds-verify.sh: checks all K8s secrets exist, updates creds-state.yaml
- creds-status.sh: human-readable state table from creds-state.yaml
- creds-rotate.sh: guided rotation for all 9 secret types with impact descriptions
  and atomic multi-component update sequences
- creds-state.yaml: committable state file tracking generation, bundle, KeePassXC
  confirmation, per-component apply status, enckey and pi-admin bootstrap flags

NK-WP-0003-T01 unblocked. /creds-bootstrap skill registered separately.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-20 23:39:35 +00:00

2 Commits