# Security Bootstrap Console

Local console and localhost web UI for the NetKingdom guided security bootstrap experience. The console prints the trust stage, gates, checklists, and non-secret templates, and can write an explicit custody-mode approval record. It does not collect secret values and refuses live OpenBao initialization.

Print the current bootstrap status:

```bash
python3 tools/security-bootstrap-console/security_bootstrap_console.py status
```

Print the king credential kit checklist:

```bash
python3 tools/security-bootstrap-console/security_bootstrap_console.py king-kit
```

Validate non-secret kit metadata:

```bash
python3 tools/security-bootstrap-console/security_bootstrap_console.py \
  --metadata /tmp/security-bootstrap.json \
  validate-king-kit
```

Approve custody mode from the CLI:

```bash
python3 tools/security-bootstrap-console/security_bootstrap_console.py \
  --metadata /tmp/security-bootstrap.json \
  approve-custody-mode \
  --mode temporary-single-king \
  --mfa-enrolled-confirmed \
  --mfa-enrollment-source identity-provider \
  --recovery-confirmed \
  --custody-packet-prepared \
  --no-secret-capture-confirmed
```

The command asks for the phrase `approve custody mode` unless `--yes` is passed. The mode `two-of-three-planned` can be recorded in metadata but cannot approve live OpenBao init.

For TOTP, use the QR code or setup key from the identity provider or other authority that will verify the login. This tool records only the non-secret enrollment confirmation and its source.

Serve the local approval UI:

```bash
python3 tools/security-bootstrap-console/security_bootstrap_console.py \
  --metadata /tmp/security-bootstrap.json \
  web-ui
```

Open `http://127.0.0.1:8765`.
Print a blank offline custody packet template:

```bash
python3 tools/security-bootstrap-console/security_bootstrap_console.py custody-packet
```

Show safe OpenBao preflight commands:

```bash
python3 tools/security-bootstrap-console/security_bootstrap_console.py openbao-preflight \
  --railiance-path ../railiance-platform
```

Run safe OpenBao preflight targets:

```bash
python3 tools/security-bootstrap-console/security_bootstrap_console.py openbao-preflight \
  --railiance-path ../railiance-platform \
  --run
```

This still does not run `bao operator init`.

Optional non-secret metadata can be supplied:

```bash
python3 tools/security-bootstrap-console/security_bootstrap_console.py metadata-template \
  > /tmp/security-bootstrap.json
python3 tools/security-bootstrap-console/security_bootstrap_console.py \
  --metadata /tmp/security-bootstrap.json \
  status
```

Do not put passwords, OTP seeds, OpenBao root tokens, unseal shares, recovery codes, private keys, or screenshots of secret output into the metadata file.
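The gates described above (every confirmation flag present, `two-of-three-planned` recordable but never able to approve live OpenBao init, and a metadata file that must carry no secret material), as an added example that is not the console's own code; the field names and the secret-key pattern are assumptions, not the project's schema:

```python
import re

# Assumed field names for this example; the project's real schema may differ.
REQUIRED_CONFIRMATIONS = (
    "mfa_enrolled_confirmed",
    "recovery_confirmed",
    "custody_packet_prepared",
    "no_secret_capture_confirmed",
)
LIVE_INIT_MODES = {"temporary-single-king"}  # may approve live OpenBao init
RECORDABLE_MODES = LIVE_INIT_MODES | {"two-of-three-planned"}  # recordable only
# Key names that suggest material the metadata file must never carry.
SECRET_KEY = re.compile(r"password|secret|otp|seed|token|unseal|recovery_code|private_key", re.I)

def find_secret_like_keys(obj, path=""):
    """Dotted paths of keys that look like secrets; '*_confirmed' flags are booleans, not secrets."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if SECRET_KEY.search(key) and not key.endswith("_confirmed"):
                found.append(here)
            found.extend(find_secret_like_keys(value, here))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            found.extend(find_secret_like_keys(value, f"{path}[{i}]"))
    return found

def build_approval(metadata, mode, confirmations, enrollment_source):
    """Build the custody-mode approval record, or raise ValueError when a gate fails."""
    if mode not in RECORDABLE_MODES:
        raise ValueError(f"unknown custody mode: {mode}")
    missing = [n for n in REQUIRED_CONFIRMATIONS if not confirmations.get(n)]
    if missing:
        raise ValueError("missing confirmations: " + ", ".join(missing))
    leaked = find_secret_like_keys(metadata)
    if leaked:
        raise ValueError("secret-like keys in metadata: " + ", ".join(leaked))
    return {
        "mode": mode,
        "mfa_enrollment_source": enrollment_source,  # non-secret: who verifies the login
        "confirmations": {n: True for n in REQUIRED_CONFIRMATIONS},
        "may_approve_live_openbao_init": mode in LIVE_INIT_MODES,
    }

# Constructed sample inputs, not files from the project.
CLEAN_METADATA = {"king": {"display_name": "king-01", "mfa_enrollment_source": "identity-provider"}}
BAD_METADATA = {"king": {"display_name": "king-01", "totp_seed": "PLACEHOLDER-NOT-A-REAL-SEED"}}
ALL_CONFIRMED = {n: True for n in REQUIRED_CONFIRMATIONS}
```

Wiring this into a CLI would mean refusing to write the record whenever `build_approval` raises, so a metadata file with a stray seed or token never reaches disk alongside an approval.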