---
description: >
  Fully automated net-kingdom credential bootstrap. Generates all service secrets,
  encrypts and commits via SOPS, injects into cluster, and delivers a minimal
  emergency bundle for your personal password manager. No manual steps required.
  Run from the net-kingdom repo root.
argument-hint: "[--dry-run] [--resume]"
allowed-tools:
  - Bash(make creds-*)
  - Bash(bash sso-mfa/bootstrap/creds-bootstrap-agent.sh*)
  - Bash(kubectl get*)
  - Bash(git status*)
  - Bash(git log*)
  - Read
---

Read `sso-mfa/bootstrap/creds-state.yaml` to determine the current bootstrap phase, then proceed as follows:

1. If `bootstrap_complete: true` — report the current state and exit. Nothing to do.

2. If the file does not exist or `secrets_generated: false` — run the full bootstrap from scratch:
   ```
   make creds-agent-init $ARGUMENTS
   ```

3. If some phases are complete (`secrets_generated: true` or later fields are `true`) but `bootstrap_complete: false` — resume from the current phase by running:
   ```
   bash sso-mfa/bootstrap/creds-bootstrap-agent.sh --resume $ARGUMENTS
   ```

4. After the script exits successfully, re-read `creds-state.yaml` and confirm `bootstrap_complete: true`. Report the final state to the user.

5. Log a progress event to the state-hub:
   - workstream: net-kingdom credential bootstrap (NK-WP-0005)
   - event: "creds-init completed — bootstrap_complete: true"

**Emergency bundle gate:** The script will pause and prompt the user to store the emergency bundle before marking bootstrap complete. Do not skip or automate this step — it is a deliberate human gate.

**Dry run:** Pass `--dry-run` to validate all pre-flight checks and print what would be done without writing secrets or applying K8s changes.