net-kingdom/tools/security-bootstrap-console

Security Bootstrap Console

Local console and localhost web UI for the NetKingdom guided security bootstrap experience.

The console prints the trust stage, gates, checklists, and non-secret templates, and can write an explicit custody-mode approval record. It does not collect secret values and refuses to perform live OpenBao initialization.

Run:

python3 tools/security-bootstrap-console/security_bootstrap_console.py status

Print the king credential kit checklist:

python3 tools/security-bootstrap-console/security_bootstrap_console.py king-kit

Validate non-secret kit metadata:

python3 tools/security-bootstrap-console/security_bootstrap_console.py \
  --metadata /tmp/security-bootstrap.json \
  validate-king-kit

Approve custody mode from the CLI:

python3 tools/security-bootstrap-console/security_bootstrap_console.py \
  --metadata /tmp/security-bootstrap.json \
  approve-custody-mode \
  --mode temporary-single-king \
  --mfa-enrolled-confirmed \
  --mfa-enrollment-source identity-provider \
  --recovery-confirmed \
  --custody-packet-prepared \
  --no-secret-capture-confirmed

The command prompts for the confirmation phrase "approve custody mode" unless --yes is passed. The two-of-three-planned mode can be recorded in metadata but cannot approve live OpenBao init.

For TOTP, use the QR code or setup key from the identity provider or other authority that will verify the login. This tool records only the non-secret enrollment confirmation and source.
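The gating rules above (every confirmation flag present, the typed phrase or --yes, two-of-three-planned record-only, and no secret material in the metadata file) modelled as a standalone check. This is an added illustration, not the console's own code; the metadata field names and the secret-key markers are assumptions.

```python
# Illustrative model of the custody-mode approval gate the README describes.
# Not the console's own code: field names and the secret-key markers are assumptions.
RECORDABLE_MODES = {"temporary-single-king", "two-of-three-planned"}
LIVE_INIT_MODES = {"temporary-single-king"}  # two-of-three-planned is record-only
CONFIRMATION_PHRASE = "approve custody mode"
REQUIRED_CONFIRMATIONS = ("mfa_enrolled_confirmed", "recovery_confirmed",
                          "custody_packet_prepared", "no_secret_capture_confirmed")
# Assumed key fragments that suggest secret material leaked into metadata.
SECRET_KEY_MARKERS = ("password", "totp", "otp_seed", "root_token", "unseal",
                      "recovery_code", "private_key")


def find_secret_keys(metadata: dict, prefix: str = "") -> list:
    """Recursively list metadata keys whose names suggest secret material."""
    hits = []
    for key, value in metadata.items():
        path = prefix + key
        if any(marker in key.lower() for marker in SECRET_KEY_MARKERS):
            hits.append(path)
        if isinstance(value, dict):
            hits.extend(find_secret_keys(value, path + "."))
    return hits


def evaluate_approval(mode: str, confirmations: dict, mfa_source: str, metadata: dict,
                      phrase: str = "", assume_yes: bool = False) -> tuple:
    """Return (approved_for_live_init, reasons). Any failed gate blocks approval."""
    reasons = []
    if mode not in RECORDABLE_MODES:
        reasons.append("unknown custody mode: " + mode)
    elif mode not in LIVE_INIT_MODES:
        reasons.append(mode + " can be recorded but cannot approve live OpenBao init")
    reasons += ["missing confirmation: " + c
                for c in REQUIRED_CONFIRMATIONS if not confirmations.get(c)]
    if not mfa_source:
        reasons.append("mfa-enrollment-source is required")
    if not assume_yes and phrase != CONFIRMATION_PHRASE:
        reasons.append("confirmation phrase not entered")  # no --yes and no phrase
    leaked = find_secret_keys(metadata)
    if leaked:
        reasons.append("secret-looking metadata keys: " + ", ".join(leaked))
    return (not reasons, reasons)


# Constructed sample inputs: clean metadata, and metadata that leaks an unseal share.
ALL_CONFIRMED = {c: True for c in REQUIRED_CONFIRMATIONS}
CLEAN_METADATA = {"kit": {"king": "alice", "mfa_enrollment_source": "identity-provider"}}
LEAKY_METADATA = {"kit": {"king": "alice", "unseal_share_1": "PLACEHOLDER-NOT-A-REAL-SHARE"}}
```

The key-name scan is a last-line check for accidents, not a secret detector; the operator rule in this README (never put secrets in the metadata file) still applies.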

Serve the local approval UI:

python3 tools/security-bootstrap-console/security_bootstrap_console.py \
  --metadata /tmp/security-bootstrap.json \
  web-ui

Open http://127.0.0.1:8765.

Print a blank offline custody packet template:

python3 tools/security-bootstrap-console/security_bootstrap_console.py custody-packet

Show safe OpenBao preflight commands:

python3 tools/security-bootstrap-console/security_bootstrap_console.py openbao-preflight \
  --railiance-path ../railiance-platform

Run safe OpenBao preflight targets:

python3 tools/security-bootstrap-console/security_bootstrap_console.py openbao-preflight \
  --railiance-path ../railiance-platform \
  --run

This still does not run bao operator init.

Optional non-secret metadata can be supplied:

python3 tools/security-bootstrap-console/security_bootstrap_console.py metadata-template \
  > /tmp/security-bootstrap.json

python3 tools/security-bootstrap-console/security_bootstrap_console.py \
  --metadata /tmp/security-bootstrap.json \
  status

Do not put passwords, OTP seeds, OpenBao root tokens, unseal shares, recovery codes, private keys, or screenshots of secret output into the metadata file.