| id | type | title | domain | repo | status | owner | topic_slug | created | updated | state_hub_workstream_id |
|---|---|---|---|---|---|---|---|---|---|---|
| NET-WP-0020 | workplan | OpenBao Unseal Custody Models and SSH Automation Path | infotech | net-kingdom | active | codex | net-kingdom | 2026-06-17 | 2026-07-02 | d6338ac9-797d-4009-8203-4b8dd39010af |
NET-WP-0020 — OpenBao Unseal Custody Models and SSH Automation Path
Scope: Framework for three OpenBao init/unseal custody models; automation-first development path; console decision points; downstream hooks for SSH engine and host CA automation on greenfield 3-node bootstrap.
Strategy: Start with sops-held-automation for fast unattended test cycles;
add attended-ceremony and auto-unseal-transit with blocking gates as
production trust increases.
Tasks
T1 — Custody model canon and console gates
id: NET-WP-0020-T01
status: done
priority: high
state_hub_task_id: "7040f347-d54a-42ba-a14f-5b0a7e691786"
- `docs/openbao-unseal-custody-models.md`
- Console: list + select commands; gates block planned models
- `smooth-bootstrap-guide.md` Step 5 update
- Makefile targets
T2 — SOPS-held init/unseal automation hooks
id: NET-WP-0020-T02
status: progress
priority: high
state_hub_task_id: "65407eb1-9d89-4158-aed5-4987badd83fc"
- SOPS-held init/unseal automation: `sso-mfa/bootstrap/openbao-init-unseal.sh` (`make openbao-init-unseal` / `make openbao-init-unseal-dry-run`)
- Non-secret evidence flags: `openbao_initialized`, `openbao_post_unseal_verified` (emitted on the script's `EVIDENCE` JSON line)
- Integrate with `make openbao-configure-initial` post-unseal (`OPENBAO_RUN_CONFIGURE_INITIAL=1` chains it; default prints the handoff hint)
- Wire the helper as an optional phase inside `creds-bootstrap-agent.sh` (agent-policy blocked automated edits to the credential bootstrap script on 2026-07-02 — operator should add a phase that calls the helper, sets the two state flags in `creds-state.yaml`, and re-runs `encrypt-secrets.sh` + commit when `secrets/openbao/` was created)
- Greenfield live proof: run against a sealed/uninitialized OpenBao on a rebuild slate (current cluster is already initialized+unsealed, so only the status/verify path was live-smoked on 2026-07-02; custody-gate refusal was proven for `unselected` and `attended-ceremony`)
2026-07-02: Helper implemented and smoke-tested: dry-run against the live cluster passed the custody gate (`sops-held-automation` selected) and read `initialized=true sealed=false`; negative tests proved refusal for `unselected` and `attended-ceremony` models. Init material is written only into `secrets/openbao/` for age custody; unseal shares travel stdin-to-stdin and never appear in argv or logs.
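The custody gate and share-handling rules described for T2, as an added shell example that is not the project's own `openbao-init-unseal.sh`: it refuses every model except `sops-held-automation`, emits the non-secret `EVIDENCE` JSON line, and passes each unseal share to `bao operator unseal` over stdin rather than argv. It assumes `bao operator unseal` reads the share from stdin when given no argument, and `BAO_BIN` is an assumed override hook so the unseal loop can be exercised without a live cluster.

```shell
#!/usr/bin/env sh
# Added example, not the project's script. Model names match the workplan's
# three custody models; BAO_BIN is an assumed override used only for testing.
set -eu

# Custody gate: only sops-held-automation may run unattended. Returns 0 when
# permitted and 2 when the selected (or missing) model blocks automation.
custody_gate() {
  model="$1"
  case "$model" in
    sops-held-automation) return 0 ;;
    attended-ceremony|auto-unseal-transit|unselected|"")
      echo "custody gate: model '${model:-unselected}' blocks unattended init/unseal" >&2
      return 2 ;;
    *)
      echo "custody gate: unknown model '$model'" >&2
      return 2 ;;
  esac
}

# Non-secret evidence line: only boolean flags, never shares or a root token.
# Usage: evidence_line <initialized true|false> <post_unseal_verified true|false>
evidence_line() {
  printf 'EVIDENCE {"openbao_initialized":%s,"openbao_post_unseal_verified":%s}\n' "$1" "$2"
}

# Read unseal shares from stdin (one per line) and hand each one to
# `bao operator unseal` on its stdin, so no share appears in argv, shell
# history or process listings. Prints the number of shares submitted.
# Under set -e a failing unseal aborts the loop (fail closed).
unseal_from_stdin() {
  count=0
  while IFS= read -r share; do
    [ -n "$share" ] || continue
    printf '%s\n' "$share" | "${BAO_BIN:-bao}" operator unseal >/dev/null
    count=$((count + 1))
  done
  echo "$count"
}
```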
T3 — Attended ceremony automation profile
id: NET-WP-0020-T03
status: wait
priority: medium
state_hub_task_id: "34f3d979-a040-49ca-bfcb-35cf17473a06"
- Implement `attended-ceremony` selection path (runbooks + evidence validators)
- Production profile blocks `sops-held-automation` default
Blocked until: T2 automation path proven on greenfield rebuild.
T4 — Auto-unseal transit profile
id: NET-WP-0020-T04
status: wait
priority: medium
state_hub_task_id: "54ab6505-c13b-4f63-8c94-07dd202de90a"
- `railiance-platform` Helm seal stanza for transit/KMS
- Console gate + evidence for `auto-unseal-transit`
T5 — SSH engine + host CA automation (cross-repo)
id: NET-WP-0020-T05
status: done
priority: high
state_hub_task_id: "399e82ca-6551-4020-8db5-c78076e75cfc"
- `railiance-platform`: `openbao-configure-ssh` declarative script + Makefile targets
- `railiance-infra`: `bootstrap-ssh-ca` role + `ssh_principals.yaml` inventory
- Live apply: OpenBao SSH engine + roles + warden-signon Railiance (2026-06-18)
- Live apply: `bootstrap-ssh-ca` on CoulombCore + Railiance01
- Close `ops-warden` WP-0008 T2 verification gate
See also
- `history/2026-06-17-openbao-ssh-custody-and-bootstrap-assessment.md` — state + concepts (read before T5)
- `ops-warden/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md`
- `railiance-platform/docs/openbao.md`