net-kingdom/workplans/ADHOC-2026-07-02.md
tegwick 85a781b7a4 NET-WP-0020 finished: attended-ceremony + auto-unseal-transit profiles, greenfield init/unseal proof
T2: greenfield live proof against a fresh uninitialized OpenBao 2.5.5 —
caught and fixed 'bao operator unseal -' not reading stdin (now
'bao write sys/unseal key=-'); init and reseal-replay paths proven.
T3: attended-ceremony selectable — runbook, non-secret ceremony-record
template + validator, and a lab/production deployment profile that blocks
sops-held-automation in console selection, gates, and the init script.
T4: console gate + evidence flags for auto-unseal-transit (Helm seal stanza
prepared in railiance-platform).
Also: SCOPE.md refreshed to current repo state; adhoc fix for the broken
check-secrets Make target (unescaped $).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-02 22:08:33 +02:00

id: adhoc-2026-07-02
type: workplan
title: Ad Hoc Tasks — 2026-07-02
domain: infotech
repo: net-kingdom
status: finished
owner: codex
topic_slug: net-kingdom
created: 2026-07-02
updated: 2026-07-02
state_hub_workstream_id: 67c1c7ac-d8b1-41dc-a81a-4e43f1afd068

Ad Hoc Tasks — 2026-07-02

Fix creds-bootstrap-agent Phase 0 dry-run on machines without the age key

id: ADHOC-2026-07-02-T01
status: done
priority: low
state_hub_task_id: "b86bf898-7916-4db3-ba67-ba3a3fd8a49f"

--dry-run previously aborted silently in Phase 0 on any machine without ~/.config/sops/age/keys.txt: key generation is correctly skipped in dry-run, but the subsequent public-key read (grep on the missing file) killed the script under set -e, so no later phase could be exercised.

Fix: when the key file is absent in dry-run, continue with a placeholder recipient and a clear notice instead of dying; live runs without a key still fail hard. Verified: full --dry-run now traverses Phase 0 through Phase 10 including the new Phase 7b OpenBao hook (NET-WP-0020-T02) on a machine with no age key.
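
The Phase 0 behaviour described above, sketched as an added example (not the creds-bootstrap-agent script itself). The function name resolve_age_recipient, the placeholder value and the messages are assumptions; the key-file layout is the one age-keygen writes.

```sh
#!/bin/sh
# Added example: recipient lookup that lets --dry-run pass Phase 0 without an
# age key, while live runs still fail hard. All names here are hypothetical.
set -eu

# Hypothetical marker value; deliberately not a usable age recipient.
PLACEHOLDER_RECIPIENT="age1DRYRUNPLACEHOLDER"

# resolve_age_recipient KEY_FILE DRY_RUN(0|1)
# Prints the recipient on stdout. Notices go to stderr so that a caller doing
# recipient=$(resolve_age_recipient ...) never captures them as key material.
resolve_age_recipient() {
  local key_file="$1" dry_run="$2" recipient

  # Test for the file explicitly instead of letting a read of a missing file
  # return non-zero and end the script under set -e with no message.
  if [ ! -r "$key_file" ]; then
    if [ "$dry_run" = 1 ]; then
      echo "[dry-run] $key_file absent; using placeholder recipient" >&2
      printf '%s\n' "$PLACEHOLDER_RECIPIENT"
      return 0
    fi
    echo "error: $key_file not found; live runs need a real age key" >&2
    return 1
  fi

  # age-keygen records the recipient as a '# public key: age1...' comment line.
  recipient=$(sed -n 's/^# public key: //p' "$key_file" | head -n 1)

  # A key file that exists but is malformed is an error in both modes: the
  # placeholder only covers the "no key on this machine" case.
  if [ -z "$recipient" ]; then
    echo "error: no '# public key:' line in $key_file" >&2
    return 1
  fi
  printf '%s\n' "$recipient"
}

# Demo on constructed input: an empty temp dir stands in for a machine
# without ~/.config/sops/age/keys.txt.
demo_dir=$(mktemp -d)
resolve_age_recipient "$demo_dir/keys.txt" 1
rm -rf "$demo_dir"
```

Keeping the placeholder syntactically invalid as a recipient means a dry-run value that leaks into a live encryption step is rejected rather than silently used.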

Fix broken check-secrets Make target (unescaped $)

id: ADHOC-2026-07-02-T02
status: done
priority: medium

make check-secrets failed with a bash parse error ("unexpected EOF while looking for matching '"): the trailing grep -v '/$' used a single $, which make expanded before bash saw it. Escaped to $$. Verified: make check-secrets passes again ("All secrets/ files appear SOPS-encrypted"). Pre-existing bug, unrelated to NET-WP-0020; found while running the final checks for that workplan.