T2: greenfield live proof against a fresh uninitialized OpenBao 2.5.5 — caught and fixed 'bao operator unseal -' not reading stdin (now 'bao write sys/unseal key=-'); init and reseal-replay paths proven. T3: attended-ceremony selectable — runbook, non-secret ceremony-record template + validator, and a lab/production deployment profile that blocks sops-held-automation in console selection, gates, and the init script. T4: console gate + evidence flags for auto-unseal-transit (Helm seal stanza prepared in railiance-platform). Also: SCOPE.md refreshed to current repo state; adhoc fix for the broken check-secrets Make target (unescaped $). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
1.6 KiB
id, type, title, domain, repo, status, owner, topic_slug, created, updated, state_hub_workstream_id
| id | type | title | domain | repo | status | owner | topic_slug | created | updated | state_hub_workstream_id |
|---|---|---|---|---|---|---|---|---|---|---|
| adhoc-2026-07-02 | workplan | Ad Hoc Tasks — 2026-07-02 | infotech | net-kingdom | finished | codex | net-kingdom | 2026-07-02 | 2026-07-02 | 67c1c7ac-d8b1-41dc-a81a-4e43f1afd068 |
Ad Hoc Tasks — 2026-07-02
Fix creds-bootstrap-agent Phase 0 dry-run on machines without the age key
id: ADHOC-2026-07-02-T01
status: done
priority: low
state_hub_task_id: "b86bf898-7916-4db3-ba67-ba3a3fd8a49f"
--dry-run previously aborted silently in Phase 0 on any machine without
~/.config/sops/age/keys.txt: key generation is correctly skipped in dry-run,
but the subsequent public-key read (grep on the missing file) killed the
script under set -e, so no later phase could be exercised.
Fix: when the key file is absent in dry-run, continue with a placeholder
recipient and a clear notice instead of dying; live runs without a key still
fail hard. Verified: full --dry-run now traverses Phase 0 through Phase 10
including the new Phase 7b OpenBao hook (NET-WP-0020-T02) on a machine with
no age key.
Fix broken check-secrets Make target (unescaped $)
id: ADHOC-2026-07-02-T02
status: done
priority: medium
make check-secrets failed with a bash parse error ("unexpected EOF while
looking for matching '"): the trailing grep -v '/$' used a single $,
which make expanded before bash saw it. Escaped to $$. Verified:
make check-secrets passes again ("All secrets/ files appear SOPS-encrypted").
Pre-existing bug, unrelated to NET-WP-0020; found while running the final
checks for that workplan.