generated from coulomb/repo-seed
T2: greenfield live proof against a fresh uninitialized OpenBao 2.5.5 — caught and fixed 'bao operator unseal -' not reading stdin (now 'bao write sys/unseal key=-'); init and reseal-replay paths proven. T3: attended-ceremony selectable — runbook, non-secret ceremony-record template + validator, and a lab/production deployment profile that blocks sops-held-automation in console selection, gates, and the init script. T4: console gate + evidence flags for auto-unseal-transit (Helm seal stanza prepared in railiance-platform). Also: SCOPE.md refreshed to current repo state; adhoc fix for the broken check-secrets Make target (unescaped $). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
51 lines
1.6 KiB
Markdown
---
id: adhoc-2026-07-02
type: workplan
title: "Ad Hoc Tasks — 2026-07-02"
domain: infotech
repo: net-kingdom
status: finished
owner: codex
topic_slug: net-kingdom
created: "2026-07-02"
updated: "2026-07-02"
state_hub_workstream_id: "67c1c7ac-d8b1-41dc-a81a-4e43f1afd068"
---

# Ad Hoc Tasks — 2026-07-02

## Fix creds-bootstrap-agent Phase 0 dry-run on machines without the age key

```task
id: ADHOC-2026-07-02-T01
status: done
priority: low
state_hub_task_id: "b86bf898-7916-4db3-ba67-ba3a3fd8a49f"
```

`--dry-run` previously aborted silently in Phase 0 on any machine without
`~/.config/sops/age/keys.txt`: key generation is correctly skipped in dry-run,
but the subsequent public-key read (`grep` on the missing file) killed the
script under `set -e`, so no later phase could be exercised.

Fix: when the key file is absent in dry-run, continue with a placeholder
recipient and a clear notice instead of dying; live runs without a key still
fail hard. Verified: full `--dry-run` now traverses Phase 0 through Phase 10
including the new Phase 7b OpenBao hook (NET-WP-0020-T02) on a machine with
no age key.

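The Phase 0 behaviour described above, written out as an added example; it is not the repository's own script. The function names `resolve_age_recipient` and `write_sample_keyfile`, the placeholder value and the messages are assumptions, and the sample key file is constructed.

```shell
#!/bin/sh
# Added example: recipient lookup that tolerates a missing age key only in
# dry-run. Names, placeholder and messages are hypothetical.
set -eu

# Constructed marker; not a valid age recipient, so it can never encrypt data.
PLACEHOLDER_RECIPIENT="age1-dry-run-placeholder"

# resolve_age_recipient KEYFILE DRY_RUN(0|1)
# Prints the recipient on stdout; notices and errors go to stderr.
resolve_age_recipient() {
  local keyfile="$1" dry_run="$2" recipient
  if [ ! -r "$keyfile" ]; then
    if [ "$dry_run" = 1 ]; then
      # Guarding here avoids the read on a missing file that aborted under set -e.
      echo "NOTICE: $keyfile not found; dry-run continues with a placeholder recipient" >&2
      printf '%s\n' "$PLACEHOLDER_RECIPIENT"
      return 0
    fi
    echo "ERROR: $keyfile missing; refusing to continue a live run" >&2
    return 1
  fi
  # age-keygen records the recipient as a "# public key: age1..." comment line.
  recipient=$(sed -n 's/^# public key: //p' "$keyfile" | head -n 1)
  if [ -z "$recipient" ]; then
    # A key file without a public key line is an error in both modes.
    echo "ERROR: no public key line in $keyfile" >&2
    return 1
  fi
  printf '%s\n' "$recipient"
}

# Constructed sample in age-keygen's file layout (values are not real keys).
write_sample_keyfile() {
  cat > "$1" <<'EOF'
# created: 2026-07-02T00:00:00Z
# public key: age1exampleconstructedrecipient
AGE-SECRET-KEY-1EXAMPLECONSTRUCTED
EOF
}

# Usage inside a bootstrap script (a failed lookup aborts a live run via set -e):
#   recipient=$(resolve_age_recipient "$HOME/.config/sops/age/keys.txt" "$DRY_RUN")
```
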
## Fix broken check-secrets Make target (unescaped `$`)

```task
id: ADHOC-2026-07-02-T02
status: done
priority: medium
```

`make check-secrets` failed with a bash parse error ("unexpected EOF while
looking for matching `'`"): the trailing `grep -v '/$'` used a single `$`,
which make expanded before bash saw it. Escaped to `$$`. Verified:
`make check-secrets` passes again ("All secrets/ files appear SOPS-encrypted").
Pre-existing bug, unrelated to NET-WP-0020; found while running the final
checks for that workplan.