Files
net-kingdom/workplans/ADHOC-2026-07-02.md
tegwick 85a781b7a4 NET-WP-0020 finished: attended-ceremony + auto-unseal-transit profiles, greenfield init/unseal proof
T2: greenfield live proof against a fresh uninitialized OpenBao 2.5.5 —
caught and fixed 'bao operator unseal -' not reading stdin (now
'bao write sys/unseal key=-'); init and reseal-replay paths proven.
T3: attended-ceremony selectable — runbook, non-secret ceremony-record
template + validator, and a lab/production deployment profile that blocks
sops-held-automation in console selection, gates, and the init script.
T4: console gate + evidence flags for auto-unseal-transit (Helm seal stanza
prepared in railiance-platform).
Also: SCOPE.md refreshed to current repo state; adhoc fix for the broken
check-secrets Make target (unescaped $).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-02 22:08:33 +02:00

51 lines
1.6 KiB
Markdown

---
id: adhoc-2026-07-02
type: workplan
title: "Ad Hoc Tasks — 2026-07-02"
domain: infotech
repo: net-kingdom
status: finished
owner: codex
topic_slug: net-kingdom
created: "2026-07-02"
updated: "2026-07-02"
state_hub_workstream_id: "67c1c7ac-d8b1-41dc-a81a-4e43f1afd068"
---
# Ad Hoc Tasks — 2026-07-02
## Fix creds-bootstrap-agent Phase 0 dry-run on machines without the age key
```task
id: ADHOC-2026-07-02-T01
status: done
priority: low
state_hub_task_id: "b86bf898-7916-4db3-ba67-ba3a3fd8a49f"
```
`--dry-run` previously aborted silently in Phase 0 on any machine without
`~/.config/sops/age/keys.txt`: key generation is correctly skipped in dry-run,
but the subsequent public-key read (`grep` on the missing file) killed the
script under `set -e`, so no later phase could be exercised.
Fix: when the key file is absent in dry-run, continue with a placeholder
recipient and a clear notice instead of dying; live runs without a key still
fail hard. Verified: full `--dry-run` now traverses Phase 0 through Phase 10
including the new Phase 7b OpenBao hook (NET-WP-0020-T02) on a machine with
no age key.
## Fix broken check-secrets Make target (unescaped `$`)
```task
id: ADHOC-2026-07-02-T02
status: done
priority: medium
```
`make check-secrets` failed with a bash parse error ("unexpected EOF while
looking for matching `'`"): the trailing `grep -v '/$'` used a single `$`,
which make expanded before bash saw it. Escaped to `$$`. Verified:
`make check-secrets` passes again ("All secrets/ files appear SOPS-encrypted").
Pre-existing bug, unrelated to NET-WP-0020; found while running the final
checks for that workplan.