- NK-WP-0003 T08: replace hardcoded /home/worsch/key-cape with $(git rev-parse --show-toplevel)/../key-cape so acceptance tests run correctly on any machine
- NK-WP-0005 T04: create .claude/commands/creds-init.md — the autonomous credential bootstrap skill (reads creds-state.yaml, resumes from current phase, honours emergency bundle gate)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
| description | argument-hint | allowed-tools |
|---|---|---|
| Fully automated net-kingdom credential bootstrap. Generates all service secrets, encrypts and commits via SOPS, injects into cluster, and delivers a minimal emergency bundle for your personal password manager. No manual steps required. Run from the net-kingdom repo root. | [--dry-run] [--resume] | |

Read `sso-mfa/bootstrap/creds-state.yaml` to determine the current bootstrap phase, then proceed as follows:

- If `bootstrap_complete: true` — report the current state and exit. Nothing to do.
- If the file does not exist or `secrets_generated: false` — run the full bootstrap from scratch: `make creds-agent-init $ARGUMENTS`
- If some phases are complete (`secrets_generated: true` or later fields are `true`) but `bootstrap_complete: false` — resume from the current phase by running: `bash sso-mfa/bootstrap/creds-bootstrap-agent.sh --resume $ARGUMENTS`
- After the script exits successfully, re-read `creds-state.yaml` and confirm `bootstrap_complete: true`. Report the final state to the user.
- Log a progress event to the state-hub:
  - workstream: net-kingdom credential bootstrap (NK-WP-0005)
  - event: "creds-init completed — bootstrap_complete: true"

Emergency bundle gate: The script will pause and prompt the user to store the emergency bundle before marking bootstrap complete. Do not skip or automate this step — it is a deliberate human gate.

Dry run: Pass `--dry-run` to validate all pre-flight checks and print what would be done without writing secrets or applying K8s changes.
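
The phase dispatch described in the list above can be made deterministic instead of being left to the agent's reading of the state file. The following is an added example, not code from this commit or the net-kingdom repo. It assumes `creds-state.yaml` holds flat top-level `key: value` lines and treats a missing or non-`true` key as false; the function names `state_flag`, `next_action` and `plan` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the net-kingdom repo. Field names come from the page;
# the flat "key: value" layout of creds-state.yaml is an assumption.

# state_flag FILE KEY -> prints "true" only if FILE has a top-level "KEY: true".
state_flag() {
  local file=$1 key=$2 val
  # Last matching line wins; then strip inline comments, quotes and whitespace.
  val=$(sed -n "s/^${key}:[[:space:]]*//p" "$file" 2>/dev/null | tail -n 1)
  val=${val%%#*}
  val=$(printf '%s' "$val" | tr -d "\"' \t\r")
  [ "$val" = "true" ] && echo true || echo false
}

# next_action FILE -> prints one of: done | init | resume
next_action() {
  local file=$1
  if [ ! -f "$file" ]; then
    echo init; return          # no state file: full bootstrap from scratch
  fi
  if [ "$(state_flag "$file" bootstrap_complete)" = true ]; then
    echo done; return          # checked first so a finished bootstrap never re-runs
  fi
  if [ "$(state_flag "$file" secrets_generated)" = true ]; then
    echo resume                # secrets exist: never regenerate, only resume
  else
    echo init
  fi
}

# plan FILE [ARGS...] -> prints the command the page prescribes for that state.
plan() {
  local file=$1; shift
  case "$(next_action "$file")" in
    done)   echo "nothing to do: bootstrap_complete is true" ;;
    init)   echo "make creds-agent-init $*" ;;
    resume) echo "bash sso-mfa/bootstrap/creds-bootstrap-agent.sh --resume $*" ;;
  esac
}
```

`plan` only prints the command, so the emergency bundle prompt stays with the bootstrap script and the human running it.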