From f10f813d7eae06b900aa47658c0d6b85a82806e8 Mon Sep 17 00:00:00 2001 From: tegwick Date: Wed, 24 Jun 2026 12:45:23 +0200 Subject: [PATCH] feat(WP-0012): add inter-hub-bootstrap-ssh catalog entry and align wiki Promote Inter-Hub bootstrap lane to active catalog with worker checklist, attended/unattended branches, and flex-auth/OpenBao pointers. Mark WP-0012 T2/T3 done; ops-bridge tunnel playbook shipped in prior WP-0013 commit. --- SCOPE.md | 2 +- registry/routing/catalog.yaml | 11 +++ wiki/InterHubBootstrapAccessLane.md | 69 +++++++++++++++---- ...RDEN-WP-0012-routing-scenario-playbooks.md | 21 +++--- 4 files changed, 78 insertions(+), 25 deletions(-) diff --git a/SCOPE.md b/SCOPE.md index 3b723b7..e58a776 100644 --- a/SCOPE.md +++ b/SCOPE.md @@ -136,7 +136,7 @@ for the rest. | WP | Status | Focus | | --- | --- | --- | -| **WP-0012** | `ready` | Routing scenario playbooks (catalog + wiki expansion) | +| **WP-0012** | `active` | Routing scenario playbooks (catalog + wiki expansion) | ### Known gaps (not ops-warden workplans) diff --git a/registry/routing/catalog.yaml b/registry/routing/catalog.yaml index f7a29e8..bdd9712 100644 --- a/registry/routing/catalog.yaml +++ b/registry/routing/catalog.yaml @@ -103,6 +103,17 @@ entries: reviewed: "2026-06-18" status: active + - id: inter-hub-bootstrap-ssh + title: Inter-Hub bootstrap SSH envelope + need_keywords: [inter-hub, interhub, bootstrap, ops-hub, agt-interhub-bootstrap, envelope, force-command, CUST-WP-0049] + owner_repo: ops-warden + subsystem: ops-warden + railiance-infra + warden_executes: false + wiki_ref: wiki/InterHubBootstrapAccessLane.md#worker-checklist + canon_ref: net-kingdom/docs/platform-identity-security-architecture.md#operational-ssh-path + reviewed: "2026-06-24" + status: active + - id: activity-core-issue-sink title: activity-core IssueSink → issue-core REST emission need_keywords: [activity-core, issue-sink, issue-core, emission, issue_core_url, issue_core_api_key, tasks, ingest, rest, issuesink] 
diff --git a/wiki/InterHubBootstrapAccessLane.md b/wiki/InterHubBootstrapAccessLane.md index 67a720e..ae16f0d 100644 --- a/wiki/InterHubBootstrapAccessLane.md +++ b/wiki/InterHubBootstrapAccessLane.md @@ -1,6 +1,7 @@ # Inter-Hub Bootstrap Access Lane -Date: 2026-06-17 +Date: 2026-06-24 (catalog alignment) +Catalog id: `inter-hub-bootstrap-ssh` — `warden route show inter-hub-bootstrap-ssh --json` ## Purpose 
@@ -52,22 +53,31 @@ Guidance: - Do not reuse human `adm` actors for agent-assisted bootstrap runs. - Remove or disable the actor after the bootstrap lane is no longer needed. -## Execution Shape +## Worker checklist -The intended flow is: +1. Confirm the bootstrap run is approved (`CUST-WP-0049` or equivalent workplan). +2. Register or verify the narrow `agt` actor in inventory (`warden inventory list`). +3. Sign a short-lived cert: `warden sign agt-codex-interhub-bootstrap --pubkey `. +4. Confirm host principal `agt-interhub-bootstrap` is deployed (`railiance-infra` + `ssh_principals.yaml`; optional drift check: `scripts/check_principals_drift.py`). +5. Choose **attended** or **unattended** material access (below). +6. Run via `ops-ssh-wrapper` or attended SSH; collect **non-secret** evidence only. -1. Operator approves the production bootstrap run. -2. ops-warden signs a short-lived cert for `agt-codex-interhub-bootstrap`. -3. The target host accepts only the narrow `agt-interhub-bootstrap` principal. -4. Host-side policy maps that principal to a force-command or wrapper that can - run only the Inter-Hub bootstrap routine. -5. The wrapper reads the Inter-Hub operator key from OpenBao or an attended - `0600` temp file. -6. The wrapper runs the repo-owned bootstrap command, for example +For generic SSH issuance steps see catalog id `ssh-cert-host-access`. + +--- + +## Attended bootstrap + +Use when host-side force-command / OpenBao read paths are not yet provisioned. + +1. Operator holds the Inter-Hub operator key in an attended `0600` temp file + (`IHUB_OPERATOR_KEY_FILE`) — never commit or paste in chat. +2. ops-warden signs the bootstrap actor cert (step 3 above). +3. Operator runs the repo-owned bootstrap command on the trusted host, for example `make interhub-bootstrap` in `ops-hub`. -7. Any generated runtime key is stored back into OpenBao immediately. -8. The wrapper prints non-secret evidence only: ids, status, timestamps, and - key prefixes. +4. 
Operator stores any generated runtime key into OpenBao immediately. +5. Record non-secret evidence in State Hub (ids, status, key prefixes). Example client-side wrapper use: @@ -80,6 +90,37 @@ ops-ssh-wrapper ssh ops-bootstrap@ run-ops-hub-interhub-bootstrap The exact remote command and host account are environment-specific and should be provisioned by the deployment repo. +--- + +## Unattended bootstrap + +Use only after railiance-infra ships host-side controls (principals, force-command, +wrapper). + +1. ops-warden signs the bootstrap actor cert. +2. Target host accepts only the `agt-interhub-bootstrap` principal. +3. Host-side wrapper reads the Inter-Hub operator key from OpenBao (see pointers + below) — ops-warden does not vend that key. +4. Wrapper runs the approved bootstrap routine and writes the runtime key back + to OpenBao. +5. Wrapper prints non-secret evidence only. + +Without force-command and OpenBao read paths, stay on the **attended** branch. + +--- + +## flex-auth and OpenBao pointers + +ops-warden issues the SSH envelope only. Custody and authorization live elsewhere: + +| Need | Route | Notes | +| --- | --- | --- | +| Inter-Hub operator key read/write | `warden route show openbao-api-key --json` | railiance-platform owns paths | +| Authorization before sensitive bootstrap | `warden route show flex-auth-policy-check --json` | flex-auth PDP when policy applies | +| Host principal deploy | `warden route show railiance-infra-principals --json` | Ansible `ssh_principals.yaml` | + +Do not restate OpenBao path strings here — they change in `railiance-platform`. + ## Host-Side Requirements Before this lane can be used in production, railiance-infra or the deployment diff --git a/workplans/WARDEN-WP-0012-routing-scenario-playbooks.md b/workplans/WARDEN-WP-0012-routing-scenario-playbooks.md index 6253f42..d03aa8f 100644 --- a/workplans/WARDEN-WP-0012-routing-scenario-playbooks.md +++ b/workplans/WARDEN-WP-0012-routing-scenario-playbooks.md 
@@ -4,7 +4,7 @@ type: workplan title: "Routing Scenario Playbooks" domain: infotech repo: ops-warden -status: ready +status: active owner: codex topic_slug: custodian planning_priority: medium @@ -27,7 +27,7 @@ owner's procedure inside the catalog. **Depends on:** WARDEN-WP-0010 (charter + catalog schema), WARDEN-WP-0011 (routing CLI). -**Status:** `ready` — WP-0010 and WP-0011 shipped; parallel to WP-0013 integration closeout. +**Status:** `active` — WP-0013 archived; T2/T3 in progress. --- @@ -50,7 +50,7 @@ pointer to a non-existent path is worse than no entry. | `inter-hub-bootstrap-ssh` | SSH envelope + on-host wrapper reads OpenBao | ops-warden SSH + railiance-infra | ready (SSH lane) | | `openrouter-llm-connect` | OpenBao → K8s Secret in activity-core | railiance-platform | path exists | | `object-storage-sts` | NK-WP-0007 vending path | net-kingdom + flex-auth + OpenBao | canon exists | -| `ops-bridge-tunnel-cert` | cert_command vs static-key migration | ops-bridge | coordinate | +| `ops-bridge-tunnel-cert` | cert_command vs static-key migration | ops-bridge | done (WP-0013) | | `human-oidc-login` | key-cape / Keycloak IAM Profile | key-cape | canon exists | | `flex-auth-resource-check` | Policy decision before sensitive action | flex-auth | canon exists | | `host-principal-deploy` | auth_principals sync | railiance-infra | canon exists | 
@@ -77,26 +77,27 @@ state_hub_task_id: "830bb512-0288-4dba-9dd4-ccfd28a4921f" ```task id: WARDEN-WP-0012-T02 -status: todo +status: done priority: medium state_hub_task_id: "7726a703-6e00-4e49-9380-ed3fb3268827" ``` -- [ ] Align `wiki/InterHubBootstrapAccessLane.md` with the catalog id. -- [ ] Document attended vs unattended bootstrap branches. -- [ ] Cross-link flex-auth and OpenBao expectations (pointers, not restated steps). +- [x] Align `wiki/InterHubBootstrapAccessLane.md` with catalog id `inter-hub-bootstrap-ssh` +- [x] Document attended vs unattended bootstrap branches +- [x] Cross-link flex-auth and OpenBao expectations (pointers, not restated steps) +- [x] Promote catalog entry to `active` with `wiki_ref` ### T3 — ops-bridge tunnel migration ```task id: WARDEN-WP-0012-T03 -status: todo +status: done priority: medium state_hub_task_id: "9fb397f0-0abb-48f5-bb62-7e77edae93bb" ``` -- [ ] Playbook: static-key → `cert_command` migration checklist. -- [ ] Pilot tunnel notes (`agt-state-hub-bridge`) — coordinate with ops-bridge. +- [x] Playbook: `wiki/playbooks/ops-bridge-tunnel-cert.md` (WARDEN-WP-0013) +- [x] Pilot tunnel `agt-state-hub-bridge` documented; ops-bridge coordination sent ### T4 — Platform secret scenarios (LLM, STS, DB)
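Review bot: In the `registry/routing/catalog.yaml` hunk, the new `inter-hub-bootstrap-ssh` entry goes straight to `status: active` with a cross-repo `canon_ref` (`net-kingdom/docs/platform-identity-security-architecture.md#operational-ssh-path`) that this patch cannot verify. The workplan's own rule in the same series is that a pointer to a non-existent path is worse than no entry, so please confirm both the file and the `#operational-ssh-path` anchor exist on the referenced branch before merging; the `wiki_ref` anchor `#worker-checklist` does match the heading added in the wiki hunk, so that one is fine.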
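Review bot: In the `wiki/InterHubBootstrapAccessLane.md` hunk at `@@ -52,22 +53,31 @@`, worker checklist step 3 ends with a bare `--pubkey ` and no value or placeholder, so the command is not copy-pasteable and readers cannot tell what the flag expects; a labelled placeholder such as `--pubkey <path-to-actor-pubkey>` would fix it. In the attended branch below it, step 1 puts the Inter-Hub operator key into a `0600` temp file (`IHUB_OPERATOR_KEY_FILE`) but no later step removes that file once the runtime key is in OpenBao (step 4) and evidence is recorded (step 5); add a cleanup step so the secret does not outlive the run. Step 2's "step 3 above" cross-reference is also fragile if the checklist is renumbered; naming the command instead would be more robust.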
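Review bot: In the `wiki/InterHubBootstrapAccessLane.md` hunk at `@@ -80,6 +90,37 @@`, the pointers table routes to three catalog ids (`openbao-api-key`, `flex-auth-policy-check`, `railiance-infra-principals`) that are not added by this patch's `catalog.yaml` hunk, so `warden route show <id> --json` will fail for any of them that is not already in the catalog; please confirm each id resolves before merging, for the same reason given in the workplan. Separately, the unchanged example line `ops-ssh-wrapper ssh ops-bootstrap@ run-ops-hub-interhub-bootstrap` has nothing after the `@`; since the text says the host is environment-specific, an explicit placeholder there would make that clear.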
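Review bot: In the `workplans/WARDEN-WP-0012-routing-scenario-playbooks.md` hunk at `@@ -27,7 +27,7 @@`, the new status line reads `T2/T3 in progress`, but the task blocks later in this same patch set both `WARDEN-WP-0012-T02` and `WARDEN-WP-0012-T03` to `status: done`, and the commit message says "Mark WP-0012 T2/T3 done". Align the line with the task state (e.g. "WP-0013 archived; T2/T3 done") so the status header does not contradict the checklists.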
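Review bot: In the hunk at `@@ -50,7 +50,7 @@`, the `ops-bridge-tunnel-cert` row is updated to `done (WP-0013)`, but the adjacent unchanged row `| inter-hub-bootstrap-ssh | ... | ready (SSH lane) |` still says `ready` even though this patch promotes that catalog entry to `status: active`; update the row in the same commit so the workplan table and the catalog agree.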
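Review bot: In the T3 block of the final hunk, the first checklist item now cites `wiki/playbooks/ops-bridge-tunnel-cert.md` as the shipped playbook, but that file is not part of this diff and the commit message only says it landed in a prior WP-0013 commit; please confirm the path exists on the target branch, and consider citing that commit in the item so the `done` state is traceable. The second item says "ops-bridge coordination sent" without a reference to where; a link or id for that coordination would let the next reader verify it.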