generated from coulomb/repo-seed
feat(WP-0012): add inter-hub-bootstrap-ssh catalog entry and align wiki
Promote Inter-Hub bootstrap lane to active catalog with worker checklist, attended/unattended branches, and flex-auth/OpenBao pointers. Mark WP-0012 T2/T3 done; ops-bridge tunnel playbook shipped in prior WP-0013 commit.
This commit is contained in:
@@ -1,6 +1,7 @@
|
||||
# Inter-Hub Bootstrap Access Lane
|
||||
|
||||
Date: 2026-06-17
|
||||
Date: 2026-06-24 (catalog alignment)
|
||||
Catalog id: `inter-hub-bootstrap-ssh` — `warden route show inter-hub-bootstrap-ssh --json`
|
||||
|
||||
## Purpose
|
||||
|
||||
@@ -52,22 +53,31 @@ Guidance:
|
||||
- Do not reuse human `adm` actors for agent-assisted bootstrap runs.
|
||||
- Remove or disable the actor after the bootstrap lane is no longer needed.
|
||||
|
||||
## Execution Shape
|
||||
## Worker checklist
|
||||
|
||||
The intended flow is:
|
||||
1. Confirm the bootstrap run is approved (`CUST-WP-0049` or equivalent workplan).
|
||||
2. Register or verify the narrow `agt` actor in inventory (`warden inventory list`).
|
||||
3. Sign a short-lived cert: `warden sign agt-codex-interhub-bootstrap --pubkey <path>`.
|
||||
4. Confirm host principal `agt-interhub-bootstrap` is deployed (`railiance-infra`
|
||||
`ssh_principals.yaml`; optional drift check: `scripts/check_principals_drift.py`).
|
||||
5. Choose **attended** or **unattended** material access (below).
|
||||
6. Run via `ops-ssh-wrapper` or attended SSH; collect **non-secret** evidence only.
|
||||
|
||||
1. Operator approves the production bootstrap run.
|
||||
2. ops-warden signs a short-lived cert for `agt-codex-interhub-bootstrap`.
|
||||
3. The target host accepts only the narrow `agt-interhub-bootstrap` principal.
|
||||
4. Host-side policy maps that principal to a force-command or wrapper that can
|
||||
run only the Inter-Hub bootstrap routine.
|
||||
5. The wrapper reads the Inter-Hub operator key from OpenBao or an attended
|
||||
`0600` temp file.
|
||||
6. The wrapper runs the repo-owned bootstrap command, for example
|
||||
For generic SSH issuance steps see catalog id `ssh-cert-host-access`.
|
||||
|
||||
---
|
||||
|
||||
## Attended bootstrap
|
||||
|
||||
Use when host-side force-command / OpenBao read paths are not yet provisioned.
|
||||
|
||||
1. Operator holds the Inter-Hub operator key in an attended `0600` temp file
|
||||
(`IHUB_OPERATOR_KEY_FILE`) — never commit or paste in chat.
|
||||
2. ops-warden signs the bootstrap actor cert (step 3 above).
|
||||
3. Operator runs the repo-owned bootstrap command on the trusted host, for example
|
||||
`make interhub-bootstrap` in `ops-hub`.
|
||||
7. Any generated runtime key is stored back into OpenBao immediately.
|
||||
8. The wrapper prints non-secret evidence only: ids, status, timestamps, and
|
||||
key prefixes.
|
||||
4. Operator stores any generated runtime key into OpenBao immediately.
|
||||
5. Record non-secret evidence in State Hub (ids, status, key prefixes).
|
||||
|
||||
Example client-side wrapper use:
|
||||
|
||||
@@ -80,6 +90,37 @@ ops-ssh-wrapper ssh ops-bootstrap@<trusted-host> run-ops-hub-interhub-bootstrap
|
||||
The exact remote command and host account are environment-specific and should
|
||||
be provisioned by the deployment repo.
|
||||
|
||||
---
|
||||
|
||||
## Unattended bootstrap
|
||||
|
||||
Use only after railiance-infra ships host-side controls (principals, force-command,
|
||||
wrapper).
|
||||
|
||||
1. ops-warden signs the bootstrap actor cert.
|
||||
2. Target host accepts only the `agt-interhub-bootstrap` principal.
|
||||
3. Host-side wrapper reads the Inter-Hub operator key from OpenBao (see pointers
|
||||
below) — ops-warden does not vend that key.
|
||||
4. Wrapper runs the approved bootstrap routine and writes the runtime key back
|
||||
to OpenBao.
|
||||
5. Wrapper prints non-secret evidence only.
|
||||
|
||||
Without force-command and OpenBao read paths, stay on the **attended** branch.
|
||||
|
||||
---
|
||||
|
||||
## flex-auth and OpenBao pointers
|
||||
|
||||
ops-warden issues the SSH envelope only. Custody and authorization live elsewhere:
|
||||
|
||||
| Need | Route | Notes |
|
||||
| --- | --- | --- |
|
||||
| Inter-Hub operator key read/write | `warden route show openbao-api-key --json` | railiance-platform owns paths |
|
||||
| Authorization before sensitive bootstrap | `warden route show flex-auth-policy-check --json` | flex-auth PDP when policy applies |
|
||||
| Host principal deploy | `warden route show railiance-infra-principals --json` | Ansible `ssh_principals.yaml` |
|
||||
|
||||
Do not restate OpenBao path strings here — they change in `railiance-platform`.
|
||||
|
||||
## Host-Side Requirements
|
||||
|
||||
Before this lane can be used in production, railiance-infra or the deployment
|
||||
|
||||
Reference in New Issue
Block a user