# Inter-Hub Bootstrap Access Lane

Date: 2026-06-24 (catalog alignment)  
Catalog id: `inter-hub-bootstrap-ssh` — `warden route show inter-hub-bootstrap-ssh --json`

## Purpose

This runbook describes how ops-warden participates in authenticated Inter-Hub
bootstrap tasks, especially the ops-hub production activation lane tracked by
`CUST-WP-0049`.

ops-warden does not store Inter-Hub API keys. Its role is to issue short-lived
SSH certificates for a narrow actor so an operator or agent can reach a trusted
execution host without introducing static SSH keys into the workflow.

## Boundary

ops-warden owns:

- actor registration
- short-lived certificate issuance
- TTL and principal policy
- `ops-ssh-wrapper` usage

ops-warden does not own:

- Inter-Hub operator key storage
- OpenBao policy or secret paths
- host-side `/etc/ssh/auth_principals/` deployment
- force-command wrappers
- database migrations or Kubernetes access

Those host-side controls belong to `railiance-infra` or the relevant
deployment repo. Long-lived secret custody belongs in OpenBao or the approved
operator secret store.

## Actor Pattern

Use a dedicated `agt` actor for Codex-assisted bootstrap work:

```bash
warden inventory add agt-codex-interhub-bootstrap \
  --type agt \
  --principal agt-interhub-bootstrap \
  --ttl 2 \
  --description "Short-lived agent access for attended Inter-Hub bootstrap execution"
```

Guidance:

- Prefer a 1-2 hour TTL for attended bootstrap.
- Keep the principal narrower than general ops access.
- Do not reuse human `adm` actors for agent-assisted bootstrap runs.
- Remove or disable the actor after the bootstrap lane is no longer needed.

## Worker checklist

1. Confirm the bootstrap run is approved (`CUST-WP-0049` or equivalent workplan).
2. Register or verify the narrow `agt` actor in inventory (`warden inventory list`).
3. Sign a short-lived cert: `warden sign agt-codex-interhub-bootstrap --pubkey <path>`.
4. Confirm host principal `agt-interhub-bootstrap` is deployed (`railiance-infra`
   `ssh_principals.yaml`; optional drift check: `scripts/check_principals_drift.py`).
5. Choose **attended** or **unattended** material access (below).
6. Run via `ops-ssh-wrapper` or attended SSH; collect **non-secret** evidence only.

For generic SSH issuance steps see catalog id `ssh-cert-host-access`.

---

## Attended bootstrap

Use when host-side force-command / OpenBao read paths are not yet provisioned.

1. Operator holds the Inter-Hub operator key in an attended `0600` temp file
   (`IHUB_OPERATOR_KEY_FILE`) — never commit or paste in chat.
2. ops-warden signs the bootstrap actor cert (step 3 above).
3. Operator runs the repo-owned bootstrap command on the trusted host, for example
   `make interhub-bootstrap` in `ops-hub`.
4. Operator stores any generated runtime key into OpenBao immediately.
5. Record non-secret evidence in State Hub (ids, status, key prefixes).

Example client-side wrapper use:

```bash
WARDEN_ACTOR=agt-codex-interhub-bootstrap \
SSH_PUBKEY="$HOME/.ssh/id_ed25519.pub" \
ops-ssh-wrapper ssh ops-bootstrap@<trusted-host> run-ops-hub-interhub-bootstrap
```

The exact remote command and host account are environment-specific and should
be provisioned by the deployment repo.

---

## Unattended bootstrap

Use only after railiance-infra ships host-side controls (principals, force-command,
wrapper).

1. ops-warden signs the bootstrap actor cert.
2. Target host accepts only the `agt-interhub-bootstrap` principal.
3. Host-side wrapper reads the Inter-Hub operator key from OpenBao (see pointers
   below) — ops-warden does not vend that key.
4. Wrapper runs the approved bootstrap routine and writes the runtime key back
   to OpenBao.
5. Wrapper prints non-secret evidence only.

Without force-command and OpenBao read paths, stay on the **attended** branch.

---

## flex-auth and OpenBao pointers

ops-warden issues the SSH envelope only. Custody and authorization live elsewhere:

| Need | Route | Notes |
| --- | --- | --- |
| Inter-Hub operator key read/write | `warden route show openbao-api-key --json` | railiance-platform owns paths |
| Authorization before sensitive bootstrap | `warden route show flex-auth-policy-check --json` | flex-auth PDP when policy applies |
| Host principal deploy | `warden route show railiance-infra-principals --json` | Ansible `ssh_principals.yaml` |

Do not restate OpenBao path strings here — they change in `railiance-platform`.

## Host-Side Requirements

Before this lane can be used in production, railiance-infra or the deployment
owner should provide:

- an auth principals entry for `agt-interhub-bootstrap`
- password auth disabled for the target account
- a force-command or restricted wrapper for the bootstrap path
- OpenBao read access for the Inter-Hub operator key, if unattended material
  access is approved
- OpenBao write access for the generated ops-hub runtime key
- non-secret execution logging

Without those controls, use only an attended local `IHUB_OPERATOR_KEY_FILE`
run.

## Non-Secret Evidence

Safe evidence to copy into State Hub:

- workplan id and task id
- Inter-Hub base URL
- hub id and slug
- manifest id and status
- API consumer id
- runtime key prefix
- widget counts
- event id and event type

Never log:

- full operator keys
- full runtime API keys
- OpenBao tokens
- kubeconfig contents
- raw SQL output that could include secrets

## Related Work

- `the-custodian/workplans/CUST-WP-0049-interhub-bootstrap-access-lane.md`
- `ops-hub/docs/bootstrap-runbook.md`
- `wiki/AccessManagementDirective.md`
- `wiki/OpsWardenConfig.md`
- `wiki/CertCommandInterface.md`