Add credential CCR operator handoff

scripts/credential-change.py

@@ -5,6 +5,7 @@ import argparse
 import json
 import os
 import re
+import shlex
 import sys
 import urllib.error
 import urllib.request
@@ -374,6 +375,46 @@ def render_plan(ccr: dict[str, Any]) -> str:
     return "\n".join(lines)
 
 
+def shell_kv_arg(key: str, value: Any) -> str:
+    if isinstance(value, (dict, list)):
+        encoded = json.dumps(value, sort_keys=True, separators=(",", ":"))
+    elif isinstance(value, bool):
+        encoded = "true" if value else "false"
+    elif value is None:
+        encoded = ""
+    else:
+        encoded = str(value)
+    return shlex.quote(f"{key}={encoded}")
+
+
+def render_operator_commands(ccr: dict[str, Any]) -> str:
+    openbao = ccr["openbao"]
+    auth = openbao["auth"]
+    auth_path = f"auth/{auth['mount']}/role/{auth['role']}"
+    payload = auth_payload(ccr)
+    role_args = " ".join(
+        shell_kv_arg(key, payload[key]) for key in sorted(payload)
+    )
+    secret_args = " ".join(
+        shlex.quote(f"{field}=<enter-through-approved-custody>")
+        for field in openbao["fields"]
+    )
+    lines = [
+        f"# Operator handoff for {ccr['id']}: {ccr['title']}",
+        "# Run from the railiance-platform repo with an approved OpenBao operator token.",
+        "set -euo pipefail",
+        f"bao policy write {shlex.quote(openbao['policy_name'])} {shlex.quote(openbao['policy_file'])}",
+        f"bao write {shlex.quote(auth_path)} {role_args}",
+        "",
+        "# Secret provisioning remains under approved OpenBao/operator custody.",
+        "# Do not paste secret values into Git, State Hub, workplans, logs, or chat.",
+        f"# bao kv put {shlex.quote(openbao['kv_path'])} {secret_args}",
+        "",
+        "# After provisioning, run positive and negative verification without printing secret values.",
+    ]
+    return "\n".join(lines)
+
+
 def validate_or_exit(path: Path) -> tuple[dict[str, Any], list[str]]:
     ccr, errors, warnings = validate_ccr(path)
     for warning in warnings:
@@ -645,18 +686,30 @@ def command_status(args: argparse.Namespace) -> int:
     return 0
 
 
+def require_apply_ready(ccr: dict[str, Any], command_name: str) -> None:
+    if ccr.get("status") not in APPLY_ALLOWED_STATUSES:
+        fail(f"{command_name} requires status approved, got {ccr.get('status')}")
+    auth = ccr["openbao"]["auth"]
+    if auth.get("bound_claims_confirmed") is not True:
+        fail(f"{command_name} requires openbao.auth.bound_claims_confirmed=true")
+
+
 def command_apply_plan(args: argparse.Namespace) -> int:
     path = resolve_ccr(args.ref)
     ccr, _warnings = validate_or_exit(path)
-    if ccr.get("status") not in APPLY_ALLOWED_STATUSES:
-        fail(f"apply-plan requires status approved, got {ccr.get('status')}")
-    auth = ccr["openbao"]["auth"]
-    if auth.get("bound_claims_confirmed") is not True:
-        fail("apply-plan requires openbao.auth.bound_claims_confirmed=true")
+    require_apply_ready(ccr, "apply-plan")
     print(render_plan(ccr))
     return 0
 
 
+def command_operator_commands(args: argparse.Namespace) -> int:
+    path = resolve_ccr(args.ref)
+    ccr, _warnings = validate_or_exit(path)
+    require_apply_ready(ccr, "operator-commands")
+    print(render_operator_commands(ccr))
+    return 0
+
+
 def command_decision(args: argparse.Namespace, status: str) -> int:
     path = resolve_ccr(args.ref)
     append_decision(path, status, args.reviewer, args.comment)
@@ -713,6 +766,13 @@ def build_parser() -> argparse.ArgumentParser:
     apply_plan.add_argument("ref")
     apply_plan.set_defaults(func=command_apply_plan)
 
+    operator_commands = sub.add_parser(
+        "operator-commands",
+        help="Render reviewed non-secret OpenBao commands for an approved CCR",
+    )
+    operator_commands.add_argument("ref")
+    operator_commands.set_defaults(func=command_operator_commands)
+
     for name, status in (
         ("approve", "approved"),
         ("deny", "denied"),