diff --git a/workplans/CUST-WP-0025-fos-hub-bootstrap.md b/workplans/CUST-WP-0025-fos-hub-bootstrap.md index 53c514d..ecf54c4 100644 --- a/workplans/CUST-WP-0025-fos-hub-bootstrap.md +++ b/workplans/CUST-WP-0025-fos-hub-bootstrap.md @@ -341,6 +341,12 @@ activity-core probes. The T13-T19 tasks below remain the long-term ops-hub implementation; the inventory slice produces input artifacts that the eventual ops-hub repo can ingest rather than replace. +**Inter-Hub bootstrap access lane (2026-06-17):** `CUST-WP-0049` extracts the +repeatable authenticated bootstrap routine needed to finish ops-hub production +activation without leaking keys into agent sessions: ops-hub owns the helper, +ops-warden owns the short-lived SSH certificate envelope, and operator secret +custody remains outside Git. + ### T13 — Create ops-hub repo from hub-core scaffold ```task diff --git a/workplans/CUST-WP-0047-ops-hub-service-inventory-now-view.md b/workplans/CUST-WP-0047-ops-hub-service-inventory-now-view.md index ebc9956..7c20fe7 100644 --- a/workplans/CUST-WP-0047-ops-hub-service-inventory-now-view.md +++ b/workplans/CUST-WP-0047-ops-hub-service-inventory-now-view.md @@ -10,7 +10,7 @@ topic_slug: custodian planning_priority: high planning_order: 47 created: "2026-06-05" -updated: "2026-06-16" +updated: "2026-06-17" state_hub_workstream_id: "656e435d-3a00-4f5e-a38e-114467f9062e" --- @@ -147,6 +147,11 @@ consumer, and initial widgets from the existing seed material in This is a human/operator-gated task because it requires authenticated Inter-Hub admin access or deployment-side migration execution. +Access-lane follow-up (2026-06-17): `CUST-WP-0049` owns the reusable routine +for getting this class of production bootstrap across the line: ops-hub API +helper, operator key-file custody, ops-warden short-lived SSH envelope, and the +remaining live-execution blocker. + Done when the ops-hub widgets exist and can accept `ops-endpoint-verified` or equivalent ops evidence events. 
diff --git a/workplans/CUST-WP-0049-interhub-bootstrap-access-lane.md b/workplans/CUST-WP-0049-interhub-bootstrap-access-lane.md new file mode 100644 index 0000000..82ee1fa --- /dev/null +++ b/workplans/CUST-WP-0049-interhub-bootstrap-access-lane.md 
@@ -0,0 +1,189 @@ +--- +id: CUST-WP-0049 +type: workplan +title: "Inter-Hub Bootstrap Access Lane" +domain: custodian +repo: the-custodian +status: active +owner: codex +topic_slug: custodian +planning_priority: high +planning_order: 49 +created: "2026-06-17" +updated: "2026-06-17" +state_hub_workstream_id: "9b56414a-c71f-4e72-9b2b-d2166aaf50d0" +--- + +# CUST-WP-0049 - Inter-Hub Bootstrap Access Lane + +## Goal + +Create a repeatable, auditable lane for finishing Inter-Hub production +bootstrap tasks without re-discovering credential, deployment, and operator +handoff rules every time. + +The immediate target is the ops-hub activation work blocked in +`CUST-WP-0047-T05`. The reusable outcome should also support future +Inter-Hub admin/bootstrap tasks from `CUST-WP-0025` and adjacent domains. + +## Problem + +The current friction pattern is consistent: + +- The required Inter-Hub action is usually small and well understood. +- The blocker is access custody: authenticated admin API key, deployment-side + migration access, or a trusted execution host. +- Static keys should not be pasted into Codex sessions or committed. +- The repo that needs the bootstrap does not own every part of the access + chain. + +## Ownership Model + +- `the-custodian` owns the coordination workplan, State Hub registration, and + cross-workplan blocker language. +- `ops-hub` owns the ops-hub manifest/widget seeds, API bootstrap helper, and + operator runbook. +- `ops-warden` owns the short-lived SSH certificate actor pattern used to reach + a trusted execution host. +- `railiance-infra` owns host-side principal deployment, force-command wrappers, + and any deployment-side database path. +- The operator secret store, preferably OpenBao, owns long-lived Inter-Hub + operator keys and generated runtime keys. + +## Non-Goals + +- Do not store Inter-Hub operator keys in Git, State Hub, workplans, shell + history, or Codex-visible logs. +- Do not make ops-warden an Inter-Hub API key store. 
+- Do not run live production bootstrap without explicit operator-provided key + material or an approved deployment-side path. +- Do not bypass Inter-Hub APIs when a supported API path exists. + +## Target Routine + +1. Operator materializes an Inter-Hub operator key into a `0600` temp file or + provides it to a trusted host from OpenBao. +2. If a remote execution host is needed, ops-warden signs a short-lived + certificate for a narrow bootstrap actor, such as + `agt-codex-interhub-bootstrap`. +3. Host-side railiance-infra policy maps that principal to a force-command or + narrow wrapper that can run only the bootstrap routine. +4. The bootstrap helper reads `IHUB_OPERATOR_KEY_FILE`, creates or reuses the + ops-hub Inter-Hub records, writes any display-once runtime key to a `0600` + output file, and prints only non-secret evidence. +5. The operator stores the generated runtime key in OpenBao and removes the + temp file. +6. State Hub receives progress evidence with non-secret ids, prefixes, and + validation status. + +## Task: Register Access-Lane Workplan + +```task +id: CUST-WP-0049-T01 +status: done +priority: high +state_hub_task_id: "55f38c44-cb67-4a0a-9b31-7fbbc6f4b6f8" +``` + +Create this workplan, connect it to the blocked ops-hub Inter-Hub activation +path, and keep the ownership boundaries explicit. + +Done when `CUST-WP-0047-T05` and `CUST-WP-0025` can point to this workplan as +the routine for authenticated Inter-Hub bootstrap work. + +## Task: Promote Ops-Hub API Bootstrap Helper + +```task +id: CUST-WP-0049-T02 +status: done +priority: high +state_hub_task_id: "e4f5eaa4-1b68-456c-8f64-df1f52dcbc06" +``` + +Move the working ops-hub Inter-Hub bootstrap helper into the `ops-hub` repo so +the implementation is owned by the repo whose records it creates. 
+ +Deliverables: + +- `ops-hub/scripts/ops-hub-bootstrap-api.py` +- `ops-hub/Makefile` targets for gate probing and attended bootstrap + +Done when the helper loads the `ops-hub/seeds` files, accepts +`IHUB_OPERATOR_KEY_FILE`, avoids printing full keys, and has a local validation +path. + +## Task: Document Operator Bootstrap Routine + +```task +id: CUST-WP-0049-T03 +status: done +priority: high +state_hub_task_id: "7aee3250-143d-45fb-ab92-eb2e1d3b24a6" +``` + +Update the ops-hub bootstrap runbook so an operator can choose the preferred +API path, OpenBao/temp-file custody path, or explicit SQL fallback without +reconstructing prior decisions from chat history. + +Done when the runbook states the routine, inputs, validation commands, and +current live-execution blocker. + +## Task: Document Ops-Warden Access Envelope + +```task +id: CUST-WP-0049-T04 +status: done +priority: high +state_hub_task_id: "caaf115d-debb-417c-b98d-7665cab01cbf" +``` + +Add an ops-warden runbook for the short-lived certificate envelope used by +Inter-Hub bootstrap tasks. + +Done when the doc identifies the actor/principal pattern, TTL guidance, +`ops-ssh-wrapper` usage, host-side boundaries, and secret-custody limits. + +## Task: Sync State Hub + +```task +id: CUST-WP-0049-T05 +status: done +priority: medium +state_hub_task_id: "6818aa6b-672e-482b-8541-2ec143bd298d" +``` + +Run the State Hub consistency sync for `the-custodian` after the workplan file +and linked blocker notes are updated. + +Done when `make fix-consistency REPO=the-custodian` has completed and this +workplan has State Hub ids. 
+ +## Task: Execute Live Ops-Hub Bootstrap + +```task +id: CUST-WP-0049-T06 +status: blocked +priority: high +state_hub_task_id: "782b3846-f9c9-4acb-917b-fc1fcc6f2aec" +``` + +Run the ops-hub production bootstrap against Inter-Hub using either: + +- an operator-provided `IHUB_OPERATOR_KEY_FILE` on the local workstation, +- an OpenBao-materialized operator key on a trusted execution host, or +- an explicitly approved deployment-side migration/bootstrap path. + +Blocked until authenticated Inter-Hub admin access or deployment-side execution +is available for the session. + +Done when the ops-hub Inter-Hub records exist in production, the generated +runtime key is stored outside Git, and non-secret validation evidence is logged +to State Hub. + +## Acceptance Criteria + +- The repeatable access lane is documented in the owning repos. +- The ops-hub bootstrap helper lives in `ops-hub`, not only in a sibling repo. +- The helper supports key-file inputs and never prints full secret values. +- The blocked live-production step is explicit and actionable. +- Custodian State Hub registration reflects the new workplan and task status.
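Review bot: In the `CUST-WP-0025` paragraph added at line 341, the ownership summary names ops-hub, ops-warden and operator secret custody but omits `railiance-infra`, which the new workplan's Ownership Model makes responsible for host-side principal deployment and force-command wrappers. That host-side mapping is what confines the short-lived certificate to the bootstrap routine, so either add it to this sentence or replace the inline summary with a pointer to the Ownership Model section of `CUST-WP-0049`, so the two files cannot drift. This file's diff also carries no front-matter hunk, unlike `CUST-WP-0047` where `updated:` is bumped to "2026-06-17"; check whether the same bump is needed here.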
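Review bot: In the `CUST-WP-0047` access-lane follow-up paragraph (hunk at line 147), "the remaining live-execution blocker" is not tied to a task id, although the new workplan tracks it as `CUST-WP-0049-T06` with `status: blocked`. Name that task here so the "Done when" line that follows has a concrete dependency to check. The same sentence lists "operator key-file custody" among the things `CUST-WP-0049` owns the routine for, while the new workplan's Ownership Model assigns key custody to the operator secret store; wording such as "operator key-file handling" would avoid implying that a workplan in Git holds custody of keys.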
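Review bot: In the new `CUST-WP-0049` file, Target Routine steps 4 and 5 leave one secret-bearing file without a cleanup step: step 4 has the helper write the display-once runtime key to a `0600` output file, but step 5 only says the operator "removes the temp file", which reads as the operator-key temp file from step 1. Step 5 should name both files, for example "stores the generated runtime key in OpenBao, then removes the operator-key temp file and the runtime-key output file". Related: T02 is done when the helper "avoids printing full keys" and step 6 sends "prefixes" to State Hub, so the workplan allows partial key material into logs without bounding it. State the maximum prefix length that counts as non-secret evidence, and align the T02 wording with the acceptance criterion "never prints full secret values".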