feat(custodian): add interhub bootstrap access lane
@@ -341,6 +341,12 @@ activity-core probes. The T13-T19 tasks below remain the long-term ops-hub
|
|||||||
implementation; the inventory slice produces input artifacts that the eventual
|
implementation; the inventory slice produces input artifacts that the eventual
|
||||||
ops-hub repo can ingest rather than replace.
|
ops-hub repo can ingest rather than replace.
|
||||||
|
|
||||||
|
**Inter-Hub bootstrap access lane (2026-06-17):** `CUST-WP-0049` extracts the
|
||||||
|
repeatable authenticated bootstrap routine needed to finish ops-hub production
|
||||||
|
activation without leaking keys into agent sessions: ops-hub owns the helper,
|
||||||
|
ops-warden owns the short-lived SSH certificate envelope, and operator secret
|
||||||
|
custody remains outside Git.
|
||||||
|
|
||||||
### T13 — Create ops-hub repo from hub-core scaffold
|
### T13 — Create ops-hub repo from hub-core scaffold
|
||||||
|
|
||||||
```task
|
```task
|
||||||
|
|||||||
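Review bot: The ownership summary in the added "Inter-Hub bootstrap access lane" paragraph is incomplete against the workplan it points to. It names ops-hub and ops-warden but omits railiance-infra, which `CUST-WP-0049` lists as owner of host-side principal deployment and force-command wrappers, and "operator secret custody remains outside Git" does not say where custody does live. Suggest either adding railiance-infra and the operator secret store (the workplan states OpenBao as preferred) or replacing the partial list with a pointer to the workplan's Ownership Model section, so the two documents cannot drift apart.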
@@ -10,7 +10,7 @@ topic_slug: custodian
|
|||||||
planning_priority: high
|
planning_priority: high
|
||||||
planning_order: 47
|
planning_order: 47
|
||||||
created: "2026-06-05"
|
created: "2026-06-05"
|
||||||
updated: "2026-06-16"
|
updated: "2026-06-17"
|
||||||
state_hub_workstream_id: "656e435d-3a00-4f5e-a38e-114467f9062e"
|
state_hub_workstream_id: "656e435d-3a00-4f5e-a38e-114467f9062e"
|
||||||
---
|
---
|
||||||
|
|
||||||
@@ -147,6 +147,11 @@ consumer, and initial widgets from the existing seed material in
|
|||||||
This is a human/operator-gated task because it requires authenticated
|
This is a human/operator-gated task because it requires authenticated
|
||||||
Inter-Hub admin access or deployment-side migration execution.
|
Inter-Hub admin access or deployment-side migration execution.
|
||||||
|
|
||||||
|
Access-lane follow-up (2026-06-17): `CUST-WP-0049` owns the reusable routine
|
||||||
|
for getting this class of production bootstrap across the line: ops-hub API
|
||||||
|
helper, operator key-file custody, ops-warden short-lived SSH envelope, and the
|
||||||
|
remaining live-execution blocker.
|
||||||
|
|
||||||
Done when the ops-hub widgets exist and can accept `ops-endpoint-verified` or
|
Done when the ops-hub widgets exist and can accept `ops-endpoint-verified` or
|
||||||
equivalent ops evidence events.
|
equivalent ops evidence events.
|
||||||
|
|
||||||
|
|||||||
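Review bot: "the remaining live-execution blocker" at the end of the Access-lane follow-up is not traceable from this task. The new workplan tracks it as `CUST-WP-0049-T06` with `status: blocked`; suggest naming that task id here so a reader can check one status field, and stating whether this task's "Done when" condition depends on T06 completing.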
189
workplans/CUST-WP-0049-interhub-bootstrap-access-lane.md
Normal file
@@ -0,0 +1,189 @@
|
|||||||
|
---
|
||||||
|
id: CUST-WP-0049
|
||||||
|
type: workplan
|
||||||
|
title: "Inter-Hub Bootstrap Access Lane"
|
||||||
|
domain: custodian
|
||||||
|
repo: the-custodian
|
||||||
|
status: active
|
||||||
|
owner: codex
|
||||||
|
topic_slug: custodian
|
||||||
|
planning_priority: high
|
||||||
|
planning_order: 49
|
||||||
|
created: "2026-06-17"
|
||||||
|
updated: "2026-06-17"
|
||||||
|
state_hub_workstream_id: "9b56414a-c71f-4e72-9b2b-d2166aaf50d0"
|
||||||
|
---
|
||||||
|
|
||||||
|
# CUST-WP-0049 - Inter-Hub Bootstrap Access Lane
|
||||||
|
|
||||||
|
## Goal
|
||||||
|
|
||||||
|
Create a repeatable, auditable lane for finishing Inter-Hub production
|
||||||
|
bootstrap tasks without re-discovering credential, deployment, and operator
|
||||||
|
handoff rules every time.
|
||||||
|
|
||||||
|
The immediate target is the ops-hub activation work blocked in
|
||||||
|
`CUST-WP-0047-T05`. The reusable outcome should also support future
|
||||||
|
Inter-Hub admin/bootstrap tasks from `CUST-WP-0025` and adjacent domains.
|
||||||
|
|
||||||
|
## Problem
|
||||||
|
|
||||||
|
The current friction pattern is consistent:
|
||||||
|
|
||||||
|
- The required Inter-Hub action is usually small and well understood.
|
||||||
|
- The blocker is access custody: authenticated admin API key, deployment-side
|
||||||
|
migration access, or a trusted execution host.
|
||||||
|
- Static keys should not be pasted into Codex sessions or committed.
|
||||||
|
- The repo that needs the bootstrap does not own every part of the access
|
||||||
|
chain.
|
||||||
|
|
||||||
|
## Ownership Model
|
||||||
|
|
||||||
|
- `the-custodian` owns the coordination workplan, State Hub registration, and
|
||||||
|
cross-workplan blocker language.
|
||||||
|
- `ops-hub` owns the ops-hub manifest/widget seeds, API bootstrap helper, and
|
||||||
|
operator runbook.
|
||||||
|
- `ops-warden` owns the short-lived SSH certificate actor pattern used to reach
|
||||||
|
a trusted execution host.
|
||||||
|
- `railiance-infra` owns host-side principal deployment, force-command wrappers,
|
||||||
|
and any deployment-side database path.
|
||||||
|
- The operator secret store, preferably OpenBao, owns long-lived Inter-Hub
|
||||||
|
operator keys and generated runtime keys.
|
||||||
|
|
||||||
|
## Non-Goals
|
||||||
|
|
||||||
|
- Do not store Inter-Hub operator keys in Git, State Hub, workplans, shell
|
||||||
|
history, or Codex-visible logs.
|
||||||
|
- Do not make ops-warden an Inter-Hub API key store.
|
||||||
|
- Do not run live production bootstrap without explicit operator-provided key
|
||||||
|
material or an approved deployment-side path.
|
||||||
|
- Do not bypass Inter-Hub APIs when a supported API path exists.
|
||||||
|
|
||||||
|
## Target Routine
|
||||||
|
|
||||||
|
1. Operator materializes an Inter-Hub operator key into a `0600` temp file or
|
||||||
|
provides it to a trusted host from OpenBao.
|
||||||
|
2. If a remote execution host is needed, ops-warden signs a short-lived
|
||||||
|
certificate for a narrow bootstrap actor, such as
|
||||||
|
`agt-codex-interhub-bootstrap`.
|
||||||
|
3. Host-side railiance-infra policy maps that principal to a force-command or
|
||||||
|
narrow wrapper that can run only the bootstrap routine.
|
||||||
|
4. The bootstrap helper reads `IHUB_OPERATOR_KEY_FILE`, creates or reuses the
|
||||||
|
ops-hub Inter-Hub records, writes any display-once runtime key to a `0600`
|
||||||
|
output file, and prints only non-secret evidence.
|
||||||
|
5. The operator stores the generated runtime key in OpenBao and removes the
|
||||||
|
temp file.
|
||||||
|
6. State Hub receives progress evidence with non-secret ids, prefixes, and
|
||||||
|
validation status.
|
||||||
|
|
||||||
|
## Task: Register Access-Lane Workplan
|
||||||
|
|
||||||
|
```task
|
||||||
|
id: CUST-WP-0049-T01
|
||||||
|
status: done
|
||||||
|
priority: high
|
||||||
|
state_hub_task_id: "55f38c44-cb67-4a0a-9b31-7fbbc6f4b6f8"
|
||||||
|
```
|
||||||
|
|
||||||
|
Create this workplan, connect it to the blocked ops-hub Inter-Hub activation
|
||||||
|
path, and keep the ownership boundaries explicit.
|
||||||
|
|
||||||
|
Done when `CUST-WP-0047-T05` and `CUST-WP-0025` can point to this workplan as
|
||||||
|
the routine for authenticated Inter-Hub bootstrap work.
|
||||||
|
|
||||||
|
## Task: Promote Ops-Hub API Bootstrap Helper
|
||||||
|
|
||||||
|
```task
|
||||||
|
id: CUST-WP-0049-T02
|
||||||
|
status: done
|
||||||
|
priority: high
|
||||||
|
state_hub_task_id: "e4f5eaa4-1b68-456c-8f64-df1f52dcbc06"
|
||||||
|
```
|
||||||
|
|
||||||
|
Move the working ops-hub Inter-Hub bootstrap helper into the `ops-hub` repo so
|
||||||
|
the implementation is owned by the repo whose records it creates.
|
||||||
|
|
||||||
|
Deliverables:
|
||||||
|
|
||||||
|
- `ops-hub/scripts/ops-hub-bootstrap-api.py`
|
||||||
|
- `ops-hub/Makefile` targets for gate probing and attended bootstrap
|
||||||
|
|
||||||
|
Done when the helper loads the `ops-hub/seeds` files, accepts
|
||||||
|
`IHUB_OPERATOR_KEY_FILE`, avoids printing full keys, and has a local validation
|
||||||
|
path.
|
||||||
|
|
||||||
|
## Task: Document Operator Bootstrap Routine
|
||||||
|
|
||||||
|
```task
|
||||||
|
id: CUST-WP-0049-T03
|
||||||
|
status: done
|
||||||
|
priority: high
|
||||||
|
state_hub_task_id: "7aee3250-143d-45fb-ab92-eb2e1d3b24a6"
|
||||||
|
```
|
||||||
|
|
||||||
|
Update the ops-hub bootstrap runbook so an operator can choose the preferred
|
||||||
|
API path, OpenBao/temp-file custody path, or explicit SQL fallback without
|
||||||
|
reconstructing prior decisions from chat history.
|
||||||
|
|
||||||
|
Done when the runbook states the routine, inputs, validation commands, and
|
||||||
|
current live-execution blocker.
|
||||||
|
|
||||||
|
## Task: Document Ops-Warden Access Envelope
|
||||||
|
|
||||||
|
```task
|
||||||
|
id: CUST-WP-0049-T04
|
||||||
|
status: done
|
||||||
|
priority: high
|
||||||
|
state_hub_task_id: "caaf115d-debb-417c-b98d-7665cab01cbf"
|
||||||
|
```
|
||||||
|
|
||||||
|
Add an ops-warden runbook for the short-lived certificate envelope used by
|
||||||
|
Inter-Hub bootstrap tasks.
|
||||||
|
|
||||||
|
Done when the doc identifies the actor/principal pattern, TTL guidance,
|
||||||
|
`ops-ssh-wrapper` usage, host-side boundaries, and secret-custody limits.
|
||||||
|
|
||||||
|
## Task: Sync State Hub
|
||||||
|
|
||||||
|
```task
|
||||||
|
id: CUST-WP-0049-T05
|
||||||
|
status: done
|
||||||
|
priority: medium
|
||||||
|
state_hub_task_id: "6818aa6b-672e-482b-8541-2ec143bd298d"
|
||||||
|
```
|
||||||
|
|
||||||
|
Run the State Hub consistency sync for `the-custodian` after the workplan file
|
||||||
|
and linked blocker notes are updated.
|
||||||
|
|
||||||
|
Done when `make fix-consistency REPO=the-custodian` has completed and this
|
||||||
|
workplan has State Hub ids.
|
||||||
|
|
||||||
|
## Task: Execute Live Ops-Hub Bootstrap
|
||||||
|
|
||||||
|
```task
|
||||||
|
id: CUST-WP-0049-T06
|
||||||
|
status: blocked
|
||||||
|
priority: high
|
||||||
|
state_hub_task_id: "782b3846-f9c9-4acb-917b-fc1fcc6f2aec"
|
||||||
|
```
|
||||||
|
|
||||||
|
Run the ops-hub production bootstrap against Inter-Hub using either:
|
||||||
|
|
||||||
|
- an operator-provided `IHUB_OPERATOR_KEY_FILE` on the local workstation,
|
||||||
|
- an OpenBao-materialized operator key on a trusted execution host, or
|
||||||
|
- an explicitly approved deployment-side migration/bootstrap path.
|
||||||
|
|
||||||
|
Blocked until authenticated Inter-Hub admin access or deployment-side execution
|
||||||
|
is available for the session.
|
||||||
|
|
||||||
|
Done when the ops-hub Inter-Hub records exist in production, the generated
|
||||||
|
runtime key is stored outside Git, and non-secret validation evidence is logged
|
||||||
|
to State Hub.
|
||||||
|
|
||||||
|
## Acceptance Criteria
|
||||||
|
|
||||||
|
- The repeatable access lane is documented in the owning repos.
|
||||||
|
- The ops-hub bootstrap helper lives in `ops-hub`, not only in a sibling repo.
|
||||||
|
- The helper supports key-file inputs and never prints full secret values.
|
||||||
|
- The blocked live-production step is explicit and actionable.
|
||||||
|
- Custodian State Hub registration reflects the new workplan and task status.
|
||||||
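Review bot: Target Routine step 5 cleans up only one temp file, and the text does not say which. Step 1 materializes the operator key into a `0600` temp file and step 4 writes the display-once runtime key to a second `0600` output file, but "removes the temp file" leaves the operator key file's lifetime undefined. Suggest making step 5 remove both files explicitly. Relatedly, the Acceptance Criteria require that the helper "supports key-file inputs and never prints full secret values" but nothing requires it to refuse an `IHUB_OPERATOR_KEY_FILE` whose mode is broader than `0600`, or to create the output file with restrictive permissions at creation time rather than tightening them afterwards; both are worth adding as criteria. Step 6 sends "prefixes" to State Hub without bounding their length, so a maximum prefix length should be stated. Finally, T02 through T04 are marked `status: done` while their deliverables live in `ops-hub` and `ops-warden`, which this commit does not touch; a commit or PR reference per task would let a reviewer verify them.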