---
id: CUST-WP-0049
type: workplan
title: "Inter-Hub Bootstrap Access Lane"
domain: custodian
repo: the-custodian
status: active
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 49
created: "2026-06-17"
updated: "2026-06-17"
state_hub_workstream_id: "9b56414a-c71f-4e72-9b2b-d2166aaf50d0"
---

# CUST-WP-0049 - Inter-Hub Bootstrap Access Lane

## Goal

Create a repeatable, auditable lane for finishing Inter-Hub production bootstrap tasks without re-discovering credential, deployment, and operator handoff rules every time.

The immediate target is the ops-hub activation work blocked in `CUST-WP-0047-T05`. The reusable outcome should also support future Inter-Hub admin/bootstrap tasks from `CUST-WP-0025` and adjacent domains.

## Problem

The current friction pattern is consistent:

- The required Inter-Hub action is usually small and well understood.
- The blocker is access custody: authenticated admin API key, deployment-side migration access, or a trusted execution host.
- Static keys should not be pasted into Codex sessions or committed.
- The repo that needs the bootstrap does not own every part of the access chain.

## Ownership Model

- `the-custodian` owns the coordination workplan, State Hub registration, and cross-workplan blocker language.
- `ops-hub` owns the ops-hub manifest/widget seeds, API bootstrap helper, and operator runbook.
- `ops-warden` owns the short-lived SSH certificate actor pattern used to reach a trusted execution host.
- `railiance-infra` owns host-side principal deployment, force-command wrappers, and any deployment-side database path.
- The operator secret store, preferably OpenBao, owns long-lived Inter-Hub operator keys and generated runtime keys.

## Non-Goals

- Do not store Inter-Hub operator keys in Git, State Hub, workplans, shell history, or Codex-visible logs.
- Do not make ops-warden an Inter-Hub API key store.
- Do not run live production bootstrap without explicit operator-provided key material or an approved deployment-side path.
- Do not bypass Inter-Hub APIs when a supported API path exists.

## Target Routine

1. Operator materializes an Inter-Hub operator key into a `0600` temp file or provides it to a trusted host from OpenBao.
2. If a remote execution host is needed, ops-warden signs a short-lived certificate for a narrow bootstrap actor, such as `agt-codex-interhub-bootstrap`.
3. Host-side railiance-infra policy maps that principal to a force-command or narrow wrapper that can run only the bootstrap routine.
4. The bootstrap helper reads `IHUB_OPERATOR_KEY_FILE`, creates or reuses the ops-hub Inter-Hub records, writes any display-once runtime key to a `0600` output file, and prints only non-secret evidence.
5. The operator stores the generated runtime key in OpenBao and removes the temp file.
6. State Hub receives progress evidence with non-secret ids, prefixes, and validation status.

## Task: Register Access-Lane Workplan

```task
id: CUST-WP-0049-T01
status: done
priority: high
state_hub_task_id: "55f38c44-cb67-4a0a-9b31-7fbbc6f4b6f8"
```

Create this workplan, connect it to the blocked ops-hub Inter-Hub activation path, and keep the ownership boundaries explicit.

Done when `CUST-WP-0047-T05` and `CUST-WP-0025` can point to this workplan as the routine for authenticated Inter-Hub bootstrap work.

## Task: Promote Ops-Hub API Bootstrap Helper

```task
id: CUST-WP-0049-T02
status: done
priority: high
state_hub_task_id: "e4f5eaa4-1b68-456c-8f64-df1f52dcbc06"
```

Move the working ops-hub Inter-Hub bootstrap helper into the `ops-hub` repo so the implementation is owned by the repo whose records it creates.

Deliverables:

- `ops-hub/scripts/ops-hub-bootstrap-api.py`
- `ops-hub/Makefile` targets for gate probing and attended bootstrap

Done when the helper loads the `ops-hub/seeds` files, accepts `IHUB_OPERATOR_KEY_FILE`, avoids printing full keys, and has a local validation path.

## Task: Document Operator Bootstrap Routine

```task
id: CUST-WP-0049-T03
status: done
priority: high
state_hub_task_id: "7aee3250-143d-45fb-ab92-eb2e1d3b24a6"
```

Update the ops-hub bootstrap runbook so an operator can choose the preferred API path, OpenBao/temp-file custody path, or explicit SQL fallback without reconstructing prior decisions from chat history.

Done when the runbook states the routine, inputs, validation commands, and current live-execution blocker.

## Task: Document Ops-Warden Access Envelope

```task
id: CUST-WP-0049-T04
status: done
priority: high
state_hub_task_id: "caaf115d-debb-417c-b98d-7665cab01cbf"
```

Add an ops-warden runbook for the short-lived certificate envelope used by Inter-Hub bootstrap tasks.

Done when the doc identifies the actor/principal pattern, TTL guidance, `ops-ssh-wrapper` usage, host-side boundaries, and secret-custody limits.

## Task: Sync State Hub

```task
id: CUST-WP-0049-T05
status: done
priority: medium
state_hub_task_id: "6818aa6b-672e-482b-8541-2ec143bd298d"
```

Run the State Hub consistency sync for `the-custodian` after the workplan file and linked blocker notes are updated.

Done when `make fix-consistency REPO=the-custodian` has completed and this workplan has State Hub ids.

## Task: Execute Live Ops-Hub Bootstrap

```task
id: CUST-WP-0049-T06
status: blocked
priority: high
state_hub_task_id: "782b3846-f9c9-4acb-917b-fc1fcc6f2aec"
```

Run the ops-hub production bootstrap against Inter-Hub using either:

- an operator-provided `IHUB_OPERATOR_KEY_FILE` on the local workstation,
- an OpenBao-materialized operator key on a trusted execution host, or
- an explicitly approved deployment-side migration/bootstrap path.

Blocked until authenticated Inter-Hub admin access or deployment-side execution is available for the session.

Done when the ops-hub Inter-Hub records exist in production, the generated runtime key is stored outside Git, and non-secret validation evidence is logged to State Hub.

## Acceptance Criteria

- The repeatable access lane is documented in the owning repos.
- The ops-hub bootstrap helper lives in `ops-hub`, not only in a sibling repo.
- The helper supports key-file inputs and never prints full secret values.
- The blocked live-production step is explicit and actionable.
- Custodian State Hub registration reflects the new workplan and task status.
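
The key-file handling described in step 4 of the Target Routine and in the acceptance criteria, as an added example (not the project's `ops-hub-bootstrap-api.py`, whose contents this workplan does not show). Only `IHUB_OPERATOR_KEY_FILE` and the `0600` mode come from the workplan; the function names, the evidence fields and the 6-character prefix length are assumptions.

```python
import hashlib
import os
import stat

KEY_ENV = "IHUB_OPERATOR_KEY_FILE"  # variable name taken from the workplan


def load_operator_key(env=os.environ):
    """Read the operator key; refuse anything but an owner-only regular file."""
    path = env.get(KEY_ENV)
    if not path:
        raise RuntimeError(f"{KEY_ENV} is not set")
    # O_NOFOLLOW refuses a symlink at the key path; O_NONBLOCK avoids hanging on a FIFO.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        st = os.fstat(fd)  # inspect the opened file, not the path (no TOCTOU gap)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("key path is not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError("key file is owned by another user")
        if stat.S_IMODE(st.st_mode) & 0o077:
            raise PermissionError("key file must be 0600 or stricter")
        key = os.read(fd, 4096).decode().strip()
    finally:
        os.close(fd)
    if not key:
        raise ValueError("key file is empty")
    return key


def write_display_once(secret, out_path):
    """Create out_path as 0600; O_EXCL fails rather than overwrite an earlier key."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(out_path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fd, 0o600)  # exact mode regardless of umask
        fh.write(secret + "\n")


def evidence(label, secret, prefix_len=6):
    """Loggable evidence only: a short prefix and a truncated SHA-256 fingerprint.

    Assumes a high-entropy generated key, so neither value helps recover it.
    """
    digest = hashlib.sha256(secret.encode()).hexdigest()
    return {"label": label, "prefix": secret[:prefix_len], "sha256_12": digest[:12]}
```

Only the dictionary returned by `evidence` is meant for stdout or State Hub; the key and the display-once value stay in the `0600` files until the operator moves them into OpenBao.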