the-custodian/workplans/CUST-WP-0049-interhub-bootstrap-access-lane.md

id: CUST-WP-0049
type: workplan
title: Inter-Hub Bootstrap Access Lane
domain: custodian
repo: the-custodian
status: active
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 49
created: 2026-06-17
updated: 2026-06-17
state_hub_workstream_id: 9b56414a-c71f-4e72-9b2b-d2166aaf50d0

CUST-WP-0049 - Inter-Hub Bootstrap Access Lane

Goal

Create a repeatable, auditable lane for finishing Inter-Hub production bootstrap tasks without re-discovering credential, deployment, and operator handoff rules every time.

The immediate target is the ops-hub activation work blocked in CUST-WP-0047-T05. The reusable outcome should also support future Inter-Hub admin/bootstrap tasks from CUST-WP-0025 and adjacent domains.

Problem

The current friction pattern is consistent:

  • The required Inter-Hub action is usually small and well understood.
  • The blocker is access custody: authenticated admin API key, deployment-side migration access, or a trusted execution host.
  • Static keys should not be pasted into Codex sessions or committed.
  • The repo that needs the bootstrap does not own every part of the access chain.

Ownership Model

  • the-custodian owns the coordination workplan, State Hub registration, and cross-workplan blocker language.
  • ops-hub owns the ops-hub manifest/widget seeds, API bootstrap helper, and operator runbook.
  • ops-warden owns the short-lived SSH certificate actor pattern used to reach a trusted execution host.
  • railiance-infra owns host-side principal deployment, force-command wrappers, and any deployment-side database path.
  • The operator secret store, preferably OpenBao, owns long-lived Inter-Hub operator keys and generated runtime keys.

Non-Goals

  • Do not store Inter-Hub operator keys in Git, State Hub, workplans, shell history, or Codex-visible logs.
  • Do not make ops-warden an Inter-Hub API key store.
  • Do not run live production bootstrap without explicit operator-provided key material or an approved deployment-side path.
  • Do not bypass Inter-Hub APIs when a supported API path exists.

Target Routine

  1. Operator materializes an Inter-Hub operator key into a 0600 temp file or provides it to a trusted host from OpenBao.
  2. If a remote execution host is needed, ops-warden signs a short-lived certificate for a narrow bootstrap actor, such as agt-codex-interhub-bootstrap.
  3. Host-side railiance-infra policy maps that principal to a force-command or narrow wrapper that can run only the bootstrap routine.
  4. The bootstrap helper reads IHUB_OPERATOR_KEY_FILE, creates or reuses the ops-hub Inter-Hub records, writes any display-once runtime key to a 0600 output file, and prints only non-secret evidence.
  5. The operator stores the generated runtime key in OpenBao and removes the temp file.
  6. State Hub receives progress evidence with non-secret ids, prefixes, and validation status.
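The custody rules in steps 1, 4 and 5, as an added Python example rather than the ops-hub helper itself: IHUB_OPERATOR_KEY_FILE and the 0600 requirement come from the routine above; the function names, the truncated SHA-256 fingerprint used as non-secret evidence, and the constructed key values are assumptions.

```python
# Added example: the secret-custody pattern from the Target Routine, not the
# ops-hub helper. IHUB_OPERATOR_KEY_FILE and 0600 are from the routine; function
# names, the truncated SHA-256 fingerprint and the evidence shape are assumptions.
import hashlib
import os
import stat


def load_operator_key(path: str) -> str:
    """Read the operator key from a regular file with 0600 custody; refuse anything looser."""
    st = os.lstat(path)  # lstat so a symlink pointing elsewhere is rejected, not followed
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: operator key must be a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: mode {oct(stat.S_IMODE(st.st_mode))} is readable by others; expected 0600")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path}: key file must be owned by the invoking operator")
    with open(path, encoding="utf-8") as fh:
        key = fh.read().strip()
    if not key:
        raise ValueError(f"{path}: operator key file is empty")
    return key


def write_runtime_key(path: str, key: str) -> None:
    """Persist a display-once runtime key into a fresh 0600 file; never overwrite an existing one."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(key + "\n")


def evidence(key: str, prefix_len: int = 8) -> dict:
    """Non-secret evidence for State Hub: the key prefix and a truncated SHA-256 fingerprint."""
    fingerprint = hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]
    return {"key_prefix": key[:prefix_len], "sha256_fingerprint": fingerprint, "validation": "ok"}


def bootstrap_from_env(runtime_key: str, out_path: str) -> dict:
    """Entry point: read IHUB_OPERATOR_KEY_FILE, store the runtime key (stand-in for the API's display-once key), report evidence only."""
    key_file = os.environ.get("IHUB_OPERATOR_KEY_FILE")
    if not key_file:
        raise RuntimeError("IHUB_OPERATOR_KEY_FILE is not set; refusing to run without operator-provided key material")
    operator_key = load_operator_key(key_file)
    write_runtime_key(out_path, runtime_key)
    # Only prefixes and fingerprints leave this function; full keys stay in the 0600 files.
    return {"operator_key": evidence(operator_key), "runtime_key": evidence(runtime_key), "runtime_key_file": out_path}
```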

Task: Register Access-Lane Workplan

id: CUST-WP-0049-T01
status: done
priority: high
state_hub_task_id: "55f38c44-cb67-4a0a-9b31-7fbbc6f4b6f8"

Create this workplan, connect it to the blocked ops-hub Inter-Hub activation path, and keep the ownership boundaries explicit.

Done when CUST-WP-0047-T05 and CUST-WP-0025 can point to this workplan as the routine for authenticated Inter-Hub bootstrap work.

Task: Promote Ops-Hub API Bootstrap Helper

id: CUST-WP-0049-T02
status: done
priority: high
state_hub_task_id: "e4f5eaa4-1b68-456c-8f64-df1f52dcbc06"

Move the working ops-hub Inter-Hub bootstrap helper into the ops-hub repo so the implementation is owned by the repo whose records it creates.

Deliverables:

  • ops-hub/scripts/ops-hub-bootstrap-api.py
  • ops-hub/Makefile targets for gate probing and attended bootstrap

Done when the helper loads the ops-hub/seeds files, accepts IHUB_OPERATOR_KEY_FILE, avoids printing full keys, and has a local validation path.

Task: Document Operator Bootstrap Routine

id: CUST-WP-0049-T03
status: done
priority: high
state_hub_task_id: "7aee3250-143d-45fb-ab92-eb2e1d3b24a6"

Update the ops-hub bootstrap runbook so an operator can choose the preferred API path, OpenBao/temp-file custody path, or explicit SQL fallback without reconstructing prior decisions from chat history.

Done when the runbook states the routine, inputs, validation commands, and current live-execution blocker.

Task: Document Ops-Warden Access Envelope

id: CUST-WP-0049-T04
status: done
priority: high
state_hub_task_id: "caaf115d-debb-417c-b98d-7665cab01cbf"

Add an ops-warden runbook for the short-lived certificate envelope used by Inter-Hub bootstrap tasks.

Done when the doc identifies the actor/principal pattern, TTL guidance, ops-ssh-wrapper usage, host-side boundaries, and secret-custody limits.

Task: Sync State Hub

id: CUST-WP-0049-T05
status: done
priority: medium
state_hub_task_id: "6818aa6b-672e-482b-8541-2ec143bd298d"

Run the State Hub consistency sync for the-custodian after the workplan file and linked blocker notes are updated.

Done when make fix-consistency REPO=the-custodian has completed and this workplan has State Hub ids.

Task: Execute Live Ops-Hub Bootstrap

id: CUST-WP-0049-T06
status: blocked
priority: high
state_hub_task_id: "782b3846-f9c9-4acb-917b-fc1fcc6f2aec"

Run the ops-hub production bootstrap against Inter-Hub using either:

  • an operator-provided IHUB_OPERATOR_KEY_FILE on the local workstation,
  • an OpenBao-materialized operator key on a trusted execution host, or
  • an explicitly approved deployment-side migration/bootstrap path.

Blocked until authenticated Inter-Hub admin access or deployment-side execution is available for the session.

Done when the ops-hub Inter-Hub records exist in production, the generated runtime key is stored outside Git, and non-secret validation evidence is logged to State Hub.

Acceptance Criteria

  • The repeatable access lane is documented in the owning repos.
  • The ops-hub bootstrap helper lives in ops-hub, not only in a sibling repo.
  • The helper supports key-file inputs and never prints full secret values.
  • The blocked live-production step is explicit and actionable.
  • Custodian State Hub registration reflects the new workplan and task status.