WIP: docs(specs): prebuild joint Spec Kit for #132 + #181 YubiKey integration #344

Closed
claude wants to merge 1 commit from claude/spec/yubikey-platform-integration-v0 into main

Summary

Combines two related issues into one domain-aligned Spec Kit:

  • #132 YubiKey-backed operator consent for bounded agent execution → v0 presence gate
  • #181 2× YubiKey 6-role integration → v0.1 6-role rollout (operator-paced)

Role 6 (presence gate) delivered in v0. Roles 1-5 in v0.1.

Safety / production boundary

This PR prepares implementation only. Does NOT authorize:

  • Modification of operator's actual YubiKey enrollment
  • Synology/Forgejo/Infisical 2FA config on real accounts
  • ADR-0013 4th replica age key migration
  • Sacred-path modification
  • Approval token issuance against real production
  • Software-only fallback for hardware requirements

What's in

  • docs/specs/yubikey-platform-integration-v0/ (6 files):
    • Constitution P1-P8 (physical presence is gate not hint; bounded manifest signed; backup key required; layered roles; presence ≠ policy bypass; lost-key survivable; hardware-rooted audit; no software fallback per ADR-0018)
    • Specify v0 + v0.1 in/out of scope + functional acceptance
    • Plan with D1-D7 (PIV slot signing, signed JSON token, conservative TTL, dual enrollment, operator-pace adoption, capability composition with #76, audit binds serial)
    • Tasks: v0 (a)/(b)/(c) Full + (d) Lite; v0.1 (e)-(h) Lite runbooks
    • Implement notes with adversarial paths + manual smoke checklist + per-role adoption verification
    • README navigation
  • prompts/codex-yubikey-platform-integration.md (companion execution prompt)

Slices summary

v0 — Presence gate (#132)

| Slice | Tier | Branch |
|---|---|---|
| (a) manifest + approve/verify | Full | `codex/yubikey/slice-a-approve-verify` |
| (b) Access Plane compose + audit | Full | `codex/yubikey/slice-b-access-plane-compose` |
| (c) step-up tier matrix | Full | `codex/yubikey/slice-c-tiers` |
| (d) doctor + recovery runbook | Lite | `codex/yubikey/slice-d-doctor-recovery` |

v0.1 — Role rollout (#181)

| Slice | Role | Tier |
|---|---|---|
| (e) | Role 1 Synology DSM 2FA | Lite |
| (f) | Role 2 SSH PIV slot | Lite |
| (g) | Role 3 age-plugin-yubikey | Lite |
| (h) | Roles 4+5 Forgejo & Infisical 2FA | Lite |

Composition

Composes with #76 Agent Access Plane Slice (d) approval backend + ADR-0013 4th replica. Independent of #79 lifecycle, #56 MCP identity, #134 Wake Bus.

Demo target

Product Pro Summit per #132: operator brief → manifest → YubiKey touch → bounded Hermes window → Heartswarm delivery loop after second touch. Includes lost-key recovery drill rehearsal once before Summit.

Tier

Trivial per ADR-0007 (docs-only).

Refs #132 #181 #76 #178 #180 #179

docs(specs): prebuild joint Spec Kit for #132 + #181 YubiKey integration (WIP)
All checks were successful
base-is-main / guard (pull_request) Successful in 2s
canary-required / collect-diff (pull_request) Successful in 4s
patchwarden-pr-sanity / collect-diff (pull_request) Successful in 3s
canary-required / canary (pull_request) Successful in 12s
patchwarden-pr-sanity / sanity (pull_request) Successful in 18s
eb3ec1e06c
Combines two related issues into a single domain-aligned Spec Kit:
- #132 explore(security): YubiKey-backed operator consent for bounded
  agent execution → v0 presence gate (highest immediate value)
- #181 Phase 08+ scope: integrate 2× YubiKey into platform auth chain
  (6 roles) → v0.1 6-role rollout (operator-paced)

Role 6 = presence gate, delivered in v0. Roles 1-5 = Synology DSM 2FA,
SSH PIV slot, age-plugin-yubikey co-storage, Forgejo 2FA, Infisical
2FA — delivered in v0.1 as operator-paced runbooks.

Constitution P1-P8 non-negotiable: physical presence is THE gate
(not hint), bounded manifest signed, backup key requirement, layered
roles per step-up matrix, presence does NOT bypass software policy,
lost-key operationally survivable, audit hardware-rooted, ADR-0018
no software fallback.

v0 slices: manifest + approve/verify (Full) / Access Plane compose +
audit (Full) / step-up tier matrix (Full) / doctor + recovery runbook
(Lite).

v0.1 slices: Role 1 Synology / Role 2 SSH PIV / Role 3 age plugin /
Roles 4+5 WebAuthn — all Lite runbooks, operator-paced.

Composes with #76 Agent Access Plane Slice (d) approval backend +
ADR-0013 4th replica age co-storage. Independent of #79 lifecycle,
#56 MCP identity, #134 Wake Bus.

Companion: prompts/codex-yubikey-platform-integration.md.

Tier: Trivial per ADR-0007 (docs-only).

Refs #132 #181 #76 #178 #180 #179

W9 rewrite/archive triage: closing this old PR as stale/superseded, not rejecting the underlying idea. Reason: Draft YubiKey spec is stale and security-sensitive; rewrite from current #132/#181 context if the lane is reopened.

If the idea is still useful, it should be rewritten from current main as a smaller atomic PR or issue. No old branch should merge only because it is green.

codex closed this pull request 2026-05-27 08:41:19 +02:00

Reference
pdurlej/platform!344