pdurlej/platform

Fork 0

docs(vault): add safe-session CA dual-trust bootstrap #618

Merged

pdurlej merged 1 commit from codex/m04-safe-session-ca-dual-trust-bootstrap into main

2026-05-29 22:47:55 +02:00

codex commented

2026-05-29 22:35:04 +02:00

Collaborator

Canary status: local preflight green; Forgejo checks pending

Summary

This PR adds the missing safe-session CA bootstrap/trust handoff gate before any live Vault sunset cutover.

DeepSeek V4 Pro redteam returned HOLD on doing live CA handoff immediately because replacing /etc/ssh/trusted-user-ca-keys.pem would invalidate outstanding Vault-signed certificates. This PR implements the recommended safe path: a temporary dual-trust window.

What changed

Added scripts/cutover/safe-session-ca-dual-trust-bootstrap.sh.
Updated runbooks/safe-session-local-ca-cutover.md with the CA bootstrap and dual-trust handoff procedure.
Updated runbooks/vault-quarantine-and-sunset.md preconditions so Vault quarantine requires dual-trust handoff and local signer cutover evidence first.
Updated scripts/cutover/README.md.
Added tests for the bootstrap script contract.

Safety model

Default mode is read-only:

scripts/cutover/safe-session-ca-dual-trust-bootstrap.sh --check

The write path requires an explicit separate gate:

scripts/cutover/safe-session-ca-dual-trust-bootstrap.sh \
  --execute \
  --confirm m04-safe-session-ca-bootstrap-approved

The script appends the new public CA to TrustedUserCAKeys; it does not replace the old Vault CA in one step. Vault-signed certificates remain valid during the dual-trust window.

Validation

bash -n scripts/cutover/safe-session-ca-dual-trust-bootstrap.sh
bash -n scripts/cutover/safe-session-local-ca-preflight.sh
bash -n scripts/cutover/vault-sunset-readiness.sh
UV_CACHE_DIR=/private/tmp/codex-uv-cache PYTHONPATH=control-plane uv run --project control-plane pytest tests/test_safe_session_ca_bootstrap.py -q — 5 passed.
UV_CACHE_DIR=/private/tmp/codex-uv-cache PYTHONPATH=control-plane uv run --project control-plane python -m platformctl.cli validate all --json — exitCode 0.
RS2000 read-only check: current trusted CA present, one active line; local CA key/pub missing; execute still gated.

DeepSeek V4 Pro redteam

Verdict before this PR: HOLD.

Blockers were:

replacing trusted CA would invalidate outstanding Vault-signed certs;
runbook did not document SSH trust handoff/bootstrap;
runtime cutover gate phrase was not provided;
local CA material was not staged.

This PR addresses the first two as repo/runbook/script gates. It does not execute bootstrap or runtime cutover.

Non-goals

No live Infisical write in this PR.
No SSH trust mutation in this PR.
No safe-session runtime cutover in this PR.
No Vault stop/quarantine/delete.

Canary status: local preflight green; Forgejo checks pending ## Summary This PR adds the missing safe-session CA bootstrap/trust handoff gate before any live Vault sunset cutover. DeepSeek V4 Pro redteam returned HOLD on doing live CA handoff immediately because replacing `/etc/ssh/trusted-user-ca-keys.pem` would invalidate outstanding Vault-signed certificates. This PR implements the recommended safe path: a temporary dual-trust window. ## What changed - Added `scripts/cutover/safe-session-ca-dual-trust-bootstrap.sh`. - Updated `runbooks/safe-session-local-ca-cutover.md` with the CA bootstrap and dual-trust handoff procedure. - Updated `runbooks/vault-quarantine-and-sunset.md` preconditions so Vault quarantine requires dual-trust handoff and local signer cutover evidence first. - Updated `scripts/cutover/README.md`. - Added tests for the bootstrap script contract. ## Safety model Default mode is read-only: ```bash scripts/cutover/safe-session-ca-dual-trust-bootstrap.sh --check ``` The write path requires an explicit separate gate: ```bash scripts/cutover/safe-session-ca-dual-trust-bootstrap.sh \ --execute \ --confirm m04-safe-session-ca-bootstrap-approved ``` The script appends the new public CA to `TrustedUserCAKeys`; it does not replace the old Vault CA in one step. Vault-signed certificates remain valid during the dual-trust window. ## Validation - `bash -n scripts/cutover/safe-session-ca-dual-trust-bootstrap.sh` - `bash -n scripts/cutover/safe-session-local-ca-preflight.sh` - `bash -n scripts/cutover/vault-sunset-readiness.sh` - `UV_CACHE_DIR=/private/tmp/codex-uv-cache PYTHONPATH=control-plane uv run --project control-plane pytest tests/test_safe_session_ca_bootstrap.py -q` — 5 passed. - `UV_CACHE_DIR=/private/tmp/codex-uv-cache PYTHONPATH=control-plane uv run --project control-plane python -m platformctl.cli validate all --json` — exitCode 0. - RS2000 read-only check: current trusted CA present, one active line; local CA key/pub missing; execute still gated. ## DeepSeek V4 Pro redteam Verdict before this PR: HOLD. Blockers were: - replacing trusted CA would invalidate outstanding Vault-signed certs; - runbook did not document SSH trust handoff/bootstrap; - runtime cutover gate phrase was not provided; - local CA material was not staged. This PR addresses the first two as repo/runbook/script gates. It does not execute bootstrap or runtime cutover. ## Non-goals - No live Infisical write in this PR. - No SSH trust mutation in this PR. - No safe-session runtime cutover in this PR. - No Vault stop/quarantine/delete.

codex added 1 commit

2026-05-29 22:35:04 +02:00

docs(vault): add safe-session CA dual-trust bootstrap

canary-required / collect-diff (pull_request) Successful in 5s

Details

patchwarden-client-dry-run / collect-diff (pull_request) Successful in 5s

Details

python-ci / Python 3.11 (pull_request) Successful in 44s

Details

python-ci / Python 3.12 (pull_request) Successful in 44s

Details

python-ci / Python 3.13 (pull_request) Successful in 43s

Details

canary-required / canary (pull_request) Successful in 14s

Details

patchwarden-client-dry-run / dry-run (pull_request) Successful in 22s

Details

base-is-main / guard (pull_request) Successful in 1s

Details

patchwarden-pr-sanity / collect-diff (pull_request) Successful in 5s

Details

patchwarden-pr-sanity / sanity (pull_request) Successful in 3m22s

Details

6284ee0638

codex added the

class/security-sensitive

label

2026-05-29 22:36:53 +02:00

codex commented

2026-05-29 22:41:17 +02:00

Author

Collaborator

Patchwarden PR sanity

Status: advisory_findings
PR: 618
Commit: 6284ee06388e67924a3e8a1173e87ef02e1527f7
Security-sensitive label: present
Authority: advisory model review plus deterministic blockers only
3+3 canary: still alive; this does not replace it

Deterministic findings

No deterministic findings.

Model reviewers

`global-glm` / `glm-5.1:cloud`

Status: ok
Verdict: OK
Findings: none

`global-deepseek` / `deepseek-v4-pro:cloud`

Status: ok
Verdict: NOT_OK
high Dual-trust append deduplication check is broken due to newline in pattern
- Evidence: In scripts/cutover/safe-session-ca-dual-trust-bootstrap.sh, the line if grep -Fqx "$(cat "$ca_pub_file")" "$trusted_ca_file"; thenusescatwhich includes a trailing newline, causinggrep -x to never match a line without a newline. Th
- Next: Strip the trailing newline from the public key content before using it in grep, e.g., pub_key_content=$(cat "$ca_pub_file"); pub_key_content=${pub_key_content%$'\n'} and then use that variable.
medium No rollback of TrustedUserCAKeys if sshd -t fails after append
- Evidence: The script appends to the trusted CA file, then runs sshd -t. If sshd -tfails, the script exits due toset -e, but the modified file remains, potentially breaking SSH. The backup is created but not automatically restored.
- Next: Add a trap or conditional to restore the backup if sshd -t fails, or at least print a warning to manually restore.
low Infisical write failure may be silent
- Evidence: The infisical secrets setcommand uses--silentand>/dev/null, so if it fails, the error message is suppressed. The script relies on set -e to catch non-zero exit, but the operator won't see the error details.
- Next: Capture stderr or check exit code explicitly and emit a clear failure message.

`redteam` / `kimi-k2.6:cloud`

Status: ok
Verdict: NOT_OK
high SSH trust mutated before validation; no rollback on sshd -t failure
- Evidence: scripts/cutover/safe-session-ca-dual-trust-bootstrap.sh: cat "$ca_pub_file" >> "$trusted_ca_file"precedessshd -t; with set -e, a validation failure aborts without restoring the $backup copy, leaving a potentially broken CA file on
- Next: Stage the appended CA file to a temporary path, validate with sshd -t (or via a temporary sshd_config pointing at the staging file), and only atomically replace the live file after validation passes; add an ERR trap to restore $backup on any failure after mutation.

Policy notes

GLM 5.1 + DeepSeek V4 Pro are the operator-required model mix for this bot.
Optional red-team model is enabled only when PLATFORMCTL_PR_SANITY_REDTEAM_MODEL is configured.
Auto-merge is not enabled here.

# Patchwarden PR sanity - Status: `advisory_findings` - PR: `618` - Commit: `6284ee06388e67924a3e8a1173e87ef02e1527f7` - Security-sensitive label: `present` - Authority: advisory model review plus deterministic blockers only - 3+3 canary: still alive; this does not replace it ## Deterministic findings No deterministic findings. ## Model reviewers ### `global-glm` / `glm-5.1:cloud` - Status: `ok` - Verdict: `OK` - Findings: none ### `global-deepseek` / `deepseek-v4-pro:cloud` - Status: `ok` - Verdict: `NOT_OK` - **`high`** Dual-trust append deduplication check is broken due to newline in pattern - Evidence: `In scripts/cutover/safe-session-ca-dual-trust-bootstrap.sh, the line `if grep -Fqx "$(cat "$ca_pub_file")" "$trusted_ca_file"; then` uses `cat` which includes a trailing newline, causing `grep -x` to never match a line without a newline. Th` - Next: Strip the trailing newline from the public key content before using it in grep, e.g., `pub_key_content=$(cat "$ca_pub_file"); pub_key_content=${pub_key_content%$'\n'}` and then use that variable. - **`medium`** No rollback of TrustedUserCAKeys if sshd -t fails after append - Evidence: `The script appends to the trusted CA file, then runs `sshd -t`. If `sshd -t` fails, the script exits due to `set -e`, but the modified file remains, potentially breaking SSH. The backup is created but not automatically restored.` - Next: Add a trap or conditional to restore the backup if `sshd -t` fails, or at least print a warning to manually restore. - **`low`** Infisical write failure may be silent - Evidence: `The `infisical secrets set` command uses `--silent` and `>/dev/null`, so if it fails, the error message is suppressed. The script relies on `set -e` to catch non-zero exit, but the operator won't see the error details.` - Next: Capture stderr or check exit code explicitly and emit a clear failure message. ### `redteam` / `kimi-k2.6:cloud` - Status: `ok` - Verdict: `NOT_OK` - **`high`** SSH trust mutated before validation; no rollback on sshd -t failure - Evidence: `scripts/cutover/safe-session-ca-dual-trust-bootstrap.sh: `cat "$ca_pub_file" >> "$trusted_ca_file"` precedes `sshd -t`; with `set -e`, a validation failure aborts without restoring the `$backup` copy, leaving a potentially broken CA file on` - Next: Stage the appended CA file to a temporary path, validate with `sshd -t` (or via a temporary sshd_config pointing at the staging file), and only atomically replace the live file after validation passes; add an ERR trap to restore `$backup` on any failure after mutation. ## Policy notes - GLM 5.1 + DeepSeek V4 Pro are the operator-required model mix for this bot. - Optional red-team model is enabled only when `PLATFORMCTL_PR_SANITY_REDTEAM_MODEL` is configured. - Auto-merge is not enabled here.