clawdie-iso

History

Sam & Claude df783f2a59 fix(vault): wire seed bootstrap → vault-fetch path + harden agent dir validation Address the 5 review concerns on the secrets-out-of-the-box feature: 1. Seed↔fetch path alignment: _seed_split_env routes BW_* creds out of .env into ~/.config/vault-bootstrap.env (SEED_VAULT_BOOTSTRAP_REL), the path clawdie-vault-fetch actually reads — so 'seed bootstrap → fetch out of the box' now lines up without an explicit --bootstrap arg. 2. Drop unused COLLECTION_ID from clawdie-vault-fetch. Items are fetched by name via 'bw get password', which is fail-closed on ambiguity; document that item names must be unique in the visible vault. 3. Agent dir validation: _seed_agent_name_ok rejects leading-dot dirs (.Spotlight-V100, .fseventsd) and traversal; _seed_agent_has_payload requires a recognized payload so an empty/stray dir can't become active. 4. No phantom homes: extra agent dirs stage under /var/db/clawdie/seed/<agent> only — _seed_stage_agent never writes a home or SSH keys. 5. Bootstrap file mode enforcement: clawdie-vault-fetch now stat-checks the bootstrap file and refuses group/world-readable unless VAULT_ALLOW_INSECURE_BOOTSTRAP is set. Also renames _seed_import_env → _seed_merge_env + _seed_split_env and adds _seed_key_ok to guard env var names. Checks: sh -n on vault-fetch/live-seed/build.sh; git diff --check; ./scripts/check-format.sh (prettier clean); 5 concerns verified present. Co-Authored-By: Hermes & Sam <hello@clawdie.si>	2026-06-19 18:24:55 +02:00
..
operator-session	fix(vault): wire seed bootstrap → vault-fetch path + harden agent dir validation	2026-06-19 18:24:55 +02:00

Sam & Claude df783f2a59 fix(vault): wire seed bootstrap → vault-fetch path + harden agent dir validation

Address the 5 review concerns on the secrets-out-of-the-box feature:

1. Seed↔fetch path alignment: _seed_split_env routes BW_* creds out of .env
   into ~/.config/vault-bootstrap.env (SEED_VAULT_BOOTSTRAP_REL), the path
   clawdie-vault-fetch actually reads — so 'seed bootstrap → fetch out of
   the box' now lines up without an explicit --bootstrap arg.
2. Drop unused COLLECTION_ID from clawdie-vault-fetch. Items are fetched by
   name via 'bw get password', which is fail-closed on ambiguity; document
   that item names must be unique in the visible vault.
3. Agent dir validation: _seed_agent_name_ok rejects leading-dot dirs
   (.Spotlight-V100, .fseventsd) and traversal; _seed_agent_has_payload
   requires a recognized payload so an empty/stray dir can't become active.
4. No phantom homes: extra agent dirs stage under /var/db/clawdie/seed/<agent>
   only — _seed_stage_agent never writes a home or SSH keys.
5. Bootstrap file mode enforcement: clawdie-vault-fetch now stat-checks the
   bootstrap file and refuses group/world-readable unless
   VAULT_ALLOW_INSECURE_BOOTSTRAP is set.

Also renames _seed_import_env → _seed_merge_env + _seed_split_env and adds
_seed_key_ok to guard env var names.

Checks: sh -n on vault-fetch/live-seed/build.sh; git diff --check;
./scripts/check-format.sh (prettier clean); 5 concerns verified present.

Co-Authored-By: Hermes & Sam <hello@clawdie.si>

2026-06-19 18:24:55 +02:00

operator-session

fix(vault): wire seed bootstrap → vault-fetch path + harden agent dir validation

2026-06-19 18:24:55 +02:00