docs: prettier-format PLAN-MOTHER-MCP-VAULT-KEYS table alignment

Pre-existing gate offender (PR #141 slipped check-format.sh). Table-alignment
whitespace only, no content change. Restores a green ./scripts/check-format.sh.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sam & Claude 2026-06-21 22:47:45 +02:00
parent 99c8e33a44
commit 6b71025772


@ -39,18 +39,18 @@ ISO (agent) VAULTWARDEN MOTHER
### Our side (clawdie-iso)
| File | Change | What |
|------|--------|------|
| `clawdie-enable-mother.sh` | Extend | Add keygen + vault publish BEFORE the external-mcp.json update |
| File | Change | What |
| ------------------------------- | ------ | --------------------------------------------------------------- |
| `clawdie-enable-mother.sh` | Extend | Add keygen + vault publish BEFORE the external-mcp.json update |
| `clawdie-vault-fetch` (colibri) | Extend | Add `--publish-pubkey` mode: create/update item in hive-pubkeys |
### Mother side (OSA, new)
| File | What |
|------|------|
| `mother-sync-hive-keys.sh` | Pull all pubkeys from vault → rebuild authorized_keys.hive |
| `/etc/cron.d/mother-hive-keys` | `@every 5m` cron entry |
| sshd_config change | Add `AuthorizedKeysFile ... /var/db/colibri/.ssh/authorized_keys.hive` |
| File | What |
| ------------------------------ | ---------------------------------------------------------------------- |
| `mother-sync-hive-keys.sh` | Pull all pubkeys from vault → rebuild authorized_keys.hive |
| `/etc/cron.d/mother-hive-keys` | `@every 5m` cron entry |
| sshd_config change | Add `AuthorizedKeysFile ... /var/db/colibri/.ssh/authorized_keys.hive` |
---
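Review bot: the `/etc/cron.d/mother-hive-keys` row is reflowed here but its content, `@every 5m`, is not a crontab(5) schedule that Vixie or FreeBSD cron accepts (they know `@hourly` and friends; FreeBSD adds `@every_minute` and `@every_second`, not `@every 5m`). Out of scope for a whitespace-only PR, but since the row is touched: a cron.d entry needs the user field as well, e.g. `*/5 * * * * root /usr/local/sbin/mother-sync-hive-keys.sh`. On the `AuthorizedKeysFile` row, note that with sshd's default `StrictModes yes` the hive file and `/var/db/colibri/.ssh` must be owned by root or colibri and not group/world-writable, so `mother-sync-hive-keys.sh` should set ownership and mode explicitly rather than rely on whatever `mktemp` and the cron user produce.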
@ -128,14 +128,14 @@ service sshd reload
## Security properties
| Property | How |
|----------|-----|
| Rebuild, not append | Each sync regenerates the file — deleting a vault item = revocation |
| Restriction applied by mother | `command="colibri-mcp",restrict` — not baked by publisher |
| Dedicated key file | `authorized_keys.hive` separate from operator keys |
| No shell access | `restrict` blocks everything except the forced command |
| Atomic write | `mktemp` + `mv` — no partial reads |
| TOFU on first connect | `StrictHostKeyChecking=accept-new` — auto-trust on first connection |
| Property | How |
| ----------------------------- | ------------------------------------------------------------------- |
| Rebuild, not append | Each sync regenerates the file — deleting a vault item = revocation |
| Restriction applied by mother | `command="colibri-mcp",restrict` — not baked by publisher |
| Dedicated key file | `authorized_keys.hive` separate from operator keys |
| No shell access | `restrict` blocks everything except the forced command |
| Atomic write | `mktemp` + `mv` — no partial reads |
| TOFU on first connect | `StrictHostKeyChecking=accept-new` — auto-trust on first connection |
---
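Review bot: "TOFU on first connect" is listed as a security property, but `StrictHostKeyChecking=accept-new` is an accepted risk, not a control: it pins whatever host key is offered on the first connection, so an attacker in the path at that moment gets persistent trust. Since the ISO already reads the vault, mother's host public key can be published there too and pre-seeded into `known_hosts`, after which the client can use `StrictHostKeyChecking=yes`. Two caveats on "Rebuild, not append" and "Atomic write" that the table should state: the sync must fail closed, i.e. abort and keep the previous `authorized_keys.hive` when the vault pull fails or returns zero items, otherwise a vault outage `mv`s an empty file over it and locks every agent out; and `mktemp` + `mv` is only a rename (hence atomic) when the temp file is created on the same filesystem as the target, e.g. `mktemp /var/db/colibri/.ssh/.authorized_keys.hive.XXXXXX` rather than the default `/tmp`. Revocation latency is also bounded by the 5m cron interval and does not terminate already-established sessions.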
@ -153,10 +153,10 @@ service sshd reload
## Sequencing
| Step | Repo | Content |
|------|------|---------|
| 1 | colibri | Extend `clawdie-vault-fetch` with `--publish-pubkey` |
| 2 | clawdie-iso | Extend `clawdie-enable-mother.sh` — keygen + publish |
| 3 | — | Create `mother-sync-hive-keys.sh` on OSA |
| 4 | — | Wire cron + sshd_config on OSA |
| 5 | — | End-to-end test: ISO → vault → OSA → SSH → colibri-mcp |
| Step | Repo | Content |
| ---- | ----------- | ------------------------------------------------------ |
| 1 | colibri | Extend `clawdie-vault-fetch` with `--publish-pubkey` |
| 2 | clawdie-iso | Extend `clawdie-enable-mother.sh` — keygen + publish |
| 3 | — | Create `mother-sync-hive-keys.sh` on OSA |
| 4 | — | Wire cron + sshd_config on OSA |
| 5 | — | End-to-end test: ISO → vault → OSA → SSH → colibri-mcp |
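Review bot: step 5 tests only the happy path; add a negative test so the revocation and restriction properties are actually exercised. Concretely: remove one item from hive-pubkeys, wait for the next sync (at most the 5m interval from the cron row), confirm the key is gone from `authorized_keys.hive` and that SSH with that key is refused; and confirm the forced command holds by running something like `ssh mother id` and checking that colibri-mcp, not `id`, answers. Step 4 should also verify that `sshd -t` passes before `service sshd reload`, since a bad `AuthorizedKeysFile` line would otherwise leave the daemon running the old config silently.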