From 6b71025772dcfe85e9fc0453ca2effa16474cd54 Mon Sep 17 00:00:00 2001 From: Sam & Claude Date: Sun, 21 Jun 2026 22:47:45 +0200 Subject: [PATCH] docs: prettier-format PLAN-MOTHER-MCP-VAULT-KEYS table alignment Pre-existing gate offender (PR #141 slipped check-format.sh). Table-alignment whitespace only, no content change. Restores a green ./scripts/check-format.sh. Co-Authored-By: Claude Opus 4.8 --- docs/PLAN-MOTHER-MCP-VAULT-KEYS.md | 46 +++++++++++++++--------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/docs/PLAN-MOTHER-MCP-VAULT-KEYS.md b/docs/PLAN-MOTHER-MCP-VAULT-KEYS.md index 5fd470d..68e6b3b 100644 --- a/docs/PLAN-MOTHER-MCP-VAULT-KEYS.md +++ b/docs/PLAN-MOTHER-MCP-VAULT-KEYS.md 
@@ -39,18 +39,18 @@ ISO (agent) VAULTWARDEN MOTHER ### Our side (clawdie-iso) -| File | Change | What | -|------|--------|------| -| `clawdie-enable-mother.sh` | Extend | Add keygen + vault publish BEFORE the external-mcp.json update | +| File | Change | What | +| ------------------------------- | ------ | --------------------------------------------------------------- | +| `clawdie-enable-mother.sh` | Extend | Add keygen + vault publish BEFORE the external-mcp.json update | | `clawdie-vault-fetch` (colibri) | Extend | Add `--publish-pubkey` mode: create/update item in hive-pubkeys | ### Mother side (OSA, new) -| File | What | -|------|------| -| `mother-sync-hive-keys.sh` | Pull all pubkeys from vault → rebuild authorized_keys.hive | -| `/etc/cron.d/mother-hive-keys` | `@every 5m` cron entry | -| sshd_config change | Add `AuthorizedKeysFile ... /var/db/colibri/.ssh/authorized_keys.hive` | +| File | What | +| ------------------------------ | ---------------------------------------------------------------------- | +| `mother-sync-hive-keys.sh` | Pull all pubkeys from vault → rebuild authorized_keys.hive | +| `/etc/cron.d/mother-hive-keys` | `@every 5m` cron entry | +| sshd_config change | Add `AuthorizedKeysFile ... /var/db/colibri/.ssh/authorized_keys.hive` | --- 
@@ -128,14 +128,14 @@ service sshd reload ## Security properties -| Property | How | -|----------|-----| -| Rebuild, not append | Each sync regenerates the file — deleting a vault item = revocation | -| Restriction applied by mother | `command="colibri-mcp",restrict` — not baked by publisher | -| Dedicated key file | `authorized_keys.hive` separate from operator keys | -| No shell access | `restrict` blocks everything except the forced command | -| Atomic write | `mktemp` + `mv` — no partial reads | -| TOFU on first connect | `StrictHostKeyChecking=accept-new` — auto-trust on first connection | +| Property | How | +| ----------------------------- | ------------------------------------------------------------------- | +| Rebuild, not append | Each sync regenerates the file — deleting a vault item = revocation | +| Restriction applied by mother | `command="colibri-mcp",restrict` — not baked by publisher | +| Dedicated key file | `authorized_keys.hive` separate from operator keys | +| No shell access | `restrict` blocks everything except the forced command | +| Atomic write | `mktemp` + `mv` — no partial reads | +| TOFU on first connect | `StrictHostKeyChecking=accept-new` — auto-trust on first connection | --- 
@@ -153,10 +153,10 @@ service sshd reload ## Sequencing -| Step | Repo | Content | -|------|------|---------| -| 1 | colibri | Extend `clawdie-vault-fetch` with `--publish-pubkey` | -| 2 | clawdie-iso | Extend `clawdie-enable-mother.sh` — keygen + publish | -| 3 | — | Create `mother-sync-hive-keys.sh` on OSA | -| 4 | — | Wire cron + sshd_config on OSA | -| 5 | — | End-to-end test: ISO → vault → OSA → SSH → colibri-mcp | +| Step | Repo | Content | +| ---- | ----------- | ------------------------------------------------------ | +| 1 | colibri | Extend `clawdie-vault-fetch` with `--publish-pubkey` | +| 2 | clawdie-iso | Extend `clawdie-enable-mother.sh` — keygen + publish | +| 3 | — | Create `mother-sync-hive-keys.sh` on OSA | +| 4 | — | Wire cron + sshd_config on OSA | +| 5 | — | End-to-end test: ISO → vault → OSA → SSH → colibri-mcp |
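Review bot: the hunk at `@@ -39,18 +39,18 @@` is whitespace-only as the message states, but the `/etc/cron.d/mother-hive-keys` row it re-aligns documents the schedule as `@every 5m`, which is not a vixie-cron schedule string (vixie accepts five-field specs or `@hourly`, `@daily`, `@reboot` and friends). Worth a follow-up to either confirm the target cron implementation accepts `@every 5m` or write the entry as `*/5 * * * *`, since this cron job is the revocation path for the hive keys.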
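Review bot: in the `@@ -128,14 +128,14 @@` hunk the Security properties table presents `TOFU on first connect` with `StrictHostKeyChecking=accept-new` as a property, but it is a trust gap: whatever host key the OSA presents on the first connection is accepted and pinned. Out of scope for this formatting-only change, but a follow-up should document how that first host key is verified (or pre-seeded) and should also state the revocation window implied by the `Rebuild, not append` row, since with the `@every 5m` sync a deleted vault item stays authorized for up to five minutes. Alignment itself is correct.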
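Review bot: the Sequencing table in the `@@ -153,10 +153,10 @@` hunk leaves the `Repo` column as `—` for steps 3 and 4 (`mother-sync-hive-keys.sh`, cron + sshd_config on OSA), so the script that rebuilds `authorized_keys.hive` and applies `command="colibri-mcp",restrict` has no stated version-controlled home. Not a change for this whitespace PR, but a doc follow-up naming where those OSA-side files are tracked would make the revocation path reproducible and reviewable.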