docs: restore green format gate — prettier PLAN-MOTHER-MCP-VAULT-KEYS #145

Merged
clawdie merged 1 commit from fix-plan-mother-doc-format into main 2026-06-21 22:47:57 +02:00


@ -39,18 +39,18 @@ ISO (agent) VAULTWARDEN MOTHER
### Our side (clawdie-iso)
| File | Change | What |
|------|--------|------|
| `clawdie-enable-mother.sh` | Extend | Add keygen + vault publish BEFORE the external-mcp.json update |
| File | Change | What |
| ------------------------------- | ------ | --------------------------------------------------------------- |
| `clawdie-enable-mother.sh` | Extend | Add keygen + vault publish BEFORE the external-mcp.json update |
| `clawdie-vault-fetch` (colibri) | Extend | Add `--publish-pubkey` mode: create/update item in hive-pubkeys |
### Mother side (OSA, new)
| File | What |
|------|------|
| `mother-sync-hive-keys.sh` | Pull all pubkeys from vault → rebuild authorized_keys.hive |
| `/etc/cron.d/mother-hive-keys` | `@every 5m` cron entry |
| sshd_config change | Add `AuthorizedKeysFile ... /var/db/colibri/.ssh/authorized_keys.hive` |
| File | What |
| ------------------------------ | ---------------------------------------------------------------------- |
| `mother-sync-hive-keys.sh` | Pull all pubkeys from vault → rebuild authorized_keys.hive |
| `/etc/cron.d/mother-hive-keys` | `@every 5m` cron entry |
| sshd_config change | Add `AuthorizedKeysFile ... /var/db/colibri/.ssh/authorized_keys.hive` |
---
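Review bot: Formatting-only reflow of the two tables, content unchanged, but two rows that are carried over verbatim are worth tightening while this file is open. The `/etc/cron.d/mother-hive-keys` row schedules the sync with `@every 5m`, which is not a syntax that Vixie/ISC-style cron accepts in a `/etc/cron.d` file (it will silently refuse the entry); either confirm the target host's cron implementation supports `@every` or write the interval as `*/5 * * * *`. The sshd_config row still elides the directive as `AuthorizedKeysFile ... /var/db/colibri/.ssh/authorized_keys.hive`, so the plan does not say whether the default `.ssh/authorized_keys` stays listed alongside the hive file; spelling out the full directive prevents an operator from accidentally replacing the operator-key path instead of adding to it.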
@ -128,14 +128,14 @@ service sshd reload
## Security properties
| Property | How |
|----------|-----|
| Rebuild, not append | Each sync regenerates the file — deleting a vault item = revocation |
| Restriction applied by mother | `command="colibri-mcp",restrict` — not baked by publisher |
| Dedicated key file | `authorized_keys.hive` separate from operator keys |
| No shell access | `restrict` blocks everything except the forced command |
| Atomic write | `mktemp` + `mv` — no partial reads |
| TOFU on first connect | `StrictHostKeyChecking=accept-new` — auto-trust on first connection |
| Property | How |
| ----------------------------- | ------------------------------------------------------------------- |
| Rebuild, not append | Each sync regenerates the file — deleting a vault item = revocation |
| Restriction applied by mother | `command="colibri-mcp",restrict` — not baked by publisher |
| Dedicated key file | `authorized_keys.hive` separate from operator keys |
| No shell access | `restrict` blocks everything except the forced command |
| Atomic write | `mktemp` + `mv` — no partial reads |
| TOFU on first connect | `StrictHostKeyChecking=accept-new` — auto-trust on first connection |
---
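Review bot: The `TOFU on first connect` row lists `StrictHostKeyChecking=accept-new` under security properties, but accept-new trusts whichever host key answers the first connection, so it is an accepted risk rather than a protection; since the vault already moves the ISO pubkeys to mother, the same channel can carry mother's host key (a pinned `known_hosts` entry), and that should be named here as the mitigation with TOFU noted as the fallback. The `Atomic write` row (`mktemp` + `mv`) holds only when the temp file is created on the same filesystem as `authorized_keys.hive`, typically in the same directory, and the resulting file must keep ownership and non-group/world-writable mode or sshd's StrictModes check will ignore it; one sentence on where `mktemp` places the file and how mode/ownership are set would make the property verifiable.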
@ -153,10 +153,10 @@ service sshd reload
## Sequencing
| Step | Repo | Content |
|------|------|---------|
| 1 | colibri | Extend `clawdie-vault-fetch` with `--publish-pubkey` |
| 2 | clawdie-iso | Extend `clawdie-enable-mother.sh` — keygen + publish |
| 3 | — | Create `mother-sync-hive-keys.sh` on OSA |
| 4 | — | Wire cron + sshd_config on OSA |
| 5 | — | End-to-end test: ISO → vault → OSA → SSH → colibri-mcp |
| Step | Repo | Content |
| ---- | ----------- | ------------------------------------------------------ |
| 1 | colibri | Extend `clawdie-vault-fetch` with `--publish-pubkey` |
| 2 | clawdie-iso | Extend `clawdie-enable-mother.sh` — keygen + publish |
| 3 | — | Create `mother-sync-hive-keys.sh` on OSA |
| 4 | — | Wire cron + sshd_config on OSA |
| 5 | — | End-to-end test: ISO → vault → OSA → SSH → colibri-mcp |
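Review bot: Steps 3 and 4 show `—` in the Repo column, which reads as the sync script, cron entry and sshd_config change living only on OSA with no version control; recommend naming the repo (or config-management path) that will track `mother-sync-hive-keys.sh` and `/etc/cron.d/mother-hive-keys`, since the rebuild-not-append revocation model depends on that script being reviewable and reproducible. Step 5's end-to-end test should also state the negative case explicitly: delete a vault item, wait one sync interval, and confirm the corresponding key no longer authenticates.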