git-echo/linux_patch_manager
Private
Public Access
1
0
Fork 0
Code Releases 8 Wiki Activity
Files
fix/postinst-thorough-audit
linux_patch_manager/tasks/credential-bootstrap-plan.md
Echo d326b25203
All checks were successful
CI Pipeline / Rust Format Check (push) Successful in 4s
Details
CI Pipeline / Clippy Lints (push) Successful in 53s
Details
CI Pipeline / Rust Unit Tests (push) Successful in 1m11s
Details
CI Pipeline / Security Audit (push) Successful in 4s
Details
CI Pipeline / Frontend Lint & Type Check (push) Successful in 14s
Details
CI Pipeline / Build .deb & Release (push) Has been skipped
Details
fix(ca): make CA path configurable and prevent encrypted keys 
- main.rs: use config.security.ca_cert_path parent directory instead
  of hardcoded /etc/patch-manager/ca for CA initialization.
- config.example.toml: add warning that CA key must be unencrypted PEM.
- This prevents silent generation of a second CA on fresh installs
  and ensures the manager always uses the configured CA.
2026-05-18 15:58:38 +00:00

45 lines
2.1 KiB
Markdown
Raw Permalink Blame History

# Credential Bootstrap & Skill Restoration Plan
## Problem
SSH keys and Vaultwarden access are lost on every container restart. This causes repeated auth failures at session start.
## Changes
### 1. Restore vaultwarden-secrets skill to /a0/skills/
- Source: `/tmp/vaultwarden-secrets/` (cloned from gitea)
- Destination: `/a0/skills/vaultwarden-secrets/`
- Files: SKILL.md, README.md, scripts/vw_client.py, scripts/bw-wrapper.sh
- This makes `vw_client.py` available at the path referenced in system prompt
- Verify pycryptodome is installed (needed by vw_client.py)
### 2. Add Session Bootstrap section to echo profile
- File: `/a0/usr/agents/echo/prompts/01-identity.md`
- Add a **Session Bootstrap** section that instructs Echo to verify credentials at the start of every new conversation
- Checks to perform:
1. **SSH key**: If `~/.ssh/id_ed25519` doesn't exist, retrieve from Vaultwarden using vw_client.py and install
2. **Vaultwarden skill**: Verify `/a0/skills/vaultwarden-secrets/scripts/vw_client.py` exists and works
3. **bw CLI**: Check if `bw` is installed; if not, install it (fallback for vw_client.py)
4. **Gitea SSH key**: Verify `/a0/usr/credentials/gitea-lxc/gitea_id_ed25519` exists for git operations
- Bootstrap runs silently unless a check fails (then report to user)
### 3. Update Credential Type Registry in 02-architecture.md
- Add Vaultwarden as the **authoritative source** for SSH keys
- Clarify that `/a0/usr/storage/echo-ssh-setup/` is a backup, not primary
- Add vw_client.py as the primary credential retrieval method
### 4. Update lessons.md
- Add lesson about credential bootstrap being a systemic fix
## Implementation Order
1. Restore vaultwarden-secrets skill (prerequisite for everything else)
2. Verify vw_client.py works with current credentials
3. Add Session Bootstrap to 01-identity.md
4. Update Credential Type Registry in 02-architecture.md
5. Update lessons.md
6. Test full bootstrap flow
## Approval Needed
- [ ] Modifying echo profile prompts (01-identity.md, 02-architecture.md)
- [ ] Installing skill files to /a0/skills/
- [ ] Installing bw CLI if missing
View Git Blame Copy Permalink