provisioning-code/.ncl-cache/e75aa751fc0de5c7e177d86942fb03a0e16cb4b5f5b37ed9cec7180f096063b1.json

119 lines
3.4 KiB
JSON

{
"adr_refs": [
"adr-037",
"adr-038"
],
"description": "Generates Radicle identity, issues NATS JWT credential with scopes, proposes delegation patch on policy-<workspace> repo signed by existing quorum. After completion the new operator can sign ops commands and participate in quorum.",
"emit_audit": true,
"id": "onboard_operator",
"name": "Onboard Operator",
"params": [
{
"default_val": "",
"description": "Target workspace",
"name": "workspace",
"required": true
},
{
"default_val": "",
"description": "Human-readable name for the new operator",
"name": "operator_name",
"required": true
},
{
"default_val": "",
"description": "Path to operator Ed25519 public key PEM",
"name": "operator_pubkey",
"required": true
},
{
"default_val": "",
"description": "Radicle DID of the new operator",
"name": "operator_did",
"required": true
},
{
"default_val": "",
"description": "Comma-separated op_type patterns (e.g. deploy,rollback)",
"name": "allowed_op_types",
"required": true
},
{
"default_val": "",
"description": "NATS account server URL for JWT issuance",
"name": "nats_account_url",
"required": false
}
],
"preconditions": [
"New operator has generated their Radicle identity (rad auth)",
"New operator's Ed25519 public key is available",
"Existing quorum of current operators is available to sign the delegation patch",
"Agreed scope for new operator (which op_type patterns they may sign)"
],
"rollback_strategy": "manual",
"steps": [
{
"depends_on": [],
"dry_run_arg": "--dry-run",
"id": "issue_nats_credential",
"name": "Issue NATS JWT with scoped publish permissions",
"on_error": "Stop",
"params": {},
"script": "steps/issue_nats_credential.nu"
},
{
"depends_on": [
"issue_nats_credential"
],
"dry_run_arg": "--dry-run",
"id": "propose_policy_patch",
"name": "Propose delegation addition on policy-<workspace> repo",
"on_error": "Stop",
"params": {},
"script": "steps/propose_policy_patch.nu"
},
{
"depends_on": [
"propose_policy_patch"
],
"dry_run_arg": "--dry-run",
"id": "sign_policy_patch",
"name": "Await quorum signatures on delegation patch",
"on_error": "Stop",
"params": {},
"script": "steps/sign_policy_patch.nu"
},
{
"depends_on": [
"sign_policy_patch"
],
"dry_run_arg": "--dry-run",
"id": "verify_operator_can_sign",
"name": "Verify new operator credential can sign a test op",
"on_error": "Continue",
"params": {},
"script": "steps/verify_operator_sign.nu"
},
{
"depends_on": [
"sign_policy_patch"
],
"dry_run_arg": "--dry-run",
"id": "emit_audit",
"name": "Emit operator-onboard audit event",
"on_error": "Continue",
"params": {
"event_type": "operator_onboard"
},
"script": "steps/emit_audit.nu"
}
],
"success_criteria": [
"New operator NATS JWT credential file generated and encrypted with SOPS",
"Delegation patch merged in policy-<workspace> Radicle repo",
"New operator can sign a test op with keeper-cli",
"ops history shows operator-onboard audit event"
],
"version": 1
}