119 lines
3.4 KiB
JSON
119 lines
3.4 KiB
JSON
{
|
|
"adr_refs": [
|
|
"adr-037",
|
|
"adr-038"
|
|
],
|
|
"description": "Generates Radicle identity, issues NATS JWT credential with scopes, proposes delegation patch on policy-<workspace> repo signed by existing quorum. After completion the new operator can sign ops commands and participate in quorum.",
|
|
"emit_audit": true,
|
|
"id": "onboard_operator",
|
|
"name": "Onboard Operator",
|
|
"params": [
|
|
{
|
|
"default_val": "",
|
|
"description": "Target workspace",
|
|
"name": "workspace",
|
|
"required": true
|
|
},
|
|
{
|
|
"default_val": "",
|
|
"description": "Human-readable name for the new operator",
|
|
"name": "operator_name",
|
|
"required": true
|
|
},
|
|
{
|
|
"default_val": "",
|
|
"description": "Path to operator Ed25519 public key PEM",
|
|
"name": "operator_pubkey",
|
|
"required": true
|
|
},
|
|
{
|
|
"default_val": "",
|
|
"description": "Radicle DID of the new operator",
|
|
"name": "operator_did",
|
|
"required": true
|
|
},
|
|
{
|
|
"default_val": "",
|
|
"description": "Comma-separated op_type patterns (e.g. deploy,rollback)",
|
|
"name": "allowed_op_types",
|
|
"required": true
|
|
},
|
|
{
|
|
"default_val": "",
|
|
"description": "NATS account server URL for JWT issuance",
|
|
"name": "nats_account_url",
|
|
"required": false
|
|
}
|
|
],
|
|
"preconditions": [
|
|
"New operator has generated their Radicle identity (rad auth)",
|
|
"New operator's Ed25519 public key is available",
|
|
"Existing quorum of current operators is available to sign the delegation patch",
|
|
"Agreed scope for new operator (which op_type patterns they may sign)"
|
|
],
|
|
"rollback_strategy": "manual",
|
|
"steps": [
|
|
{
|
|
"depends_on": [],
|
|
"dry_run_arg": "--dry-run",
|
|
"id": "issue_nats_credential",
|
|
"name": "Issue NATS JWT with scoped publish permissions",
|
|
"on_error": "Stop",
|
|
"params": {},
|
|
"script": "steps/issue_nats_credential.nu"
|
|
},
|
|
{
|
|
"depends_on": [
|
|
"issue_nats_credential"
|
|
],
|
|
"dry_run_arg": "--dry-run",
|
|
"id": "propose_policy_patch",
|
|
"name": "Propose delegation addition on policy-<workspace> repo",
|
|
"on_error": "Stop",
|
|
"params": {},
|
|
"script": "steps/propose_policy_patch.nu"
|
|
},
|
|
{
|
|
"depends_on": [
|
|
"propose_policy_patch"
|
|
],
|
|
"dry_run_arg": "--dry-run",
|
|
"id": "sign_policy_patch",
|
|
"name": "Await quorum signatures on delegation patch",
|
|
"on_error": "Stop",
|
|
"params": {},
|
|
"script": "steps/sign_policy_patch.nu"
|
|
},
|
|
{
|
|
"depends_on": [
|
|
"sign_policy_patch"
|
|
],
|
|
"dry_run_arg": "--dry-run",
|
|
"id": "verify_operator_can_sign",
|
|
"name": "Verify new operator credential can sign a test op",
|
|
"on_error": "Continue",
|
|
"params": {},
|
|
"script": "steps/verify_operator_sign.nu"
|
|
},
|
|
{
|
|
"depends_on": [
|
|
"sign_policy_patch"
|
|
],
|
|
"dry_run_arg": "--dry-run",
|
|
"id": "emit_audit",
|
|
"name": "Emit operator-onboard audit event",
|
|
"on_error": "Continue",
|
|
"params": {
|
|
"event_type": "operator_onboard"
|
|
},
|
|
"script": "steps/emit_audit.nu"
|
|
}
|
|
],
|
|
"success_criteria": [
|
|
"New operator NATS JWT credential file generated and encrypted with SOPS",
|
|
"Delegation patch merged in policy-<workspace> Radicle repo",
|
|
"New operator can sign a test op with keeper-cli",
|
|
"ops history shows operator-onboard audit event"
|
|
],
|
|
"version": 1
|
|
}
|