michal/mcpctl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

OpenBao provisioning script (recurrence fix) #76

Merged
michal merged 1 commits from feat/openbao-provisioning into main 2026-06-16 22:31:54 +00:00
Conversation 0 Commits 1 Files Changed 1 +96
michal commented 2026-06-16 22:21:09 +00:00
Owner
Copy Link

Idempotent script to (re)provision the OpenBao KV mount + app-mcpd policy + periodic app-mcpd-role. Prevents the recurring BACKEND_TOKEN_DEAD caused by a re-init dropping the hand-made policy. Verified live (dry-run + idempotent real run). Run with --seed after a re-init to also reseed bao-creds + restart mcpd.

🤖 Generated with Claude Code

Idempotent script to (re)provision the OpenBao KV mount + `app-mcpd` policy + periodic `app-mcpd-role`. Prevents the recurring BACKEND_TOKEN_DEAD caused by a re-init dropping the hand-made policy. Verified live (dry-run + idempotent real run). Run with `--seed` after a re-init to also reseed bao-creds + restart mcpd. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
michal added 1 commit 2026-06-16 22:21:10 +00:00
feat(ops): idempotent OpenBao provisioning script
Some checks failed
CI/CD / typecheck (pull_request) Successful in 1m4s
Details
CI/CD / lint (pull_request) Successful in 2m30s
Details
CI/CD / test (pull_request) Successful in 1m18s
Details
CI/CD / smoke (pull_request) Failing after 1m49s
Details
CI/CD / build (pull_request) Successful in 4m46s
Details
CI/CD / publish (pull_request) Has been skipped
Details
7e8568777e 
scripts/provision-openbao.sh recreates the KV mount + app-mcpd ACL policy +
periodic app-mcpd-role that mcpd's secret backend needs. These were hand-made
and uncaptured, so an OpenBao re-init silently dropped the policy (root cause
of the recurring BACKEND_TOKEN_DEAD / 403-on-secret-write). Now reproducible:
run after any OpenBao (re)init; --seed also mints a token, writes bao-creds,
and restarts mcpd. Mirrors src/shared/src/vault/policy.ts. Idempotent + --dry-run.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
michal merged commit ab00fc6296 into main 2026-06-16 22:31:54 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
michal
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: michal/mcpctl#76
Delete Branch "feat/openbao-provisioning"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?