# Trinity Break-Glass Recovery Kit

## Purpose
This folder contains the first-pass implementation artifacts for a tightly-scoped break-glass recovery path that lets Trinity recover Mr Anderson when the gateway is down without granting broad host or personal-context access.

## Recommended Access Model
Use forced-command SSH with a dedicated recovery account.

### Recovery identity
- Account: `trinity-operator`
- Auth: SSH key only
- Network path: Tailscale-only or equivalent source restriction
- Shell access: disabled by the forced command and SSH key restrictions (`restrict,command="/usr/local/bin/mr-anderson-recovery"` on the key line), not by the account's login shell. Keep a real shell such as `/bin/sh` on the account: sshd runs the forced command through the login shell, so `nologin` would break the recovery path rather than harden it.

### Allowed actions
- `status`
- `logs`
- `restart`
- `verify`

### Not allowed
- Interactive shell
- Arbitrary commands
- Workspace browsing
- Reading `MEMORY.md`, `USER.md`, `SOUL.md`, or private notes
- Config changes
- OpenClaw updates
- Secret access or rotation
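The access model above, worked through as an added example rather than the kit's own `mr-anderson-recovery` and `mr-anderson-recovery-root` scripts: both halves of the forced-command path live in one file here, and each runs only when invoked under its installed name. It assumes the two install paths from the Files list, the `openclaw-gateway.service` user unit owned by `isthekid`, `logger(1)` and `runuser(8)` on the host, a sudoers entry that allows exactly the four helper invocations (shown in a comment), and that `verify` means "the unit is active"; none of those details are fixed by this README.

```sh
#!/bin/sh
# Added example for this README, not the kit's shipped scripts. Assumptions:
# install paths from the Files list, gateway unit openclaw-gateway.service
# owned by user isthekid, logger(1)/runuser(8) present, verify == "is-active".
set -eu

ROOT_HELPER=/usr/local/bin/mr-anderson-recovery-root
GATEWAY_USER=isthekid
UNIT=openclaw-gateway.service

# ---- user side: mr-anderson-recovery (forced command for trinity-operator) ----

# Accept RAW only if it is exactly one allowlisted word. Whole-string match, so
# "status; id", "logs -f", "RESTART" and "" are all refused: no argument surface.
recovery_dispatch() {
    case "$1" in
        status|logs|restart|verify) printf '%s\n' "$1"; return 0 ;;
        *) return 1 ;;
    esac
}

audit() { logger -t mr-anderson-recovery -p auth.notice -- "$*" 2>/dev/null || true; }

wrapper_main() {
    # sshd puts the client's requested command here; an interactive login attempt
    # arrives with it empty and falls through to the deny branch.
    raw=${SSH_ORIGINAL_COMMAND:-}
    conn=${SSH_CONNECTION:-}; client=${conn%%" "*}
    if action=$(recovery_dispatch "$raw"); then
        audit "allow action=$action from=${client:-unknown}"
        # -n: never prompt. The assumed sudoers-trinity-operator content is:
        #   trinity-operator ALL=(root) NOPASSWD: /usr/local/bin/mr-anderson-recovery-root status, \
        #     /usr/local/bin/mr-anderson-recovery-root logs, /usr/local/bin/mr-anderson-recovery-root restart, \
        #     /usr/local/bin/mr-anderson-recovery-root verify
        # sudo matches the argument list exactly, so no other invocation is allowed.
        exec sudo -n "$ROOT_HELPER" "$action"
    fi
    audit "deny cmd='$raw' from=${client:-unknown}"
    echo "mr-anderson-recovery: refused; allowed actions: status logs restart verify" >&2
    exit 126
}

# ---- root side: mr-anderson-recovery-root (reached only via sudo) ----

# The gateway is a *user* service, so root must address isthekid's manager, not
# the system one: run as that user with its runtime dir and bus set. (Newer
# systemd also accepts `systemctl --user --machine=isthekid@.host`.) That
# manager only exists while isthekid has a session or lingering is enabled.
user_systemctl() {
    uid=$(id -u "$GATEWAY_USER")
    runuser -u "$GATEWAY_USER" -- env "XDG_RUNTIME_DIR=/run/user/$uid" \
        "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$uid/bus" systemctl --user "$@"
}

helper_main() {
    # Re-validate even though the wrapper already did: sudo is the trust boundary.
    action=$(recovery_dispatch "${1:-}") || { echo "mr-anderson-recovery-root: bad action" >&2; exit 2; }
    case "$action" in
        status)  user_systemctl status "$UNIT" --no-pager ;;
        # journalctl --user-unit= would add _UID=0 when run as root; match fields directly.
        logs)    journalctl --no-pager -n 200 "_SYSTEMD_USER_UNIT=$UNIT" "_UID=$(id -u "$GATEWAY_USER")" ;;
        restart) user_systemctl restart "$UNIT" ;;
        verify)  user_systemctl is-active "$UNIT" ;;   # non-zero exit if not active
    esac
}

# Dispatch on the installed name so the same functions serve either file and
# nothing executes when the file is merely sourced or tested.
case "${0##*/}" in
    mr-anderson-recovery)      wrapper_main "$@" ;;
    mr-anderson-recovery-root) helper_main "$@" ;;
esac
```

The point of re-running `recovery_dispatch` on the root side is that the wrapper is not the trust boundary: anything that can call `sudo` as `trinity-operator` can call the helper directly, so the helper must be safe on its own and the sudoers entry must list the exact argument forms rather than `mr-anderson-recovery-root *`.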

## Files
- `mr-anderson-recovery` — user-facing forced-command wrapper
- `mr-anderson-recovery-root` — root-owned helper with fixed allowlisted actions
- `sudoers-trinity-operator` — narrow sudoers entry
- `authorized_keys.example` — forced-command SSH key example
- `outage-test-checklist.md` — validation checklist

## Deployment order
1. Create `trinity-operator`
2. Install `mr-anderson-recovery` at `/usr/local/bin/mr-anderson-recovery`
3. Install `mr-anderson-recovery-root` at `/usr/local/bin/mr-anderson-recovery-root`
4. Install the sudoers snippet (check it with `visudo -cf` first; a syntax error in a live sudoers file can lock out all sudo use on the host)
5. Add Trinity's SSH key using the forced-command line
6. Restrict source access to Trinity over Tailscale
7. Run the outage test checklist
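Steps 1 to 6 carried out as one script, with the preflight checks a practitioner would want before step 7. This is an added example, not one of the kit's files, and it assumes: it is run as root from the kit folder; Tailscale's CGNAT range `100.64.0.0/10` stands in for "Trinity over Tailscale" (narrow it to Trinity's node address if known) and is enforced with a `from=` option on the key line, so the key line has the shape `from="100.64.0.0/10",restrict,command="/usr/local/bin/mr-anderson-recovery"` followed by the key type, key material and a comment; the key is ed25519; sshd reads `/etc/ssh/sshd_config.d/` (OpenSSH 8.2 and later); and the sshd unit is named `sshd`. The checks (`shell_ok`, `authorized_key_ok`) can be run without applying anything.

```sh
#!/bin/sh
# Added example for this README, not one of the kit's files. Assumptions: run as
# root from the kit folder, Tailscale CGNAT range as the source restriction,
# ed25519 key, sshd_config.d drop-in support, sshd unit named "sshd".
set -eu

OPERATOR=trinity-operator
WRAPPER=/usr/local/bin/mr-anderson-recovery
HELPER=/usr/local/bin/mr-anderson-recovery-root
TRINITY_SRC=100.64.0.0/10                                   # assumption: Tailscale range
SSHD_DROPIN=/etc/ssh/sshd_config.d/50-trinity-operator.conf  # assumption: drop-in path

# The account needs a real shell: sshd runs command="..." through it, so
# /usr/sbin/nologin or /bin/false would silently break the forced command.
shell_ok() {
    case "${1:-}" in ""|*/nologin|*/false) return 1 ;; *) return 0 ;; esac
}

# A key line is acceptable only if its options carry `restrict` (no pty, no
# forwarding, no agent, no X11, no user rc), a `from=` source restriction, and
# the forced command pointing at the wrapper. Only ssh-ed25519 lines are checked.
authorized_key_ok() {
    line=$1
    case "$line" in *" ssh-ed25519 "*) ;; *) return 1 ;; esac
    opts=",${line%%" ssh-ed25519 "*},"          # options field, comma-wrapped
    case "$opts" in *,restrict,*) ;; *) return 1 ;; esac
    case "$opts" in *,from=\"*) ;; *) return 1 ;; esac
    case "$opts" in *,command=\""$WRAPPER"\",*) return 0 ;; *) return 1 ;; esac
}

# sshd drop-in: key-only authentication for this account, no TTY, no forwarding.
render_sshd_match() {
    cat <<EOF
Match User $OPERATOR
    AuthenticationMethods publickey
    PasswordAuthentication no
    PermitTTY no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
EOF
}

deploy() {
    id "$OPERATOR" >/dev/null 2>&1 || useradd -r -m -s /bin/sh "$OPERATOR"   # step 1
    shell_ok "$(getent passwd "$OPERATOR" | cut -d: -f7)" \
        || { echo "$OPERATOR has no usable login shell" >&2; exit 1; }
    install -o root -g root -m 0755 mr-anderson-recovery "$WRAPPER"          # steps 2-3: root-owned,
    install -o root -g root -m 0750 mr-anderson-recovery-root "$HELPER"      # operator cannot edit them
    visudo -cf sudoers-trinity-operator                                      # step 4: parse before it is live
    install -o root -g root -m 0440 sudoers-trinity-operator /etc/sudoers.d/trinity-operator
    while IFS= read -r line; do                                              # step 5: refuse loose key lines
        case "$line" in ''|'#'*) continue ;; esac
        authorized_key_ok "$line" \
            || { echo "refusing key line without restrict/from/command: $line" >&2; exit 1; }
    done < authorized_keys.example
    home=$(getent passwd "$OPERATOR" | cut -d: -f6); grp=$(id -gn "$OPERATOR")
    install -d -o "$OPERATOR" -g "$grp" -m 0700 "$home/.ssh"
    install -o "$OPERATOR" -g "$grp" -m 0600 authorized_keys.example "$home/.ssh/authorized_keys"
    render_sshd_match > "$SSHD_DROPIN"                                       # step 6 (with from= on the key)
    sshd -t && systemctl reload sshd                                         # reject a broken config before reload
}

# Apply only when explicitly asked, so the checks can be sourced and run alone.
if [ "${1:-}" = "--apply" ]; then deploy; fi
```

Putting the source restriction in the key's `from=` option rather than in a global `AllowUsers trinity-operator@100.64.0.0/10` is deliberate: `AllowUsers` turns on an allowlist for every account on the host, so adding that one line would lock out everyone not listed.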

## Important implementation note
The current gateway service on this host is `openclaw-gateway.service`, running as a systemd user service of `isthekid`. The root helper (`mr-anderson-recovery-root`) assumes that remains true; if the service model changes, update the helper before deployment. Two consequences of the user-service model matter for a break-glass path: root cannot reach the unit with a plain `systemctl --user`, it has to target `isthekid`'s own manager (for example by running as that user with `XDG_RUNTIME_DIR=/run/user/<uid>` set, or with `--machine=isthekid@.host` on systemd versions that support it); and that manager only exists while `isthekid` has a session or lingering is enabled (`loginctl enable-linger isthekid`), so turn lingering on, otherwise there may be nothing to restart during an outage.
