generated from coulomb/repo-seed
chore(consistency): sync task status from DB [auto]
Updated by fix-consistency on 2026-06-15: - HF-WP-0002-T05: progress → wait
@@ -60,11 +60,12 @@ Desired new posture:
- Browser login redirects to KeyCape and returns to OpenBao UI at:
```text
https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback
https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
```
- UI access maps to the existing `platform-admin` policy through the KeyCape
OIDC path.
- UI access maps to the existing `platform-admin` policy through the
KeyCape-backed `netkingdom` OIDC path. The earlier `keycape` path remains a
compatibility alias while operators move to the clearer mount name.
- OpenBao remains a privileged platform-secret surface, not a general public
application. Exposure must be TLS-only, audited, MFA-backed, and restricted
by identity and preferably by network boundary.
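Review bot: the updated posture bullet (`netkingdom` preferred, `keycape` kept as a compatibility alias) gives no condition or owner for retiring the alias, yet the callback list above it now carries two browser redirect URIs that must stay registered in both KeyCape and OpenBao for as long as both mounts exist. Suggest stating the retirement trigger here (for example, once the attended login proof passes through `netkingdom`) so the alias does not become a permanent second login path into a privileged secret surface.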
@@ -100,8 +101,9 @@ Preferred controls:
2. Add or update the Railiance Platform OpenBao ingress manifest or Helm values
so the OpenBao UI service is exposed at `bao.coulomb.social`.
3. Add the OpenBao UI redirect URI to the KeyCape OpenBao admin client.
4. Add the same URI to the OpenBao `auth/keycape/role/platform-admin`
`allowed_redirect_uris`.
4. Add the same URI to the OpenBao `auth/netkingdom/role/platform-admin`
`allowed_redirect_uris`, keeping `auth/keycape` as a compatibility alias
unless explicitly retired later.
5. Verify browser login end to end with the approved platform-root/operator
identity and MFA.
6. Verify metadata-only inspection of candidate paths such as:
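Review bot: step 3 still reads "Add the OpenBao UI redirect URI" (singular) to the KeyCape client, while the new step 4 registers both the `netkingdom` and `keycape` callbacks in OpenBao; a KeyCape client that carries only one of them will reject the other mount's login. Suggest "Add the OpenBao UI redirect URIs" in step 3 to match step 4 and the T03 heading change in this commit.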
@@ -175,7 +177,7 @@ the Helm upgrade. Live DNS/deployment verification remains pending.
---
### T03 - Add KeyCape UI Redirect URI
### T03 - Add KeyCape UI Redirect URIs
```task
id: HF-WP-0002-T03
@@ -188,24 +190,26 @@ state_hub_task_id: "fc1d5850-eed9-4fd6-aac4-8c0e89d8b67d"
Update the KeyCape OpenBao admin client to include:
```text
https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback
https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
```
Keep the existing localhost CLI callback URIs unless there is a separate
decision to retire CLI login.
Keep the existing localhost CLI callback URIs and the earlier
`https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback`
compatibility callback unless there is a separate decision to retire them.
Done when KeyCape accepts the OpenBao UI callback for the `openbao-admin`
client and the deployed KeyCape configuration verifies cleanly.
Code progress on 2026-06-15: `net-kingdom` now includes the browser callback
URI in both the full `create-secrets.sh` KeyCape config generator and the
focused live `openbao-client-config.py` patch/verify helper. The focused
verifier also probes both CLI and browser redirect URIs. Live KeyCape rollout
verification remains pending.
Code progress on 2026-06-15: `net-kingdom` now includes the preferred
`netkingdom` browser callback URI and the `keycape` compatibility callback in
both the full `create-secrets.sh` KeyCape config generator and the focused
live `openbao-client-config.py` patch/verify helper. The focused verifier also
probes CLI, `netkingdom`, and `keycape` redirect URIs. Live KeyCape rollout
verification for the preferred mount remains pending.
---
### T04 - Add OpenBao UI Redirect URI To platform-admin Role
### T04 - Add OpenBao UI Redirect URIs To platform-admin Role
```task
id: HF-WP-0002-T04
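Review bot: the T03 done condition still says KeyCape "accepts the OpenBao UI callback" (singular) although the task now registers two callbacks and the verifier probes CLI, `netkingdom` and `keycape` URIs. It should name the `netkingdom` callback as the one that must be accepted, since that is the mount the preferred path depends on and the one whose live rollout the progress note says is still pending.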
@@ -215,24 +219,25 @@ target_repo: railiance-platform
state_hub_task_id: "4f69cacb-9d8f-4ab6-a84f-3c9041f0d39a"
```
Update the OpenBao `auth/keycape/role/platform-admin` role so
Update the OpenBao `auth/netkingdom/role/platform-admin` role so
`allowed_redirect_uris` includes:
```text
https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback
https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
```
Keep the role bound to the intended KeyCape claims/groups and the
`platform-admin` policy. Do not broaden this to root.
Keep the `auth/keycape/role/platform-admin` compatibility role aligned while
it remains enabled. Keep both roles bound to the intended KeyCape
claims/groups and the `platform-admin` policy. Do not broaden this to root.
Done when the role supports browser UI login without breaking the existing CLI
OIDC path.
Code progress on 2026-06-15: `net-kingdom/sso-mfa/k8s/keycape/configure-openbao-oidc.sh`
now writes the browser callback URI into the OpenBao
`auth/keycape/role/platform-admin` `allowed_redirect_uris` while preserving the
existing localhost CLI callbacks. Live role update and browser proof remain
pending.
now configures both `auth/netkingdom/role/platform-admin` and the
`auth/keycape/role/platform-admin` compatibility role with the browser callback
URIs while preserving the existing localhost CLI callbacks. Live preferred
role update remains pending.
---
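Review bot: the done condition "Done when the role supports browser UI login without breaking the existing CLI OIDC path" still refers to a single role, but the task now maintains `auth/netkingdom/role/platform-admin` and the `auth/keycape/role/platform-admin` compatibility role, and the instruction "Keep both roles bound to the intended KeyCape claims/groups" has no matching check. Suggest extending the done condition to require that both roles carry the same bound claims/groups and the `platform-admin` policy, so the alias cannot drift into a more permissive login path than the preferred mount.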
@@ -248,7 +253,7 @@ state_hub_task_id: "31d1da2d-8498-4c7d-a6fa-da9d0133bfe2"
Perform an attended browser login:
1. Open `https://bao.coulomb.social`.
2. Choose the KeyCape/OIDC auth method mounted at `keycape`.
2. Choose the KeyCape/OIDC auth method mounted at `netkingdom`.
3. Use role `platform-admin`.
4. Authenticate via `kc.coulomb.social` with MFA.
5. Confirm the user can see permitted metadata paths.
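Review bot: step 5 checks what the user can see but not what the login issued; given T04's "Do not broaden this to root", suggest adding a step that confirms the token obtained through the `netkingdom` mount carries only the `platform-admin` policy, and that the operator records which of the two mounts was actually used, since both `keycape` and `netkingdom` will be offered in the UI while the alias remains configured.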
@@ -258,11 +263,14 @@ For the `HF-WP-0001` unblock, inspect only metadata/path presence for the
Inter-Hub operator key location. Do not copy secret values into Git, State Hub,
chat, or workplans.
Done when browser login succeeds and the operator can determine whether an
Inter-Hub operator key exists without installing a local `bao` CLI.
Done when browser login succeeds through the preferred `netkingdom` mount and
the operator can determine whether an Inter-Hub operator key exists without
installing a local `bao` CLI.
Waiting on live DNS/deployment, KeyCape config rollout, OpenBao role update,
and an attended platform-admin browser login.
Progress on 2026-06-15: the operator reached the OpenBao UI and completed an
attended platform-admin browser login. The preferred `netkingdom` mount has
been added in code and remains to be rolled out and used for the final
metadata-only inspection proof.
---
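Review bot: the progress paragraph records a completed attended platform-admin browser login but does not say which mount it went through, while the new done condition requires success "through the preferred `netkingdom` mount". Suggest naming the mount that was used (by the paragraph's own account it cannot have been `netkingdom`, which "remains to be rolled out") so the record is unambiguous that the task stays open, consistent with the T05 progress → wait status change in this commit.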
@@ -280,7 +288,7 @@ NetKingdom so future operators know:
- `kc.coulomb.social` is the KeyCape/OIDC login authority.
- `bao.coulomb.social` is the OpenBao UI.
- Browser login uses auth path `keycape` and role `platform-admin`.
- Browser login uses auth path `netkingdom` and role `platform-admin`.
- Metadata-only inspection is preferred when looking for whether a secret
exists.
- Secret values, OpenBao tokens, Inter-Hub keys, and one-time displayed API
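Review bot: the docs bullet now says browser login uses auth path `netkingdom`, but the `keycape` compatibility mount remains configured, so an operator will see two OIDC mounts in the UI; the stated reason for the rename was reducing operator confusion, which this bullet alone does not achieve. Suggest a further bullet stating that `keycape` is a compatibility alias pending retirement and that `netkingdom` is the one to choose.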
@@ -290,9 +298,9 @@ Done when the next operator can follow the browser path without rediscovering
the CLI-only limitation.
Completed on 2026-06-15: updated the Railiance Platform OpenBao runbook and
NetKingdom KeyCape/OpenBao docs to describe `bao.coulomb.social`, the KeyCape
OIDC callback, `platform-admin` browser login, metadata-only inspection, and
the no-root-token/no-secret-copying boundary.
NetKingdom KeyCape/OpenBao docs to describe `bao.coulomb.social`, the
preferred `netkingdom` KeyCape/OIDC auth path, `platform-admin` browser login,
metadata-only inspection, and the no-root-token/no-secret-copying boundary.
## Implementation Log
@@ -309,11 +317,13 @@ path:
- `railiance-platform/Makefile` applies the OpenBao middleware before Helm
deployment.
- `net-kingdom/sso-mfa/k8s/keycape/create-secrets.sh` and
`openbao-client-config.py` include the browser callback URI for
`openbao-admin`.
`openbao-client-config.py` include the preferred `netkingdom` browser
callback URI and the `keycape` compatibility callback for `openbao-admin`.
- `net-kingdom/sso-mfa/k8s/keycape/configure-openbao-oidc.sh` writes the same
browser callback URI to the OpenBao `platform-admin` role.
- `net-kingdom` verifiers now expect and probe the browser callback URI.
browser callback URIs to the OpenBao `auth/netkingdom` and `auth/keycape`
`platform-admin` roles.
- `net-kingdom` verifiers now expect and probe CLI, `netkingdom`, and
`keycape` callback URIs.
- Railiance Platform and NetKingdom docs now describe the browser path and
secret-handling boundaries.
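Review bot: the verifier bullet now has the `net-kingdom` verifiers "expect and probe" the `keycape` callback URI alongside `netkingdom`; once the compatibility alias is retired, as the posture section allows, that expectation will turn into a failure. Suggest recording here whether the `keycape` probe is a hard requirement or a warning, so retiring the alias is a deliberate one-place change rather than a surprise in the verifier.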
@@ -333,6 +343,13 @@ Verification not performed:
- Live OpenBao role update.
- Attended browser login and metadata-only secret-path inspection.
### 2026-06-15 - Preferred netkingdom auth mount added
After the first successful browser login, the preferred OpenBao OIDC auth
mount was changed from `keycape` to `netkingdom` to match the platform domain
language and reduce operator confusion in the UI. The `keycape` mount remains
configured as a compatibility alias.
## Acceptance Criteria
This workplan is complete when:
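Review bot: the new "2026-06-15 - Preferred netkingdom auth mount added" entry opens with "After the first successful browser login", but the "Verification not performed" list directly above it still includes "Attended browser login and metadata-only secret-path inspection". Suggest splitting that item (login performed; metadata-only inspection through `netkingdom` still pending) or dating the list, so the implementation log does not contradict itself.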