From 358e114856a01e022db4b2d698bddd51a424505f Mon Sep 17 00:00:00 2001 From: tegwick Date: Mon, 15 Jun 2026 02:01:42 +0200 Subject: [PATCH] chore(consistency): sync task status from DB [auto] MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updated by fix-consistency on 2026-06-15: - HF-WP-0002-T05: progress → wait --- ...penbao-browser-ui-at-bao-coulomb-social.md | 89 +++++++++++-------- 1 file changed, 53 insertions(+), 36 deletions(-) diff --git a/workplans/HF-WP-0002-openbao-browser-ui-at-bao-coulomb-social.md b/workplans/HF-WP-0002-openbao-browser-ui-at-bao-coulomb-social.md index 3b97b3a..6f96d9a 100644 --- a/workplans/HF-WP-0002-openbao-browser-ui-at-bao-coulomb-social.md +++ b/workplans/HF-WP-0002-openbao-browser-ui-at-bao-coulomb-social.md @@ -60,11 +60,12 @@ Desired new posture: - Browser login redirects to KeyCape and returns to OpenBao UI at: ```text - https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback + https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback ``` -- UI access maps to the existing `platform-admin` policy through the KeyCape - OIDC path. +- UI access maps to the existing `platform-admin` policy through the + KeyCape-backed `netkingdom` OIDC path. The earlier `keycape` path remains a + compatibility alias while operators move to the clearer mount name. - OpenBao remains a privileged platform-secret surface, not a general public application. Exposure must be TLS-only, audited, MFA-backed, and restricted by identity and preferably by network boundary. 
@@ -100,8 +101,9 @@ Preferred controls: 2. Add or update the Railiance Platform OpenBao ingress manifest or Helm values so the OpenBao UI service is exposed at `bao.coulomb.social`. 3. Add the OpenBao UI redirect URI to the KeyCape OpenBao admin client. -4. Add the same URI to the OpenBao `auth/keycape/role/platform-admin` - `allowed_redirect_uris`. +4. Add the same URI to the OpenBao `auth/netkingdom/role/platform-admin` + `allowed_redirect_uris`, keeping `auth/keycape` as a compatibility alias + unless explicitly retired later. 5. Verify browser login end to end with the approved platform-root/operator identity and MFA. 6. Verify metadata-only inspection of candidate paths such as: @@ -175,7 +177,7 @@ the Helm upgrade. Live DNS/deployment verification remains pending. --- -### T03 - Add KeyCape UI Redirect URI +### T03 - Add KeyCape UI Redirect URIs ```task id: HF-WP-0002-T03 
@@ -188,24 +190,26 @@ state_hub_task_id: "fc1d5850-eed9-4fd6-aac4-8c0e89d8b67d" Update the KeyCape OpenBao admin client to include: ```text -https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback +https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback ``` -Keep the existing localhost CLI callback URIs unless there is a separate -decision to retire CLI login. +Keep the existing localhost CLI callback URIs and the earlier +`https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback` +compatibility callback unless there is a separate decision to retire them. Done when KeyCape accepts the OpenBao UI callback for the `openbao-admin` client and the deployed KeyCape configuration verifies cleanly. -Code progress on 2026-06-15: `net-kingdom` now includes the browser callback -URI in both the full `create-secrets.sh` KeyCape config generator and the -focused live `openbao-client-config.py` patch/verify helper. The focused -verifier also probes both CLI and browser redirect URIs. Live KeyCape rollout -verification remains pending. +Code progress on 2026-06-15: `net-kingdom` now includes the preferred +`netkingdom` browser callback URI and the `keycape` compatibility callback in +both the full `create-secrets.sh` KeyCape config generator and the focused +live `openbao-client-config.py` patch/verify helper. The focused verifier also +probes CLI, `netkingdom`, and `keycape` redirect URIs. Live KeyCape rollout +verification for the preferred mount remains pending. --- -### T04 - Add OpenBao UI Redirect URI To platform-admin Role +### T04 - Add OpenBao UI Redirect URIs To platform-admin Role ```task id: HF-WP-0002-T04 
@@ -215,24 +219,25 @@ target_repo: railiance-platform state_hub_task_id: "4f69cacb-9d8f-4ab6-a84f-3c9041f0d39a" ``` -Update the OpenBao `auth/keycape/role/platform-admin` role so +Update the OpenBao `auth/netkingdom/role/platform-admin` role so `allowed_redirect_uris` includes: ```text -https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback +https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback ``` -Keep the role bound to the intended KeyCape claims/groups and the -`platform-admin` policy. Do not broaden this to root. +Keep the `auth/keycape/role/platform-admin` compatibility role aligned while +it remains enabled. Keep both roles bound to the intended KeyCape +claims/groups and the `platform-admin` policy. Do not broaden this to root. Done when the role supports browser UI login without breaking the existing CLI OIDC path. Code progress on 2026-06-15: `net-kingdom/sso-mfa/k8s/keycape/configure-openbao-oidc.sh` -now writes the browser callback URI into the OpenBao -`auth/keycape/role/platform-admin` `allowed_redirect_uris` while preserving the -existing localhost CLI callbacks. Live role update and browser proof remain -pending. +now configures both `auth/netkingdom/role/platform-admin` and the +`auth/keycape/role/platform-admin` compatibility role with the browser callback +URIs while preserving the existing localhost CLI callbacks. Live preferred +role update remains pending. --- @@ -248,7 +253,7 @@ state_hub_task_id: "31d1da2d-8498-4c7d-a6fa-da9d0133bfe2" Perform an attended browser login: 1. Open `https://bao.coulomb.social`. -2. Choose the KeyCape/OIDC auth method mounted at `keycape`. +2. Choose the KeyCape/OIDC auth method mounted at `netkingdom`. 3. Use role `platform-admin`. 4. Authenticate via `kc.coulomb.social` with MFA. 5. Confirm the user can see permitted metadata paths. 
@@ -258,11 +263,14 @@ For the `HF-WP-0001` unblock, inspect only metadata/path presence for the Inter-Hub operator key location. Do not copy secret values into Git, State Hub, chat, or workplans. -Done when browser login succeeds and the operator can determine whether an -Inter-Hub operator key exists without installing a local `bao` CLI. +Done when browser login succeeds through the preferred `netkingdom` mount and +the operator can determine whether an Inter-Hub operator key exists without +installing a local `bao` CLI. -Waiting on live DNS/deployment, KeyCape config rollout, OpenBao role update, -and an attended platform-admin browser login. +Progress on 2026-06-15: the operator reached the OpenBao UI and completed an +attended platform-admin browser login. The preferred `netkingdom` mount has +been added in code and remains to be rolled out and used for the final +metadata-only inspection proof. --- @@ -280,7 +288,7 @@ NetKingdom so future operators know: - `kc.coulomb.social` is the KeyCape/OIDC login authority. - `bao.coulomb.social` is the OpenBao UI. -- Browser login uses auth path `keycape` and role `platform-admin`. +- Browser login uses auth path `netkingdom` and role `platform-admin`. - Metadata-only inspection is preferred when looking for whether a secret exists. - Secret values, OpenBao tokens, Inter-Hub keys, and one-time displayed API 
@@ -290,9 +298,9 @@ Done when the next operator can follow the browser path without rediscovering the CLI-only limitation. Completed on 2026-06-15: updated the Railiance Platform OpenBao runbook and -NetKingdom KeyCape/OpenBao docs to describe `bao.coulomb.social`, the KeyCape -OIDC callback, `platform-admin` browser login, metadata-only inspection, and -the no-root-token/no-secret-copying boundary. +NetKingdom KeyCape/OpenBao docs to describe `bao.coulomb.social`, the +preferred `netkingdom` KeyCape/OIDC auth path, `platform-admin` browser login, +metadata-only inspection, and the no-root-token/no-secret-copying boundary. ## Implementation Log @@ -309,11 +317,13 @@ path: - `railiance-platform/Makefile` applies the OpenBao middleware before Helm deployment. - `net-kingdom/sso-mfa/k8s/keycape/create-secrets.sh` and - `openbao-client-config.py` include the browser callback URI for - `openbao-admin`. + `openbao-client-config.py` include the preferred `netkingdom` browser + callback URI and the `keycape` compatibility callback for `openbao-admin`. - `net-kingdom/sso-mfa/k8s/keycape/configure-openbao-oidc.sh` writes the same - browser callback URI to the OpenBao `platform-admin` role. -- `net-kingdom` verifiers now expect and probe the browser callback URI. + browser callback URIs to the OpenBao `auth/netkingdom` and `auth/keycape` + `platform-admin` roles. +- `net-kingdom` verifiers now expect and probe CLI, `netkingdom`, and + `keycape` callback URIs. - Railiance Platform and NetKingdom docs now describe the browser path and secret-handling boundaries. 
@@ -333,6 +343,13 @@ Verification not performed: - Live OpenBao role update. - Attended browser login and metadata-only secret-path inspection. +### 2026-06-15 - Preferred netkingdom auth mount added + +After the first successful browser login, the preferred OpenBao OIDC auth +mount was changed from `keycape` to `netkingdom` to match the platform domain +language and reduce operator confusion in the UI. The `keycape` mount remains +configured as a compatibility alias. + ## Acceptance Criteria This workplan is complete when:
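Review bot: The commit subject says this is an automated task-status sync (`chore(consistency): sync task status from DB [auto]`, "T05: progress → wait"), but the `@@ -60,11 +60,12 @@` hunk changes the authentication surface: it renames the preferred OIDC auth mount from `keycape` to `netkingdom` and keeps the old mount as a compatibility alias. A change to login mounts and redirect URIs should land in its own hand-authored commit so the review trail matches the diff. Within the hunk, "remains a compatibility alias while operators move to the clearer mount name" is open-ended; the posture paragraph just below requires exposure to be "restricted by identity", so record the retirement condition for `keycape` here (for example, once the attended login and metadata-only inspection have been proven through `netkingdom`) rather than leaving a second privileged login path with no end date.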
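Review bot: Step 4 in the `@@ -100,8 +101,9 @@` hunk says to add "the same URI" to `auth/netkingdom/role/platform-admin` while "keeping `auth/keycape` as a compatibility alias", but does not say what the alias role's `allowed_redirect_uris` should hold. OpenBao checks the `redirect_uri` the UI sends against the role's list, and the UI callback path embeds the mount name, so each role only needs its own mount's callback: `https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback` on the `netkingdom` role and `.../auth/keycape/oidc/callback` on the `keycape` role. State that explicitly so neither role is widened with a callback it can never legitimately receive.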
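Review bot: In the `@@ -188,24 +190,26 @@` hunk the "Done when" line still checks that KeyCape "accepts the OpenBao UI callback" in the singular even though the task now registers two browser callbacks on the `openbao-admin` client; make the criterion cover both, and say which one the live rollout verification is still pending for (the progress note says "for the preferred mount", which implies the `keycape` callback is already live). Retiring the alias later will require removing the `keycape` URI from the KeyCape client, from the `create-secrets.sh` generator and from the `openbao-client-config.py` verifier in one change; as written the verifier would keep asserting the presence of a callback that is no longer wanted, so note that dependency here.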
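Review bot: The `@@ -215,24 +219,25 @@` hunk says `configure-openbao-oidc.sh` now configures both roles "with the browser callback URIs" (plural), which reads as both callbacks being written to both roles; if that is what the script does, the `keycape` role gains a `netkingdom` callback it cannot use and vice versa, and the task text should say each role gets only its own mount's callback. "Keep both roles bound to the intended KeyCape claims/groups and the `platform-admin` policy" is the right intent but is easy to let drift across two mounts (two copies of bound claims, audiences, token policies and TTLs); have the script emit both roles from one definition, or have the verifier compare the two role readouts, so the compatibility role never becomes the path with the weaker binding. The hunk also drops the earlier "browser proof remain pending" without saying which role the attended browser login in T05 actually used; record that.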
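Review bot: Step 2 in the `@@ -248,7 +253,7 @@` hunk now tells the operator to choose the method mounted at `netkingdom`, but per the T05 progress note in the following hunk that mount "remains to be rolled out", so the procedure as written cannot be followed today. Either mark step 2 as pending the T04 live role update or note that `keycape` is the mount that currently works, so an operator reading the workplan does not stall at the login picker.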
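Review bot: The new progress note in the `@@ -258,11 +263,14 @@` hunk records that the operator "completed an attended platform-admin browser login" but not which auth mount it went through (by implication `keycape`, since `netkingdom` is not rolled out), whether MFA was presented at `kc.coulomb.social`, or that the login is attributable in the OpenBao audit log. The posture paragraph earlier in the file requires access to be "audited, MFA-backed", so the proof note should carry mount, role and MFA status. The replaced "Waiting on ..." list also silently implied that live DNS/deployment and the KeyCape rollout are now done; say so explicitly rather than leaving it to inference.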
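Review bot: The docs bullet in the `@@ -280,7 +288,7 @@` hunk tells future operators that "Browser login uses auth path `netkingdom`" while the `keycape` mount stays enabled, so an operator who sees two KeyCape-backed methods in the UI has no guidance on which to pick; add that `keycape` is a compatibility alias slated for retirement, or hide it from the login page so the runbook statement is literally true.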
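Review bot: The implementation-log bullets in the `@@ -309,11 +317,13 @@` hunk say the `net-kingdom` verifiers "now expect and probe CLI, `netkingdom`, and `keycape` callback URIs", which hard-codes the alias as a required state and turns its eventual retirement into a verifier failure until the code is changed. Suggest gating the `keycape` entries behind a single flag in the generator and verifier so retirement is one config flip and the verifier then asserts the alias is absent. The same bullets repeat "the same browser callback URIs" for both roles; see the T04 note on listing only each mount's own callback.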
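Review bot: The rationale in the `@@ -333,6 +343,13 @@` hunk, that the rename was made "to reduce operator confusion in the UI", is undercut by the next sentence keeping the `keycape` mount configured, because two KeyCape-backed OIDC methods in the picker is more confusing than one. If OpenBao keeps Vault's `listing_visibility` tune option for auth mounts, set it to `unauth` only on `netkingdom` so the login page offers a single browser method and leave `keycape` unlisted for the CLI callbacks it still serves; also state in this log entry that "the first successful browser login" went through `keycape`, since that is the only mount that was live at the time.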