chore(consistency): sync task status from DB [auto]

Updated by fix-consistency on 2026-06-15:
  - HF-WP-0002-T05: progress → wait
2026-06-15 02:01:42 +02:00
parent 76c9b55e71
commit 358e114856


@@ -60,11 +60,12 @@ Desired new posture:
- Browser login redirects to KeyCape and returns to OpenBao UI at: - Browser login redirects to KeyCape and returns to OpenBao UI at:
```text ```text
https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
``` ```
- UI access maps to the existing `platform-admin` policy through the KeyCape - UI access maps to the existing `platform-admin` policy through the
OIDC path. KeyCape-backed `netkingdom` OIDC path. The earlier `keycape` path remains a
compatibility alias while operators move to the clearer mount name.
- OpenBao remains a privileged platform-secret surface, not a general public - OpenBao remains a privileged platform-secret surface, not a general public
application. Exposure must be TLS-only, audited, MFA-backed, and restricted application. Exposure must be TLS-only, audited, MFA-backed, and restricted
by identity and preferably by network boundary. by identity and preferably by network boundary.
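Review bot: the posture text now keeps two live OIDC auth mounts (`netkingdom` preferred, `keycape` as "a compatibility alias while operators move") without any retirement condition, so two roles and two callback URIs will accept the same `platform-admin` identity for as long as nobody remembers to remove the alias. Suggest stating the trigger for retiring `auth/keycape` in this paragraph, for example "once the T05 metadata-only proof has succeeded on `netkingdom`", so the extra mount does not outlive the migration it exists for.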
@@ -100,8 +101,9 @@ Preferred controls:
2. Add or update the Railiance Platform OpenBao ingress manifest or Helm values 2. Add or update the Railiance Platform OpenBao ingress manifest or Helm values
so the OpenBao UI service is exposed at `bao.coulomb.social`. so the OpenBao UI service is exposed at `bao.coulomb.social`.
3. Add the OpenBao UI redirect URI to the KeyCape OpenBao admin client. 3. Add the OpenBao UI redirect URI to the KeyCape OpenBao admin client.
4. Add the same URI to the OpenBao `auth/keycape/role/platform-admin` 4. Add the same URI to the OpenBao `auth/netkingdom/role/platform-admin`
`allowed_redirect_uris`. `allowed_redirect_uris`, keeping `auth/keycape` as a compatibility alias
unless explicitly retired later.
5. Verify browser login end to end with the approved platform-root/operator 5. Verify browser login end to end with the approved platform-root/operator
identity and MFA. identity and MFA.
6. Verify metadata-only inspection of candidate paths such as: 6. Verify metadata-only inspection of candidate paths such as:
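Review bot: step 4 is underspecified about the alias: "keeping `auth/keycape` as a compatibility alias unless explicitly retired later" does not say whether the `keycape` role's `allowed_redirect_uris` is left untouched or also receives the new URI. Since the preferred-path and alias roles are both being edited by the same script (per T04), the step should state exactly what each role ends up allowing, for example "`auth/keycape/role/platform-admin` keeps only its existing localhost CLI callbacks and `.../auth/keycape/oidc/callback`".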
@@ -175,7 +177,7 @@ the Helm upgrade. Live DNS/deployment verification remains pending.
--- ---
### T03 - Add KeyCape UI Redirect URI ### T03 - Add KeyCape UI Redirect URIs
```task ```task
id: HF-WP-0002-T03 id: HF-WP-0002-T03
@@ -188,24 +190,26 @@ state_hub_task_id: "fc1d5850-eed9-4fd6-aac4-8c0e89d8b67d"
Update the KeyCape OpenBao admin client to include: Update the KeyCape OpenBao admin client to include:
```text ```text
https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
``` ```
Keep the existing localhost CLI callback URIs unless there is a separate Keep the existing localhost CLI callback URIs and the earlier
decision to retire CLI login. `https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback`
compatibility callback unless there is a separate decision to retire them.
Done when KeyCape accepts the OpenBao UI callback for the `openbao-admin` Done when KeyCape accepts the OpenBao UI callback for the `openbao-admin`
client and the deployed KeyCape configuration verifies cleanly. client and the deployed KeyCape configuration verifies cleanly.
Code progress on 2026-06-15: `net-kingdom` now includes the browser callback Code progress on 2026-06-15: `net-kingdom` now includes the preferred
URI in both the full `create-secrets.sh` KeyCape config generator and the `netkingdom` browser callback URI and the `keycape` compatibility callback in
focused live `openbao-client-config.py` patch/verify helper. The focused both the full `create-secrets.sh` KeyCape config generator and the focused
verifier also probes both CLI and browser redirect URIs. Live KeyCape rollout live `openbao-client-config.py` patch/verify helper. The focused verifier also
verification remains pending. probes CLI, `netkingdom`, and `keycape` redirect URIs. Live KeyCape rollout
verification for the preferred mount remains pending.
--- ---
### T04 - Add OpenBao UI Redirect URI To platform-admin Role ### T04 - Add OpenBao UI Redirect URIs To platform-admin Role
```task ```task
id: HF-WP-0002-T04 id: HF-WP-0002-T04
@@ -215,24 +219,25 @@ target_repo: railiance-platform
state_hub_task_id: "4f69cacb-9d8f-4ab6-a84f-3c9041f0d39a" state_hub_task_id: "4f69cacb-9d8f-4ab6-a84f-3c9041f0d39a"
``` ```
Update the OpenBao `auth/keycape/role/platform-admin` role so Update the OpenBao `auth/netkingdom/role/platform-admin` role so
`allowed_redirect_uris` includes: `allowed_redirect_uris` includes:
```text ```text
https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
``` ```
Keep the role bound to the intended KeyCape claims/groups and the Keep the `auth/keycape/role/platform-admin` compatibility role aligned while
`platform-admin` policy. Do not broaden this to root. it remains enabled. Keep both roles bound to the intended KeyCape
claims/groups and the `platform-admin` policy. Do not broaden this to root.
Done when the role supports browser UI login without breaking the existing CLI Done when the role supports browser UI login without breaking the existing CLI
OIDC path. OIDC path.
Code progress on 2026-06-15: `net-kingdom/sso-mfa/k8s/keycape/configure-openbao-oidc.sh` Code progress on 2026-06-15: `net-kingdom/sso-mfa/k8s/keycape/configure-openbao-oidc.sh`
now writes the browser callback URI into the OpenBao now configures both `auth/netkingdom/role/platform-admin` and the
`auth/keycape/role/platform-admin` `allowed_redirect_uris` while preserving the `auth/keycape/role/platform-admin` compatibility role with the browser callback
existing localhost CLI callbacks. Live role update and browser proof remain URIs while preserving the existing localhost CLI callbacks. Live preferred
pending. role update remains pending.
--- ---
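Review bot: "configures both `auth/netkingdom/role/platform-admin` and the `auth/keycape/role/platform-admin` compatibility role with the browser callback URIs" (plural) reads as if both UI callbacks are written into both roles. The UI builds its redirect_uri from the mount path (`/ui/vault/auth/<mount>/oidc/callback`), so a role only ever sees the callback for its own mount; listing the other mount's URI widens what the role accepts without enabling any legitimate flow. Suggest the script write one UI callback per role, matching that role's mount, alongside the localhost CLI callbacks, and that the task text say so.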
@@ -248,7 +253,7 @@ state_hub_task_id: "31d1da2d-8498-4c7d-a6fa-da9d0133bfe2"
Perform an attended browser login: Perform an attended browser login:
1. Open `https://bao.coulomb.social`. 1. Open `https://bao.coulomb.social`.
2. Choose the KeyCape/OIDC auth method mounted at `keycape`. 2. Choose the KeyCape/OIDC auth method mounted at `netkingdom`.
3. Use role `platform-admin`. 3. Use role `platform-admin`.
4. Authenticate via `kc.coulomb.social` with MFA. 4. Authenticate via `kc.coulomb.social` with MFA.
5. Confirm the user can see permitted metadata paths. 5. Confirm the user can see permitted metadata paths.
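Review bot: step 2 now tells the operator to choose the mount at `netkingdom`, but the implementation log in this same commit says that mount is added in code and not yet rolled out, so an operator following this procedure today will not find it in the UI. Either add "use `keycape` until the `netkingdom` rollout is verified" to step 2 or make T05 depend on the rollout. Step 5 should also carry a negative check: confirm the `platform-admin` token is denied on a secret's data path, not only that metadata paths list, since the metadata-only boundary is what this whole workplan relies on.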
@@ -258,11 +263,14 @@ For the `HF-WP-0001` unblock, inspect only metadata/path presence for the
Inter-Hub operator key location. Do not copy secret values into Git, State Hub, Inter-Hub operator key location. Do not copy secret values into Git, State Hub,
chat, or workplans. chat, or workplans.
Done when browser login succeeds and the operator can determine whether an Done when browser login succeeds through the preferred `netkingdom` mount and
Inter-Hub operator key exists without installing a local `bao` CLI. the operator can determine whether an Inter-Hub operator key exists without
installing a local `bao` CLI.
Waiting on live DNS/deployment, KeyCape config rollout, OpenBao role update, Progress on 2026-06-15: the operator reached the OpenBao UI and completed an
and an attended platform-admin browser login. attended platform-admin browser login. The preferred `netkingdom` mount has
been added in code and remains to be rolled out and used for the final
metadata-only inspection proof.
--- ---
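Review bot: the new "Done when" requires login through the preferred `netkingdom` mount, but the progress note under it records a completed attended login without naming the mount; from the log entry later in this diff it was the `keycape` mount. State that explicitly here ("completed on `keycape`; the `netkingdom` login and metadata-only proof remain") so the note matches the commit message's move of T05 back to wait rather than reading as a finished task.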
@@ -280,7 +288,7 @@ NetKingdom so future operators know:
- `kc.coulomb.social` is the KeyCape/OIDC login authority. - `kc.coulomb.social` is the KeyCape/OIDC login authority.
- `bao.coulomb.social` is the OpenBao UI. - `bao.coulomb.social` is the OpenBao UI.
- Browser login uses auth path `keycape` and role `platform-admin`. - Browser login uses auth path `netkingdom` and role `platform-admin`.
- Metadata-only inspection is preferred when looking for whether a secret - Metadata-only inspection is preferred when looking for whether a secret
exists. exists.
- Secret values, OpenBao tokens, Inter-Hub keys, and one-time displayed API - Secret values, OpenBao tokens, Inter-Hub keys, and one-time displayed API
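Review bot: the runbook bullet now says browser login uses auth path `netkingdom`, which per the implementation log is not yet live; while the alias exists the operator-facing doc should list both mount names and say which is preferred, otherwise the next operator looks for a mount that is missing from the UI dropdown and rediscovers exactly the confusion this task is meant to remove.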
@@ -290,9 +298,9 @@ Done when the next operator can follow the browser path without rediscovering
the CLI-only limitation. the CLI-only limitation.
Completed on 2026-06-15: updated the Railiance Platform OpenBao runbook and Completed on 2026-06-15: updated the Railiance Platform OpenBao runbook and
NetKingdom KeyCape/OpenBao docs to describe `bao.coulomb.social`, the KeyCape NetKingdom KeyCape/OpenBao docs to describe `bao.coulomb.social`, the
OIDC callback, `platform-admin` browser login, metadata-only inspection, and preferred `netkingdom` KeyCape/OIDC auth path, `platform-admin` browser login,
the no-root-token/no-secret-copying boundary. metadata-only inspection, and the no-root-token/no-secret-copying boundary.
## Implementation Log ## Implementation Log
@@ -309,11 +317,13 @@ path:
- `railiance-platform/Makefile` applies the OpenBao middleware before Helm - `railiance-platform/Makefile` applies the OpenBao middleware before Helm
deployment. deployment.
- `net-kingdom/sso-mfa/k8s/keycape/create-secrets.sh` and - `net-kingdom/sso-mfa/k8s/keycape/create-secrets.sh` and
`openbao-client-config.py` include the browser callback URI for `openbao-client-config.py` include the preferred `netkingdom` browser
`openbao-admin`. callback URI and the `keycape` compatibility callback for `openbao-admin`.
- `net-kingdom/sso-mfa/k8s/keycape/configure-openbao-oidc.sh` writes the same - `net-kingdom/sso-mfa/k8s/keycape/configure-openbao-oidc.sh` writes the same
browser callback URI to the OpenBao `platform-admin` role. browser callback URIs to the OpenBao `auth/netkingdom` and `auth/keycape`
- `net-kingdom` verifiers now expect and probe the browser callback URI. `platform-admin` roles.
- `net-kingdom` verifiers now expect and probe CLI, `netkingdom`, and
`keycape` callback URIs.
- Railiance Platform and NetKingdom docs now describe the browser path and - Railiance Platform and NetKingdom docs now describe the browser path and
secret-handling boundaries. secret-handling boundaries.
@@ -333,6 +343,13 @@ Verification not performed:
- Live OpenBao role update. - Live OpenBao role update.
- Attended browser login and metadata-only secret-path inspection. - Attended browser login and metadata-only secret-path inspection.
### 2026-06-15 - Preferred netkingdom auth mount added
After the first successful browser login, the preferred OpenBao OIDC auth
mount was changed from `keycape` to `netkingdom` to match the platform domain
language and reduce operator confusion in the UI. The `keycape` mount remains
configured as a compatibility alias.
## Acceptance Criteria ## Acceptance Criteria
This workplan is complete when: This workplan is complete when:
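Review bot: the new 2026-06-15 entry says the first browser login succeeded, yet the "Verification not performed" list directly above it still includes "Attended browser login and metadata-only secret-path inspection"; split that entry so it reads as login done on `keycape`, metadata-only inspection on `netkingdom` still pending. Separately, running two mounts means the audit log will carry both `auth/netkingdom/...` and `auth/keycape/...` request paths until the alias is retired; whoever consumes the audit stream should be told to expect both, and the eventual retirement of `keycape` belongs in this log too.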