review(NET-WP-0018): update frontmatter, add Related section, and dated notes (2026-06-03) across T02-T09 for 0019 polish artifacts + user-engine/net-kingdom assessment

- T04: assessment fulfills UE boundary/intent/scope review (7 gaps detailed)
- T02/T03/T05/T06/T08/T09: note post-0017/0019 state, enablers (orchestrator, console subcmds, make targets, claims helper, evidence/validators, runbook exposure), remaining work, cross-refs to assessment
- T07 note enhanced with pointer to 0019 impl
- T01 note trimmed to pointer
- updated date + Related section
- Prepares for impl readiness assessment; no status changes (still 1/9 in file/hub pending tasks)

See docs/user-engine-netkingdom-integration-assessment.md and NET-WP-0019.
This commit is contained in:
2026-06-03 11:47:41 +02:00
parent 1721226427
commit 000d263bea

View File

@@ -8,7 +8,7 @@ status: active
owner: codex
topic_slug: netkingdom
created: "2026-06-01"
updated: "2026-06-01"
updated: "2026-06-03"
depends_on:
- NET-WP-0015
- NET-WP-0017
@@ -63,6 +63,10 @@ say which interactions remain genuinely unavoidable.
that can be automated safely, and document why each remaining human action is
required.
## Related (post-0019 + assessment)
- NET-WP-0019 (T06-adjacent user lifecycle dry-run polish; advanced control surface, evidence, claims for T06/T07/T08)
- docs/user-engine-netkingdom-integration-assessment.md (detailed T04 boundary/intent/scope review for user-engine integration + 7 gaps; cross-referenced from SCOPE etc.)
## Tasks
### T01 - Close Or Hand Off NET-WP-0015 Remaining Gates
@@ -91,6 +95,8 @@ path retirement and credential reset/rotation; T07 owns final archive review.
`NET-WP-0018` now continues with architecture documentation, retrospective,
guide, UI automation, validations, and rebuild-risk assessment.
**2026-06-03:** 0019 polish (dry-run orchestrator, console subcommands/make targets/claims/validators/runbook) and the user-engine/net-kingdom assessment (see T04) are cross-cutting enablers. See per-task notes (T02T09) for specifics; 0019 advances T06/T07/T08 for lifecycle automation; assessment fulfills UE boundary review portion of T04. Related: NET-WP-0019, docs/user-engine-netkingdom-integration-assessment.md.
### T02 - Document The Runtime Architecture
```task
@@ -109,6 +115,15 @@ The document should explain the working system as deployed, not an idealized
future architecture. It should be specific enough to guide a scratch rebuild
without requiring the operator to rediscover the same integration details.
**2026-06-03 (post 0017/0019 + assessment):** The runtime now includes the
T06-adjacent dry-run tooling (orchestrator + console/make exposure + evidence
discipline) as part of the control surface. Per the persisted assessment, the
arch doc must capture: current direct LLDAP/KeyCape paths for bootstrap users
(vs. future UE claims_enrichment adapter), membership facts in LLDAP groups
vs. UE Membership (owning_system etc.), bootstrap local-identity vs. UE local
mode, and the boundary contract as the governance layer. Include refs to
canon/standards/user-engine-boundary-contract_v0.1.md and the assessment.
### T03 - Produce A Bootstrap Retrospective And Automation Gap Matrix
```task
@@ -127,6 +142,18 @@ matrix covering state persistence, privacyIDEA realm repair, KeyCape image
delivery, OIDC callbacks, OpenBao claim mapping, token revocation, audit,
escrow, and rebuild verification.
**2026-06-03 (post 0017 close + 0019 polish):** Retrospective should now
incorporate: successful S6 reopen + platform_reopened flag + cleanup_complete
in .local/security-bootstrap.json; T06 dry-run evidence discipline (12+ bools
incl. effective_access_before_save, no_secret_material_recorded, lldap_identity_verified,
keycape_oidc_claims_verified, actor_class != king, !net-kingdom-admins for non-root);
safer secret handling via /tmp WORKSPACE + trap + k8s fallback (never write
sso-mfa/bootstrap/secrets for dry-runs); console as non-secret control surface
with runbooks + templates + validators; 0019 make targets and orchestrator as
repeatable automation. Gaps remaining: UE adapter integration (see assessment).
The first bootstrap's interactive repairs (realm drift, callbacks, claim shape,
token expiry, operator-state) are now partially automated via console/evidence.
### T04 - Review Repository Intent And Scope Boundaries
```task
@@ -147,6 +174,26 @@ unclear. The result should answer: where should a bug fix live, where should a
runbook live, where should validation live, and which repo owns live
deployment state.
**2026-06-03:** The user-engine/net-kingdom integration assessment (persisted in
`docs/user-engine-netkingdom-integration-assessment.md`, cross-referenced from
SCOPE.md Getting Oriented, canon/standards/user-engine-boundary-contract_v0.1.md,
docs/responsibility-map.md, user-engine-interface-guidance.md, and this/0019
workplans) provides a comprehensive review of intent, implemented scope (UE:
headless domain models + in-mem MVP + ports/adapters for claims/audit/projections;
NK: IAM orchestration + contracts + bootstrap), architectural fit (no intent
conflicts; UE owns user-domain facts/projections, NK orchestrates boundaries per
ADR-0007/0010/contract), and 7 specific gaps/risks (1. Missing Platform Integration
Adapters -- biggest; 2. Bootstrap/Platform Users vs. Governed UE Lifecycle;
3. App Onboarding "Application" concept overload; 4. Membership/Group overlap;
5. Governance/Workplan/Brief split (UE brief stale); 6. Claims Enrichment Path
drift (current direct LLDAP in NK/keycape paths); 7. Audit correlation). NK
bootstrap (0015-0017/0019) is allowed for local/non-prod per contract. This
largely fulfills the UE + boundary review portion of T04. Recommend follow-up
reviews or work items for key-cape (OIDC client vs UE Application Binding),
railiance-platform (deployment refs), and explicit transition rules for seeding
externally_provisioned memberships from IAM groups. The assessment recommends
using 0018's T07/T08 to drive integration tests/dry-runs once adapters exist.
### T05 - Create The Smooth Bootstrap Guide
```task
@@ -165,6 +212,18 @@ KeyCape deployment and client registration, OpenBao init/unseal/configuration,
OIDC admin binding, token cleanup, State Hub sync, and handoff to production
readiness.
**2026-06-03:** Base material exists in piecemeal form: docs/security-bootstrap-*.md
(user-lifecycle.md, operator-journey.md, king-credential-kit.md, openbao-ceremony-ux.md,
handover-cleanup.md, etc.), console lifecycle-guide (T05/T06 flows with previews),
and security-bootstrap-user-lifecycle.md (UX contract for show-effective-before-save,
actor classes, blocked conditions). The 0019 polish extended the console lifecycle-guide
with T06 DRY-RUN EXECUTION section (though that section still lists pre-orchestrator
manual secret steps; update to prefer make security-bootstrap-onboarding-dry-run +
dry-run-nonroot-user.sh + k8s fallback). T05 should consolidate into one
"NET-WP-0018 smooth bootstrap guide" (or update operator-journey) with explicit
evidence per step (linking the validate-* make targets and templates). 0019's
dry-run + evidence is the model for user-lifecycle portion of the guide.
### T06 - Align The Control Surface With The Bootstrap Guide
```task
@@ -183,6 +242,27 @@ clear when human custody or secret handling is required.
Done when the UI guides the same sequence as the bootstrap guide and makes
wrong-order execution visibly hard.
**2026-06-03 (0019 polish delivered):** Control surface now includes (in status,
available actions, parser, dispatch, runbook_payloads, web-ui capable):
- onboarding-dry-run-template / validate-onboarding-dry-run
- onboarding-dry-run (delegates to sso-mfa/k8s/lldap/dry-run-nonroot-user.sh)
- onboarding-dry-run-claims (uses print_dry_run_oidc_claims_verification, warns on
platform-root/admins groups)
- lifecycle-cleanup-dryrun-users (pattern offboard)
- lifecycle-guide (with T06 section)
- make targets: security-bootstrap-onboarding-dry-run (SUBJECT/EMAIL/DISPLAY),
security-bootstrap-lifecycle-cleanup-dryrun-users PATTERN=..., security-bootstrap-*
-validate-onboarding-dry-run etc.
The orchestrator (dry-run-nonroot-user.sh) uses /tmp workspace + EXIT trap,
prefers env/k8s for LLDAP_ADMIN_PASS (k8s fallback added to create-user.sh),
runs create --test, verifs (check-user-mfa, verify-openbao-client), optional
GraphQL lock/offboard, populates /tmp/.../evidence.json from template + live jq
data, then runs validate. Non-secret only. This fulfills much of the "convert
fragile copy-paste into scripts", "persist non-secret progress", "expose repair"
for the user-lifecycle slice. Full alignment awaits T05 guide + more validators
in T08 (e.g. for OIDC client, OpenBao config). See 0019 workplan for details;
lifecycle_guide T06 section needs refresh to deprecate old secret-mkdir path.
### T07 - Add Automated Tests For Bootstrap UI Sections And Runbooks
```task
@@ -208,7 +288,7 @@ impossible state.
**Note (NET-WP-0019 polish):** Include tests for the user-lifecycle dry-run (T06 from 0017/0019): the orchestrator script, onboarding-dry-run console command, claims verification (T05), cleanup helper, and evidence validators. See NET-WP-0019 workplan and sso-mfa/k8s/lldap/dry-run-nonroot-user.sh . This cross-links the T06-adjacent polish into 0018's automation goals.
See also `docs/user-engine-netkingdom-integration-assessment.md` for the broader intent/scope fit, gaps (esp. adapters), and recommendations.
See also `docs/user-engine-netkingdom-integration-assessment.md` for the broader intent/scope fit, gaps (esp. adapters), and recommendations. (The 0019 artifacts -- script, console subcmds, make targets, runbook entry, templates/validators -- are now the concrete implementation to cover with the layered tests in T07.)
### T08 - Integrate Validations Into The UI State Model
@@ -230,6 +310,22 @@ config, token policy proof, audit status, restore evidence, and State Hub sync.
Done when the UI can distinguish success, failure, error, and unknown states
for the critical bootstrap gates and the live setup satisfies those checks.
**2026-06-03 (0019 contribution):** Dry-run specific validators now exist:
onboarding_dry_run_template() + require_evidence_fields match + make
security-bootstrap-validate-onboarding-dry-run (calls console which runs
print_validate_onboarding_dry_run or equivalent, checks all *_true bools,
actor_class, groups, no secret markers, effective_access_summary etc.).
Console status/metadata shows many gates as "done" from prior evidence-driven
flags (e.g. platform_reopened, cleanup_complete, oidc_login_verified). The
evidence_validator_gate and build_gates logic support computing ok/fail from
live evidence rather than manual. Extend this pattern to other T08 targets
(KeyCape client, privacyIDEA realm, LLDAP membership, OpenBao OIDC, Authelia
routes, State Hub sync). 0019 also added claims verification as a hook that
can feed validation (infers from LLDAP groups + T01 role binding, surfaces
warnings). Use the dry-run orchestrator + /tmp evidence as a repeatable
fixture for these validators. See assessment for UE-side validation targets
once adapters land (e.g. claims_enrichment projection).
### T09 - Assess Scratch-Rebuild Risk And Define A Rehearsal Plan
```task
@@ -248,6 +344,26 @@ method, mitigation, and remaining human interaction. It should also recommend
whether the next rebuild should be a full teardown, an isolated parallel
cluster rehearsal, a namespace-level rehearsal, or a scripted dry run.
**2026-06-03 (post 0017/0019 + assessment):** Rebuild risk assessment (T09) will
be informed by: T02 arch (incl. UE integration points/gaps), T03 retrospective
(capturing what was fragile vs now automated via console/evidence/orchestrator),
T05 guide + evidence per step, T07 tests, T08 live validations (current metadata
shows S6 reopen with many flags true, but adapter gaps remain). From assessment:
- IAM-orchestration bootstrap (creds via creds-init skill, LLDAP/Keycloak direct,
OpenBao via KeyCape OIDC) is repeatable and rehearsable today with 0019 tooling.
- Full UE-backed user facts in rebuild: blocked until net-kingdom-specific
adapters (IdentityClaimsAdapter from KeyCape claims, AuthorizationCheckPort to
flex-auth, SecretProvider OpenBao, EventOutbox, AuditWriter, MembershipFactExporter)
are implemented (primarily in user-engine per contract; NK orchestrates).
- Other: direct LLDAP in paths (create-user, keycape) must route via claims_enrichment
adapter post-adapter to avoid drift. Bootstrap users (platform-root etc.) stay
IAM-side or seed externally_provisioned in UE. Recommend: T09 classify "UE
integration" as separate risk item with mitigation "implement adapters + NK
wiring + update dry-run to exercise UE projection"; current 0019 dry-run proves
the IAM-lifecycle contract. creds-init skill (in .claude/commands) provides
automated cred bootstrap entrypoint for rehearsal. No live destructive rebuild
as non-goal.
## Acceptance Criteria
- `NET-WP-0015` is closed, archived, or explicitly reconciled with remaining