diff --git a/workplans/NET-WP-0018-bootstrap-automation-and-rebuild-readiness.md b/workplans/NET-WP-0018-bootstrap-automation-and-rebuild-readiness.md index 878ddc8..d0d6fbb 100644 --- a/workplans/NET-WP-0018-bootstrap-automation-and-rebuild-readiness.md +++ b/workplans/NET-WP-0018-bootstrap-automation-and-rebuild-readiness.md @@ -8,7 +8,7 @@ status: active owner: codex topic_slug: netkingdom created: "2026-06-01" -updated: "2026-06-01" +updated: "2026-06-03" depends_on: - NET-WP-0015 - NET-WP-0017 @@ -63,6 +63,10 @@ say which interactions remain genuinely unavoidable. that can be automated safely, and document why each remaining human action is required. +## Related (post-0019 + assessment) +- NET-WP-0019 (T06-adjacent user lifecycle dry-run polish; advanced control surface, evidence, claims for T06/T07/T08) +- docs/user-engine-netkingdom-integration-assessment.md (detailed T04 boundary/intent/scope review for user-engine integration + 7 gaps; cross-referenced from SCOPE etc.) + ## Tasks ### T01 - Close Or Hand Off NET-WP-0015 Remaining Gates @@ -91,6 +95,8 @@ path retirement and credential reset/rotation; T07 owns final archive review. `NET-WP-0018` now continues with architecture documentation, retrospective, guide, UI automation, validations, and rebuild-risk assessment. +**2026-06-03:** 0019 polish (dry-run orchestrator, console subcommands/make targets/claims/validators/runbook) and the user-engine/net-kingdom assessment (see T04) are cross-cutting enablers. See per-task notes (T02–T09) for specifics; 0019 advances T06/T07/T08 for lifecycle automation; assessment fulfills UE boundary review portion of T04. Related: NET-WP-0019, docs/user-engine-netkingdom-integration-assessment.md. + ### T02 - Document The Runtime Architecture ```task @@ -109,6 +115,15 @@ The document should explain the working system as deployed, not an idealized future architecture. It should be specific enough to guide a scratch rebuild without requiring the operator to rediscover the same integration details. +**2026-06-03 (post 0017/0019 + assessment):** The runtime now includes the +T06-adjacent dry-run tooling (orchestrator + console/make exposure + evidence +discipline) as part of the control surface. Per the persisted assessment, the +arch doc must capture: current direct LLDAP/KeyCape paths for bootstrap users +(vs. future UE claims_enrichment adapter), membership facts in LLDAP groups +vs. UE Membership (owning_system etc.), bootstrap local-identity vs. UE local +mode, and the boundary contract as the governance layer. Include refs to +canon/standards/user-engine-boundary-contract_v0.1.md and the assessment. + ### T03 - Produce A Bootstrap Retrospective And Automation Gap Matrix ```task @@ -127,6 +142,18 @@ matrix covering state persistence, privacyIDEA realm repair, KeyCape image delivery, OIDC callbacks, OpenBao claim mapping, token revocation, audit, escrow, and rebuild verification. +**2026-06-03 (post 0017 close + 0019 polish):** Retrospective should now +incorporate: successful S6 reopen + platform_reopened flag + cleanup_complete +in .local/security-bootstrap.json; T06 dry-run evidence discipline (12+ bools +incl. effective_access_before_save, no_secret_material_recorded, lldap_identity_verified, +keycape_oidc_claims_verified, actor_class != king, !net-kingdom-admins for non-root); +safer secret handling via /tmp WORKSPACE + trap + k8s fallback (never write +sso-mfa/bootstrap/secrets for dry-runs); console as non-secret control surface +with runbooks + templates + validators; 0019 make targets and orchestrator as +repeatable automation. Gaps remaining: UE adapter integration (see assessment). +The first bootstrap's interactive repairs (realm drift, callbacks, claim shape, +token expiry, operator-state) are now partially automated via console/evidence. + ### T04 - Review Repository Intent And Scope Boundaries ```task @@ -147,6 +174,26 @@ unclear. The result should answer: where should a bug fix live, where should a runbook live, where should validation live, and which repo owns live deployment state. +**2026-06-03:** The user-engine/net-kingdom integration assessment (persisted in +`docs/user-engine-netkingdom-integration-assessment.md`, cross-referenced from +SCOPE.md Getting Oriented, canon/standards/user-engine-boundary-contract_v0.1.md, +docs/responsibility-map.md, user-engine-interface-guidance.md, and this/0019 +workplans) provides a comprehensive review of intent, implemented scope (UE: +headless domain models + in-mem MVP + ports/adapters for claims/audit/projections; +NK: IAM orchestration + contracts + bootstrap), architectural fit (no intent +conflicts; UE owns user-domain facts/projections, NK orchestrates boundaries per +ADR-0007/0010/contract), and 7 specific gaps/risks (1. Missing Platform Integration +Adapters -- biggest; 2. Bootstrap/Platform Users vs. Governed UE Lifecycle; +3. App Onboarding "Application" concept overload; 4. Membership/Group overlap; +5. Governance/Workplan/Brief split (UE brief stale); 6. Claims Enrichment Path +drift (current direct LLDAP in NK/keycape paths); 7. Audit correlation). NK +bootstrap (0015-0017/0019) is allowed for local/non-prod per contract. This +largely fulfills the UE + boundary review portion of T04. Recommend follow-up +reviews or work items for key-cape (OIDC client vs UE Application Binding), +railiance-platform (deployment refs), and explicit transition rules for seeding +externally_provisioned memberships from IAM groups. The assessment recommends +using 0018's T07/T08 to drive integration tests/dry-runs once adapters exist. + ### T05 - Create The Smooth Bootstrap Guide ```task @@ -165,6 +212,18 @@ KeyCape deployment and client registration, OpenBao init/unseal/configuration, OIDC admin binding, token cleanup, State Hub sync, and handoff to production readiness. +**2026-06-03:** Base material exists in piecemeal form: docs/security-bootstrap-*.md +(user-lifecycle.md, operator-journey.md, king-credential-kit.md, openbao-ceremony-ux.md, +handover-cleanup.md, etc.), console lifecycle-guide (T05/T06 flows with previews), +and security-bootstrap-user-lifecycle.md (UX contract for show-effective-before-save, +actor classes, blocked conditions). The 0019 polish extended the console lifecycle-guide +with T06 DRY-RUN EXECUTION section (though that section still lists pre-orchestrator +manual secret steps; update to prefer make security-bootstrap-onboarding-dry-run + +dry-run-nonroot-user.sh + k8s fallback). T05 should consolidate into one +"NET-WP-0018 smooth bootstrap guide" (or update operator-journey) with explicit +evidence per step (linking the validate-* make targets and templates). 0019's +dry-run + evidence is the model for user-lifecycle portion of the guide. + ### T06 - Align The Control Surface With The Bootstrap Guide ```task @@ -183,6 +242,27 @@ clear when human custody or secret handling is required. Done when the UI guides the same sequence as the bootstrap guide and makes wrong-order execution visibly hard. +**2026-06-03 (0019 polish delivered):** Control surface now includes (in status, +available actions, parser, dispatch, runbook_payloads, web-ui capable): +- onboarding-dry-run-template / validate-onboarding-dry-run +- onboarding-dry-run (delegates to sso-mfa/k8s/lldap/dry-run-nonroot-user.sh) +- onboarding-dry-run-claims (uses print_dry_run_oidc_claims_verification, warns on + platform-root/admins groups) +- lifecycle-cleanup-dryrun-users (pattern offboard) +- lifecycle-guide (with T06 section) +- make targets: security-bootstrap-onboarding-dry-run (SUBJECT/EMAIL/DISPLAY), + security-bootstrap-lifecycle-cleanup-dryrun-users PATTERN=..., security-bootstrap-* + -validate-onboarding-dry-run etc. +The orchestrator (dry-run-nonroot-user.sh) uses /tmp workspace + EXIT trap, +prefers env/k8s for LLDAP_ADMIN_PASS (k8s fallback added to create-user.sh), +runs create --test, verifs (check-user-mfa, verify-openbao-client), optional +GraphQL lock/offboard, populates /tmp/.../evidence.json from template + live jq +data, then runs validate. Non-secret only. This fulfills much of the "convert +fragile copy-paste into scripts", "persist non-secret progress", "expose repair" +for the user-lifecycle slice. Full alignment awaits T05 guide + more validators +in T08 (e.g. for OIDC client, OpenBao config). See 0019 workplan for details; +lifecycle_guide T06 section needs refresh to deprecate old secret-mkdir path. + ### T07 - Add Automated Tests For Bootstrap UI Sections And Runbooks ```task @@ -208,7 +288,7 @@ impossible state. **Note (NET-WP-0019 polish):** Include tests for the user-lifecycle dry-run (T06 from 0017/0019): the orchestrator script, onboarding-dry-run console command, claims verification (T05), cleanup helper, and evidence validators. See NET-WP-0019 workplan and sso-mfa/k8s/lldap/dry-run-nonroot-user.sh . This cross-links the T06-adjacent polish into 0018's automation goals. -See also `docs/user-engine-netkingdom-integration-assessment.md` for the broader intent/scope fit, gaps (esp. adapters), and recommendations. +See also `docs/user-engine-netkingdom-integration-assessment.md` for the broader intent/scope fit, gaps (esp. adapters), and recommendations. (The 0019 artifacts -- script, console subcmds, make targets, runbook entry, templates/validators -- are now the concrete implementation to cover with the layered tests in T07.) ### T08 - Integrate Validations Into The UI State Model @@ -230,6 +310,22 @@ config, token policy proof, audit status, restore evidence, and State Hub sync. Done when the UI can distinguish success, failure, error, and unknown states for the critical bootstrap gates and the live setup satisfies those checks. +**2026-06-03 (0019 contribution):** Dry-run specific validators now exist: +onboarding_dry_run_template() + require_evidence_fields match + make +security-bootstrap-validate-onboarding-dry-run (calls console which runs +print_validate_onboarding_dry_run or equivalent, checks all *_true bools, +actor_class, groups, no secret markers, effective_access_summary etc.). +Console status/metadata shows many gates as "done" from prior evidence-driven +flags (e.g. platform_reopened, cleanup_complete, oidc_login_verified). The +evidence_validator_gate and build_gates logic support computing ok/fail from +live evidence rather than manual. Extend this pattern to other T08 targets +(KeyCape client, privacyIDEA realm, LLDAP membership, OpenBao OIDC, Authelia +routes, State Hub sync). 0019 also added claims verification as a hook that +can feed validation (infers from LLDAP groups + T01 role binding, surfaces +warnings). Use the dry-run orchestrator + /tmp evidence as a repeatable +fixture for these validators. See assessment for UE-side validation targets +once adapters land (e.g. claims_enrichment projection). + ### T09 - Assess Scratch-Rebuild Risk And Define A Rehearsal Plan ```task @@ -248,6 +344,26 @@ method, mitigation, and remaining human interaction. It should also recommend whether the next rebuild should be a full teardown, an isolated parallel cluster rehearsal, a namespace-level rehearsal, or a scripted dry run. +**2026-06-03 (post 0017/0019 + assessment):** Rebuild risk assessment (T09) will +be informed by: T02 arch (incl. UE integration points/gaps), T03 retrospective +(capturing what was fragile vs now automated via console/evidence/orchestrator), +T05 guide + evidence per step, T07 tests, T08 live validations (current metadata +shows S6 reopen with many flags true, but adapter gaps remain). From assessment: +- IAM-orchestration bootstrap (creds via creds-init skill, LLDAP/Keycloak direct, + OpenBao via KeyCape OIDC) is repeatable and rehearsable today with 0019 tooling. +- Full UE-backed user facts in rebuild: blocked until net-kingdom-specific + adapters (IdentityClaimsAdapter from KeyCape claims, AuthorizationCheckPort to + flex-auth, SecretProvider OpenBao, EventOutbox, AuditWriter, MembershipFactExporter) + are implemented (primarily in user-engine per contract; NK orchestrates). +- Other: direct LLDAP in paths (create-user, keycape) must route via claims_enrichment + adapter post-adapter to avoid drift. Bootstrap users (platform-root etc.) stay + IAM-side or seed externally_provisioned in UE. Recommend: T09 classify "UE + integration" as separate risk item with mitigation "implement adapters + NK + wiring + update dry-run to exercise UE projection"; current 0019 dry-run proves + the IAM-lifecycle contract. creds-init skill (in .claude/commands) provides + automated cred bootstrap entrypoint for rehearsal. No live destructive rebuild + as non-goal. + ## Acceptance Criteria - `NET-WP-0015` is closed, archived, or explicitly reconciled with remaining