chore(workplans): revise workplans post NK-WP-0005

NK-WP-0005: mark all tasks done, status → done
NK-WP-0003: T01 marked done (NK-WP-0004/0005 complete); pre-conditions
  updated; done criteria reflect agent-bootstrap model (no KeePassXC)
NK-WP-0001: status → deferred; T05-T08 (Keycloak) deferred indefinitely;
  superseded_by: NK-WP-0003 added

Active work path is now NK-WP-0003 T02-T09.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

workplans/NK-WP-0001-sso-mfa-platform.md

@@ -3,22 +3,39 @@ id: NK-WP-0001
 type: workplan
 title: "SSO & MFA Platform — Keycloak + privacyIDEA on Kubernetes"
 domain: netkingdom
-status: active
+status: deferred
 owner: worsch
 topic_slug: netkingdom
 state_hub_workstream_id: 39263c4b-ef70-4053-b782-350834b7e1be
 created: "2026-02-28"
-updated: "2026-03-05"
+updated: "2026-03-21"
+superseded_by: NK-WP-0003
 ---
 
 # SSO & MFA Platform — Keycloak + privacyIDEA on Kubernetes
 
+> **Status: DEFERRED (2026-03-21)**
+> The Keycloak path has been superseded by the KeyCape + Authelia + LLDAP
+> stack (NK-WP-0003). Keycloak is out of scope for the current deployment.
+>
+> - T01 (secret bootstrap) → replaced by NK-WP-0004 + NK-WP-0005
+> - T02 (K8s foundations) → done, reused by NK-WP-0003
+> - T03 (PostgreSQL) → done, reused by NK-WP-0003
+> - T04 (privacyIDEA) → superseded by NK-WP-0003-T04
+> - T05–T08 (Keycloak) → deferred indefinitely; revisit if/when Keycloak
+>   is needed for enterprise federation or SAML requirements
+>
+> **Active work: see NK-WP-0003.**
+
 ## Summary
 
-Deploy a hardened SSO and MFA platform on Kubernetes: Keycloak as the
+~~Deploy a hardened SSO and MFA platform on Kubernetes: Keycloak as the
 OIDC/SAML identity provider, privacyIDEA as the MFA/token engine,
-integrated via the privacyIDEA Keycloak Provider. This is the foundational
-security layer for the net-kingdom DevSecOps platform.
+integrated via the privacyIDEA Keycloak Provider.~~ Deferred — see NK-WP-0003.
+
+This workplan is retained as a reference for the Keycloak-based architecture
+decisions (D1–D5) and for the T01–T03 infrastructure that was built and
+remains in use.
 
 ## Context
 

workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md

@@ -29,8 +29,8 @@ covers everything needed to reach a production-ready identity plane.
 - [x] kubeconfig available at `~/.kube/config-hosteurope` — RAIL-BS-WP-0005 ✓
 - [x] All manifests committed — net-kingdom `sso-mfa/k8s/` ✓
 - [x] KeyCape v0.1 complete — KEY-WP-0001 ✓
-- [ ] SOPS + age integrated into net-kingdom (T01 below)
-- [ ] Credential ops-bundle generated and stored in KeePassXC (T01 below)
+- [x] SOPS + age integrated into net-kingdom — NK-WP-0004 ✓
+- [x] Agent-driven credential bootstrap ready — NK-WP-0005 ✓ (run `make creds-agent-init`)
 
 ## Architecture
 
@@ -51,31 +51,32 @@ Authelia    ──► PostgreSQL (authelia_db via CloudNativePG)
 
 ## Tasks
 
-### T01 — Credential setup: SOPS + age + ops-bundle
+### T01 — Credential setup
 
 ```task
 id: NK-WP-0003-T01
-status: todo
+status: done
 priority: high
 state_hub_task_id: "6a22e17e-5854-4f8b-b419-9dc86d490357"
+note: Superseded by NK-WP-0004 (credential foundation) and NK-WP-0005 (agent bootstrap).
+      Run `make creds-agent-init` to execute fully automated bootstrap.
+      The manual KeePassXC approach described here is retired — see
+      canon/standards/credential-management_v0.2.md for the current model.
 ```
 
-Net-kingdom currently uses a manual KeePassXC + age-bundle approach while
-railiance-infra uses SOPS with age keys. This task aligns them under the
-Credential Management Standard (`canon/standards/credential-management_v0.1.md`).
+~~Net-kingdom currently uses a manual KeePassXC + age-bundle approach~~
+Completed via NK-WP-0004 + NK-WP-0005. The credential foundation is in place:
 
-Steps:
-1. Verify the operator age keypair exists at `~/.config/sops/age/key.txt`
-   (reuse the railiance key if already present — one keypair per operator)
-2. Add `.sops.yaml` to net-kingdom root (mirror railiance-infra pattern):
-   - Encrypt files matching `secrets/.*` and `**/*.sops.yaml`
-   - Recipient: operator age public key
-3. Run `sso-mfa/bootstrap/gen-secrets.sh ./secrets` to generate all service secrets
-4. Store each secret in KeePassXC under the `net-kingdom/` group hierarchy
-   (see credential management standard for group layout)
-5. Run `sso-mfa/bootstrap/pack-bundle.sh ./secrets <age-pub-key>` → encrypted ops bundle
-6. Store ops bundle offsite (separate from KeePassXC)
-7. Shred plaintext secrets: `find secrets/ -type f -exec shred -u {} \;`
+- SOPS + age integrated — `~/.config/sops/age/keys.txt`, `.sops.yaml`, git hook
+- Agent bootstrap: `make creds-agent-init` runs the full flow autonomously
+- Credential standard: `canon/standards/credential-management_v0.2.md`
+
+To bootstrap credentials before T02–T09, run:
+```bash
+make creds-agent-init
+```
+This generates all secrets, encrypts to `secrets.enc/`, injects into the
+cluster, and delivers the emergency bundle. No KeePassXC steps required.
 
 ### T02 — Apply cluster foundations
 
@@ -289,9 +290,11 @@ from NK-WP-0001 T08 scope.
 
 ## Done criteria
 
+- [x] Credentials: `bootstrap_complete: true` in `creds-state.yaml` (NK-WP-0005)
 - [ ] All verify-t*.sh scripts exit 0
 - [ ] KeyCape acceptance test suite passes
 - [ ] DB restore drill completed
-- [ ] All key material backed up in KeePassXC + ops bundle
-- [ ] privacyIDEA enckey backed up (K8s Secret + KeePassXC)
+- [ ] Emergency bundle delivered and stored in personal password manager
+- [ ] Ops bundle stored offsite
+- [ ] privacyIDEA enckey backed up as K8s Secret (`privacyidea-enckey`)
 - [ ] Monitoring active (Prometheus scraping all three services)

workplans/NK-WP-0005-agent-driven-credential-bootstrap.md

@@ -4,7 +4,7 @@ type: workplan
 title: "Agent-Driven Credential Bootstrap — Zero Human Ops"
 domain: netkingdom
 repo: net-kingdom
-status: active
+status: done
 owner: custodian
 topic_slug: netkingdom
 created: "2026-03-21"
@@ -102,7 +102,7 @@ The ops bundle IS the backup. The emergency bundle IS the human's key ring.
 
 ```task
 id: NK-WP-0005-T01
-status: todo
+status: done
 priority: high
 state_hub_task_id: "6748cf8d-a7c7-47a2-b32a-2e26e05c4cba"
 ```
@@ -152,7 +152,7 @@ Add `schema_version: 2` so scripts can detect which model they are running.
 
 ```task
 id: NK-WP-0005-T02
-status: todo
+status: done
 priority: high
 state_hub_task_id: "22940c39-8645-40e1-b947-17e85ea6d902"
 ```
@@ -213,7 +213,7 @@ resumes from where it left off (idempotent re-runs skip completed phases).
 
 ```task
 id: NK-WP-0005-T03
-status: todo
+status: done
 priority: high
 state_hub_task_id: "42ce1486-5322-4cf2-9c71-1c1c61db5f46"
 ```
@@ -273,7 +273,7 @@ Only after Enter does the script continue and mark
 
 ```task
 id: NK-WP-0005-T04
-status: todo
+status: done
 priority: medium
 state_hub_task_id: "ca713ce7-6f2c-4f0c-8b6c-88fc6e559190"
 ```
@@ -316,7 +316,7 @@ to `/creds-init`.
 
 ```task
 id: NK-WP-0005-T05
-status: todo
+status: done
 priority: medium
 state_hub_task_id: "ac5d887e-c499-4cf6-91e7-90e2e0e78d4a"
 ```
@@ -345,7 +345,7 @@ creds-emergency-reprint:
 
 ```task
 id: NK-WP-0005-T06
-status: todo
+status: done
 priority: low
 state_hub_task_id: "2f0782f7-db5d-4b8a-920b-582548c4591f"
 ```
@@ -374,7 +374,7 @@ MUST be delivered before the old one is revoked.
 
 ```task
 id: NK-WP-0005-T07
-status: todo
+status: done
 priority: low
 state_hub_task_id: "42ac193d-7b56-48f7-8eba-757a6dad2fba"
 ```