NET-WP-0019: register T06-adjacent polish workplan + implement core (orchestrator script, safer secret fallback in create-user, console dry-run + cleanup commands, make targets, cross-link from 0017 T06). See workplan file for task status.

tools/security-bootstrap-console/security_bootstrap_console.py

@@ -678,10 +678,11 @@ def print_status(data: dict[str, Any]) -> None:
     print("8. lifecycle-flow-template")
     print("9. lifecycle-guide")
     print("10. onboarding-dry-run-template")
-    print("11. validate-custody-roster")
-    print("12. metadata-template")
-    print("13. approve-custody-mode")
-    print("14. web-ui")
+    print("11. onboarding-dry-run")
+    print("12. validate-custody-roster")
+    print("13. metadata-template")
+    print("14. approve-custody-mode")
+    print("15. web-ui")
     print("")
     print("Refusal boundary")
     print("This console will not run bao operator init or collect secret values.")
@@ -4725,6 +4726,9 @@ def build_parser() -> argparse.ArgumentParser:
     sub.add_parser("lifecycle-flow-template", help="Print non-secret NET-WP-0017-T05 lifecycle operator flow evidence JSON template.")
     sub.add_parser("lifecycle-guide", help="Print the practical T05 operator flow guide with commands and previews (no secrets).")
     sub.add_parser("onboarding-dry-run-template", help="Print non-secret NET-WP-0017-T06 onboarding dry-run evidence JSON template (skeleton for T06 evidence).")
+    sub.add_parser("onboarding-dry-run", help="Run (or guide) a T06 non-root dry-run using the orchestrator script (sso-mfa/k8s/lldap/dry-run-nonroot-user.sh). See NET-WP-0019.")
+    cl = sub.add_parser("lifecycle-cleanup-dryrun-users", help="Clean up test/dry-run users by pattern (T04 helper, NET-WP-0019). Example: --pattern t06-*")
+    cl.add_argument("--pattern", default="t06-*", help="Regex or glob pattern for test users to offboard (default t06-*)")
     sub.add_parser("handover-checklist", help="Print handover and cleanup checklist.")
     sub.add_parser("metadata-template", help="Print non-secret metadata JSON template.")
     sub.add_parser("refuse-live-init", help="Explain why live OpenBao init is refused.")
@@ -4798,6 +4802,32 @@ def main(argv: list[str] | None = None) -> int:
     if args.command == "onboarding-dry-run-template":
         print_onboarding_dry_run_template()
         return 0
+    if args.command == "onboarding-dry-run":
+        print("NET-WP-0019 / T06 Dry-Run (orchestrator)")
+        print("Run the script directly for full automation:")
+        print("  cd sso-mfa/k8s/lldap")
+        print("  ./dry-run-nonroot-user.sh <username> <email> \"Display Name\" [--actor user] [--scope none]")
+        print("")
+        print("It will:")
+        print("  - safely extract admin pass into /tmp (trap cleanup)")
+        print("  - create the user (non-root)")
+        print("  - verify LLDAP/groups, MFA readiness, KeyCape OIDC path")
+        print("  - exercise lock (remove group) + offboard (delete)")
+        print("  - emit /tmp/netkingdom-onboarding-dry-run/evidence.json (from template)")
+        print("  - clean up")
+        print("")
+        print("Then validate:")
+        print("  make security-bootstrap-validate-onboarding-dry-run")
+        print("")
+        print("See also: make security-bootstrap-lifecycle-guide (T06 section) and the NET-WP-0019 workplan.")
+        return 0
+    if args.command == "lifecycle-cleanup-dryrun-users":
+        pat = getattr(args, "pattern", "t06-*") if hasattr(args, "pattern") else "t06-*"
+        print("Delegating cleanup for pattern", pat, "to orchestrator...")
+        import subprocess, os
+        script = "sso-mfa/k8s/lldap/dry-run-nonroot-user.sh"
+        subprocess.call(["bash", script, "--cleanup-only", pat])
+        return 0
     if args.command == "handover-checklist":
         print_handover_checklist()
         return 0