coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

openbao king credential bootstrapping

Browse Source
This commit is contained in:
Bernd Worsch
2026-05-24 09:26:02 +02:00
parent 7d55cb8bd3
commit 1d0b0e7330
18 changed files with 3080 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

202
workplans/NET-WP-0016-guided-security-bootstrap-experience.md Normal file
View File

@@ -0,0 +1,202 @@
---
id: NET-WP-0016
type: workplan
title: "Guided Security Bootstrap Experience"
domain: netkingdom
repo: net-kingdom
status: finished
owner: codex
topic_slug: netkingdom
created: "2026-05-24"
updated: "2026-05-24"
depends_on:
- NET-WP-0015
- NK-WP-0012
state_hub_workstream_id: "16069174-6698-4855-ad9e-5092c8571f38"
---
# NET-WP-0016 - Guided Security Bootstrap Experience
## Goal
Create the operator-facing bootstrap experience that makes NetKingdom and
OpenBao security setup understandable, repeatable, and safe for non-experts.
The platform should be possible to assemble with a low-trust setup operator,
then hand over to a dedicated king credential, reset and harden the bootstrap
state, and reopen under explicit custody.
## Context
Railiance and NetKingdom have reached a point where raw runbooks are not enough.
The infrastructure is still early and evolving, and the human operator does not
need to be an OpenBao/Keycloak/flex-auth expert to take the next safe step.
Good security here should feel like guided operations: visible trust stage,
clear blocked actions, plain-language explanations, and no accidental secret
exposure.
## Scope
In scope:
- define bootstrap use cases for king credential setup, user lifecycle,
OpenBao bootstrap, fabric setup, break-glass, and multi-custodian upgrade;
- design the first local operator console/checklist flow;
- define safety gates for live OpenBao initialization;
- define non-secret status records and audit/progress events;
- define where the UI reads status from NetKingdom, Railiance, and State Hub;
and
- implement a first minimal CLI or local UI if the design stabilizes.
Out of scope:
- storing or displaying secret values;
- implementing the full web UI before the workflow is validated;
- replacing OpenBao, key-cape, Keycloak, or flex-auth administrative UIs;
- unattended OpenBao initialization; and
- sending root material or recovery secrets by email.
## Tasks
### T01 - Define Bootstrap Use Cases
```task
id: NET-WP-0016-T01
status: done
priority: high
state_hub_task_id: "67af8a29-7ca1-4a9d-be3e-bdc48dd2d1fd"
```
Document the canonical bootstrap use cases and trust stages.
**2026-05-24:** Added `docs/security-bootstrap-use-cases.md` covering king
credential setup, onboarding, temporary lockout, permanent lockout/offboarding,
credential review/rotation, new fabric admin setup, OpenBao bootstrap, custody
handover, and later multi-custodian upgrade.
### T02 - Design The First Operator Journey
```task
id: NET-WP-0016-T02
status: done
priority: high
state_hub_task_id: "662e439b-5fba-4e17-bc62-0ace97ba8788"
```
Design the first command-driven or local-web operator journey: trust stage,
next safe action, blocked gates, preflight checks, custody packet template, and
clear plain-language instructions.
**2026-05-24:** Added `docs/security-bootstrap-operator-journey.md`. The first
journey uses a quiet `whynot-design` control surface: trust stage, one next
safe action, blocked gates, evidence rows, and a refusal boundary around live
OpenBao initialization.
### T03 - Define King Credential Kit Output
```task
id: NET-WP-0016-T03
status: done
priority: high
state_hub_task_id: "98aba75f-a7c1-4486-be7f-e8d1148d5303"
```
Define the non-secret artifacts the bootstrap experience can generate for the
king credential: checklist, custody packet template, OTP setup instructions,
password-safe guidance, and verification prompts.
**2026-05-24:** Added `docs/security-bootstrap-king-credential-kit.md`.
### T04 - Define User Lifecycle Flows
```task
id: NET-WP-0016-T04
status: done
priority: high
state_hub_task_id: "44766b45-21b8-45cd-8c0a-0ca8281ae8e9"
```
Define guided flows for onboarding, temporary lockout, permanent lockout,
offboarding, credential review, credential rotation, and delegated fabric admin
setup.
**2026-05-24:** Added `docs/security-bootstrap-user-lifecycle.md`.
### T05 - Define OpenBao Ceremony UX
```task
id: NET-WP-0016-T05
status: done
priority: high
state_hub_task_id: "53f55c99-8403-4b58-9ed4-b03e68c1ef3c"
```
Translate the Railiance OpenBao ceremony into a guided sequence that can show
status, block unsafe live init, guide offline custody, and record non-secret
completion evidence.
**2026-05-24:** Added `docs/security-bootstrap-openbao-ceremony-ux.md`.
### T06 - Prototype Local Bootstrap Console
```task
id: NET-WP-0016-T06
status: done
priority: medium
state_hub_task_id: "ef1c8ee4-250c-479a-b0fb-0b5cf4249bd9"
```
Implement the first minimal local operator console or CLI once the journey is
clear. It should read status, print checklists, run safe preflight commands,
and refuse live bootstrap when gates are missing.
**2026-05-24:** Added
`tools/security-bootstrap-console/security_bootstrap_console.py`, a read-only
local console with status, king-kit, custody-packet, handover-checklist,
metadata-template, and OpenBao preflight commands. Added Make targets for the
safe entry points. The console refuses live OpenBao init.
### T07 - Define Handover And Cleanup Gates
```task
id: NET-WP-0016-T07
status: done
priority: medium
state_hub_task_id: "46c7e3dc-e824-46ef-833d-9a83189735e0"
```
Define the post-king handover cleanup flow: reset databases, rotate tokens,
review admin accounts, run scan/check steps, verify backups, and mark the
platform reopened under king oversight.
**2026-05-24:** Added `docs/security-bootstrap-handover-cleanup.md`.
### T08 - Review Related Workplans On Closeout
```task
id: NET-WP-0016-T08
status: done
priority: medium
state_hub_task_id: "7665f6ac-6b0e-4a09-8a9b-9d2150310114"
```
When this workplan closes, review related NetKingdom and Railiance security
workplans to update stale bootstrap assumptions, retire superseded tasks, and
add follow-ups where the guided bootstrap experience becomes the canonical
operator path.
**2026-05-24:** Added
`docs/security-bootstrap-related-workplan-review.md`, kept `NK-WP-0004` and
`NK-WP-0005` as substrate workplans with closeout notes, left historical
`NK-WP-0001` archived, and updated stale Railiance OpenBao custody wording.
## Acceptance Criteria
- The setup operator can see the current trust stage and next safe action.
- Live OpenBao init remains blocked until king credential and custody gates are
satisfied.
- User lifecycle operations are described in plain, auditable flows.
- New fabrics can receive delegated admins without granting platform root.
- Secret values are never stored or displayed by the bootstrap experience.
- The path to two-of-three custody is explicit and low-friction.