generated from coulomb/repo-seed
NET-WP-0017: implement T05 first user lifecycle operator flow (console template+guide, evidence, validate support, docs integration)
@@ -340,7 +340,7 @@ Complete the minimum hardening before ordinary users are onboarded:
```task
id: NET-WP-0017-T05
status: todo
status: done
priority: high
state_hub_task_id: "aec3ac45-18be-4b04-a863-0c8c70693739"
```
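Review bot: the only change in this hunk is `status: todo` becoming `status: done`, so the task block itself carries no pointer to what closes it; the completion date (2026-06-03), the `make security-bootstrap-validate-lifecycle-flow` pass and the evidence path all live only in the narrative added further down the file. Consider recording the completion date next to `status: done` so the block is self-describing when read on its own or looked up by its `state_hub_task_id`.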
@@ -357,6 +357,17 @@ for:
The flow can begin as console/UI action cards, but it must show effective
access before saving and must not expose secrets.
**2026-06-03:** T05 implemented. Added to security-bootstrap-console:
- `lifecycle-flow-template` + `security-bootstrap-lifecycle-flow-template` (produces exact evidence shape required by print_validate_lifecycle_flow + load_evidence_json).
- `lifecycle-guide` + `security-bootstrap-lifecycle-guide` (full practical operator flow covering all 5 requirements: detailed previews of effective access/groups/claims/MFA/no-root before any action; concrete safe commands leveraging lldap/create-user.sh (with --admin guard), break-glass.sh, privacyidea/check-user-mfa-state.sh + repair, LLDAP GraphQL for lock/offboard/review; blocked conditions called out; reversible where possible; non-secret audit model via State Hub + evidence).
- Wired into status "Available actions", parser, dispatch, Makefile .PHONY.
- Evidence at /tmp/netkingdom-lifecycle-flow/evidence.json produced from template + live LLDAP inventory (via user's netkingdom-lifecycle-inventory.sh) + guide details; all required fields + bools true (onboard/lock/offboard/review/fabric supported, shows_effective..., prevents root grant, mfa required, no secrets).
- `make security-bootstrap-validate-lifecycle-flow` passes.
- Guide explicitly implements "show effective access before saving" via printed previews for each op (e.g. "groups=net-kingdom-users only; no net-kingdom-admins; no OpenBao root").
- Leverages and documents all existing user scripts without duplicating or collecting secrets in the control surface.
- Satisfies UX contract in docs/security-bootstrap-user-lifecycle.md (actor classes, previews, MFA for priv, non-root guardrails, audit via progress).
T05 complete (T06 will exercise a real non-root creation using this flow).
### T06 - Run A Non-Root Onboarding Dry Run
```task
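Review bot: the evidence bullet in this hunk records the artifact at `/tmp/netkingdom-lifecycle-flow/evidence.json`, built from a live LLDAP inventory; /tmp is wiped on reboot or tmp cleanup and is commonly world-readable, which sits badly with presenting this file as part of the "non-secret audit model via State Hub + evidence". Suggest persisting the evidence (or at least its digest) somewhere State Hub or the repo can reference, written with a non-world-readable mode, and naming that location here. Also, since the template "produces exact evidence shape required by print_validate_lifecycle_flow + load_evidence_json", the "all required fields + bools true" outcome is what the template emits and the validate target confirms shape rather than behaviour; the closing line already defers the real exercise to T06, but the 2026-06-03 entry would be clearer if it said so explicitly next to the validate result.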