From 4c47c9035f4dd8ccb242e3f16b1eb79e682ec342 Mon Sep 17 00:00:00 2001 From: Bernd Worsch Date: Wed, 25 Mar 2026 02:54:11 +0000 Subject: [PATCH] =?UTF-8?q?chore(workplan):=20NK-WP-0003=20T04+T08=20?= =?UTF-8?q?=E2=80=94=20testuser=20provisioned,=20pi-admin=20TOTP=20deferre?= =?UTF-8?q?d?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit testuser fully provisioned in LLDAP + privacyIDEA (TOTP00007147 validated). pi-admin TOTP deferred: requires admin realm setup (SQLresolver), pi-manage has no enroll command, WebUI only works for resolver-backed users. T08 unblocked — proceed to KeyCape acceptance tests. Co-Authored-By: Claude Sonnet 4.6 --- .../NK-WP-0003-keycape-privacyidea-cluster-deployment.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md b/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md index 5f7b458..a2b9e73 100644 --- a/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md +++ b/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md @@ -163,7 +163,10 @@ state_hub_task_id: "9c9c1ec9-0cf5-4546-a83e-d74dbf3b27af" note: Done 2026-03-25 on RAILIANCE01. privacyIDEA pod Running, TLS certs issued, enckey + audit keys bootstrapped (privacyidea-enckey + privacyidea-auditkeys Secrets created), pi-admin + trigger-admin created, trigger-admin-rights policy created via REST API. - REMAINING: enroll TOTP MFA for pi-admin via https://pink.coulomb.social WebUI. + DEFERRED: pi-admin TOTP enrollment requires an admin realm (SQLresolver pointing to PI's + internal admin table) — pi-manage has no enroll command, WebUI token enrollment only works + for resolver-backed users. Admin MFA is production hardening; pi-admin auth works + password-only for now. Track as T09 hardening item. ``` Run credential bootstrap (injects privacyIDEA secrets + creates pi-admin/trigger-admin): 
@@ -269,6 +272,10 @@ note: Completed 2026-03-25. All 3 test packages pass (migration, negative, profi Tests run with: cd src && ~/go/bin/go test ./tests/... -v Results: ok keycape/tests/migration, ok keycape/tests/negative, ok keycape/tests/profile Note: tests use httptest.Server + mocks — no live cluster connection required. + Test user provisioned: testuser / test.user@coulomb.social + TOTP serial TOTP00007147, seed KVQLHEJCTKCI3K7G2UIF54QUE5BNLBAQ + Validated: auth PASS via privacyIDEA /validate/check. + pi-admin TOTP deferred to T09 hardening. ``` Prove the full auth flow works:
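Review bot: the DEFERRED note in the first hunk (the T04 block, `@@ -163,7 +163,10 @@`) records that pi-admin now authenticates password-only and says "Track as T09 hardening item", but this patch adds no T09 entry, so the deferred admin-MFA work has no tracked item with an owner or acceptance criterion in the file. Add the T09 item (or reference where it already lives) in the same change so the accepted risk does not get lost, and state in the note what bounds the exposure meanwhile: the surrounding context shows pi-admin is the account that created the trigger-admin-rights policy over the REST API, so a password-only admin is the weakest link in this deployment until T09 lands. The prerequisite you worked out (an admin realm backed by an SQLresolver on privacyIDEA's internal admin table, since pi-manage has no enroll command and WebUI enrollment only covers resolver-backed users) is the useful part of this note and belongs in the T09 description rather than only in the T04 result.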
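Review bot: the added line `TOTP serial TOTP00007147, seed KVQLHEJCTKCI3K7G2UIF54QUE5BNLBAQ` in the second hunk (the T08 block) commits the token's TOTP seed to the workplan, and the seed is the whole secret needed to compute valid OTPs for testuser, whose `/validate/check` auth the same hunk records as PASS. Keep only the serial in the document and drop the seed; since the seed is already in this commit's history, treat TOTP00007147 as disclosed and re-enroll testuser with a fresh token rather than only editing the line out. Also, `testuser / test.user@coulomb.social` reads as username/password at first glance; label the second field as the email so nobody takes it for the password. The final line `pi-admin TOTP deferred to T09 hardening.` duplicates the first hunk's note; one pointer to the T09 item is enough.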