docs(NET-WP-0020): T5 automation ready; operator apply is next gate

Update workplan T5 to progress and assessment next-actions for live cluster apply before WP-0008 warden sign smoke.
2026-06-18 01:06:43 +02:00
parent 6336c28626
commit 5a5eb482d4
2 changed files with 12 additions and 9 deletions
--- a/history/2026-06-17-openbao-ssh-custody-and-bootstrap-assessment.md
+++ b/history/2026-06-17-openbao-ssh-custody-and-bootstrap-assessment.md
@@ -196,7 +196,7 @@ make security-bootstrap-console METADATA="$METADATA"
    → railiance-platform openbao-deploy
    → net-kingdom creds-bootstrap-agent (sops-held init/unseal)     [T2]
    → railiance-platform openbao-configure-initial                  [exists]
-    → railiance-platform openbao-configure-ssh                       [T5 — next]
+    → railiance-platform openbao-configure-ssh                       [T5 — scripted; operator apply pending]
    → railiance-infra bootstrap-ssh-ca (CA pubkey + principals)     [T5]
    → ops-warden warden sign smoke                                  [WP-0008 T2]
    → (later) flex-auth policy.enabled                              [WP-0008 T5]
@@ -230,10 +230,11 @@ automate actor key lifecycle (`warden issue`, credential roster, rotation).
 ## 10. Next actions (ordered)

 1. ~~Persist this assessment~~ (this file)  
-2. **NET-WP-0020 T5** — `openbao-apply-ssh-engine.sh` + railiance-infra host CA role  
-3. **WP-0008 T2** — `warden sign` smoke + append `openbao-production-verify.md`  
-4. **NET-WP-0020 T2** — wire `creds-bootstrap-agent.sh` for greenfield init/unseal  
-5. **NET-WP-0020 T3/T4** — unlock attended + auto-unseal console paths  
+2. ~~**NET-WP-0020 T5** — automation artifacts in railiance-platform + railiance-infra~~ (2026-06-18)  
+3. **Operator apply** — `make openbao-configure-ssh` then `make bootstrap-ssh-ca` (Track A)  
+4. **WP-0008 T2** — `warden sign` smoke + append `openbao-production-verify.md`  
+5. **NET-WP-0020 T2** — wire `creds-bootstrap-agent.sh` for greenfield init/unseal  
+6. **NET-WP-0020 T3/T4** — unlock attended + auto-unseal console paths  

 ---

--- a/workplans/NET-WP-0020-openbao-unseal-custody-and-ssh-automation.md
+++ b/workplans/NET-WP-0020-openbao-unseal-custody-and-ssh-automation.md
@@ -8,7 +8,7 @@ status: active
 owner: codex
 topic_slug: net-kingdom
 created: "2026-06-17"
-updated: "2026-06-17"
+updated: "2026-06-18"
 ---

 # NET-WP-0020 — OpenBao Unseal Custody Models and SSH Automation Path
@@ -78,12 +78,14 @@ priority: medium

 ```task
 id: NET-WP-0020-T05
-status: todo
+status: progress
 priority: high
 ```

- [ ] `railiance-platform`: `openbao-configure-ssh` declarative script
- [ ] `railiance-infra`: `bootstrap-ssh-ca` role + inventory sync
+- [x] `railiance-platform`: `openbao-configure-ssh` declarative script + Makefile targets
+- [x] `railiance-infra`: `bootstrap-ssh-ca` role + `ssh_principals.yaml` inventory
+- [ ] Live apply: `make openbao-configure-ssh` on Railiance OpenBao (operator token)
+- [ ] Live apply: `make bootstrap-ssh-ca` on managed hosts
 - [ ] Close `ops-warden` WP-0008 T2 verification gate

 ---