docs(NET-WP-0018): add explicit guidance in Coordination Notes on using pragmatic auditing/tracking infra (State Hub progress/decisions, workplan dated notes, git, console evidence/metadata, local audit) during 0018 implementation to feed T03 retrospective + optimization review

- References existing audit_core bootstrap risk acceptance (production sink deferred)
- Cross-refs T03 gap matrix (includes audit), T02 (document current pragmatic audit paths), assessment gap 7 (correlation), local-identity/audit.py, contract requirements
- Answers query: pragmatic is sufficient and intended for tracking the workplan work + retrospect; do not block on establishing full production Audit Core first (risk accepted for bootstrap phase)
- Per session protocol + ADR-001 (file first)
2026-06-03 16:17:46 +02:00
parent 000d263bea
commit 6e05946163


@@ -62,6 +62,22 @@ say which interactions remain genuinely unavoidable.
- Treat interactive prompts as an explicit design boundary: automate everything
that can be automated safely, and document why each remaining human action is
required.
- Pragmatic auditing / tracking for implementing *this workplan*: use State Hub
/progress/ (and /decisions/ for key choices e.g. during T02/T04), dated notes
+ task status in this file (source of truth per ADR-001), descriptive git
commits, console evidence/validators + .local/security-bootstrap.json when
exercising paths, /tmp evidence, and runbooks. These artifacts (plus bumps
encountered while doing T02T08) directly feed T03 retrospective and gap
matrix (which explicitly covers "audit" among other items). This enables
post-impl review for optimization potential without requiring production
Audit Core first. See audit_core_* fields in metadata (bootstrap risk
accepted=true; production sink ready=false; temp exception with owner/review
2026-07-02 per .local and console gates). Proper cross-system audit
correlation (UE + flex-auth + platform sinks per contract/assessment gap 7)
remains a follow-up; document current pragmatic paths (local-identity/audit.py
TSV, OpenBao PVC + mock, State Hub/console evidence, separate bootstrap
audit) in T02 arch doc and T03 matrix. Do not block 0018 start on full Audit
Core.
## Related (post-0019 + assessment)
- NET-WP-0019 (T06-adjacent user lifecycle dry-run polish; advanced control surface, evidence, claims for T06/T07/T08)
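Review bot: The added bullet counts "/tmp evidence" and ".local/security-bootstrap.json" among the artifacts that "directly feed T03 retrospective", but it does not say how either is retained. /tmp contents are commonly cleared on reboot, and both are local paths, so the retrospective could find the evidence gone. Suggest adding one sentence that says where such evidence is copied or referenced before it is relied on, for example a dated note in this file or a State Hub /progress/ entry, both of which the bullet already names. Two smaller points in the same bullet: "T02T08" looks like it has lost its range separator, and the review date "2026-07-02" restates a value the text says lives in the audit_core_* metadata fields, so consider pointing at the field only so the two cannot drift. The bullet also carries the tracking guidance, the risk-acceptance reference and the follow-up on cross-system correlation in one 16-line item. Splitting it into sub-bullets would make the "Do not block 0018 start on full Audit Core" decision easier to find.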