diff --git a/workplans/NET-WP-0018-bootstrap-automation-and-rebuild-readiness.md b/workplans/NET-WP-0018-bootstrap-automation-and-rebuild-readiness.md index d0d6fbb..1f85cf1 100644 --- a/workplans/NET-WP-0018-bootstrap-automation-and-rebuild-readiness.md +++ b/workplans/NET-WP-0018-bootstrap-automation-and-rebuild-readiness.md @@ -62,6 +62,22 @@ say which interactions remain genuinely unavoidable. - Treat interactive prompts as an explicit design boundary: automate everything that can be automated safely, and document why each remaining human action is required. +- Pragmatic auditing / tracking for implementing *this workplan*: use State Hub + /progress/ (and /decisions/ for key choices e.g. during T02/T04), dated notes + + task status in this file (source of truth per ADR-001), descriptive git + commits, console evidence/validators + .local/security-bootstrap.json when + exercising paths, /tmp evidence, and runbooks. These artifacts (plus bumps + encountered while doing T02–T08) directly feed T03 retrospective and gap + matrix (which explicitly covers "audit" among other items). This enables + post-impl review for optimization potential without requiring production + Audit Core first. See audit_core_* fields in metadata (bootstrap risk + accepted=true; production sink ready=false; temp exception with owner/review + 2026-07-02 per .local and console gates). Proper cross-system audit + correlation (UE + flex-auth + platform sinks per contract/assessment gap 7) + remains a follow-up; document current pragmatic paths (local-identity/audit.py + TSV, OpenBao PVC + mock, State Hub/console evidence, separate bootstrap + audit) in T02 arch doc and T03 matrix. Do not block 0018 start on full Audit + Core. ## Related (post-0019 + assessment) - NET-WP-0019 (T06-adjacent user lifecycle dry-run polish; advanced control surface, evidence, claims for T06/T07/T08)
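Review bot: The temporary exception in the added bullet ("temp exception with owner/review 2026-07-02 per .local and console gates") gives a review date but names no owner and does not say what happens if that date passes with "production sink ready=false" still true. The same bullet calls this file the source of truth per ADR-001, so the owner and the expiry behaviour should be stated here rather than deferred to .local/security-bootstrap.json and the console gates. The list of tracking artifacts also includes "/tmp evidence", and /tmp is commonly cleared on reboot or by cleanup jobs. If that evidence is meant to feed the T03 retrospective and gap matrix, say where it is copied for retention, or drop it from the list. As a style point, the bullet carries three separate things (the artifacts used for tracking, the accepted risk and its exception, and the cross-system correlation follow-up); splitting it into sub-bullets would let T02 and T03 reference each part on its own.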