From 6e0594616399f4153707654756a707e7f6a3c72a Mon Sep 17 00:00:00 2001 From: tegwick Date: Wed, 3 Jun 2026 16:17:46 +0200 Subject: [PATCH] docs(NET-WP-0018): add explicit guidance in Coordination Notes on using pragmatic auditing/tracking infra (State Hub progress/decisions, workplan dated notes, git, console evidence/metadata, local audit) during 0018 implementation to feed T03 retrospective + optimization review - References existing audit_core bootstrap risk acceptance (production sink deferred) - Cross-refs T03 gap matrix (includes audit), T02 (document current pragmatic audit paths), assessment gap 7 (correlation), local-identity/audit.py, contract requirements - Answers query: pragmatic is sufficient and intended for tracking the workplan work + retrospect; do not block on establishing full production Audit Core first (risk accepted for bootstrap phase) - Per session protocol + ADR-001 (file first) --- ...bootstrap-automation-and-rebuild-readiness.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/workplans/NET-WP-0018-bootstrap-automation-and-rebuild-readiness.md b/workplans/NET-WP-0018-bootstrap-automation-and-rebuild-readiness.md index d0d6fbb..1f85cf1 100644 --- a/workplans/NET-WP-0018-bootstrap-automation-and-rebuild-readiness.md +++ b/workplans/NET-WP-0018-bootstrap-automation-and-rebuild-readiness.md 
@@ -62,6 +62,22 @@ say which interactions remain genuinely unavoidable. - Treat interactive prompts as an explicit design boundary: automate everything that can be automated safely, and document why each remaining human action is required. +- Pragmatic auditing / tracking for implementing *this workplan*: use State Hub + /progress/ (and /decisions/ for key choices e.g. during T02/T04), dated notes + + task status in this file (source of truth per ADR-001), descriptive git + commits, console evidence/validators + .local/security-bootstrap.json when + exercising paths, /tmp evidence, and runbooks. These artifacts (plus bumps + encountered while doing T02–T08) directly feed T03 retrospective and gap + matrix (which explicitly covers "audit" among other items). This enables + post-impl review for optimization potential without requiring production + Audit Core first. See audit_core_* fields in metadata (bootstrap risk + accepted=true; production sink ready=false; temp exception with owner/review + 2026-07-02 per .local and console gates). Proper cross-system audit + correlation (UE + flex-auth + platform sinks per contract/assessment gap 7) + remains a follow-up; document current pragmatic paths (local-identity/audit.py + TSV, OpenBao PVC + mock, State Hub/console evidence, separate bootstrap + audit) in T02 arch doc and T03 matrix. Do not block 0018 start on full Audit + Core. ## Related (post-0019 + assessment) - NET-WP-0019 (T06-adjacent user lifecycle dry-run polish; advanced control surface, evidence, claims for T06/T07/T08)
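Review bot: The artifact list in the added bullet includes "/tmp evidence" as one of the inputs to the T03 retrospective, but /tmp is not a retained location. Because this same bullet defers production Audit Core, the pragmatic trail is the only record for the bootstrap phase, so anything left only in /tmp can be lost or changed before T03 reads it. Suggest stating that /tmp evidence must be copied or referenced (path plus a hash, for example) in a dated note in this file or in State Hub /progress/ before the session closes. Separately, the exception text "temp exception with owner/review 2026-07-02" gives the review date but not the owner, and it duplicates a value that the bullet says lives in the audit_core_* metadata. Either name the owner here or point only at the metadata field, so the workplan and .local/security-bootstrap.json cannot drift apart. The bullet also packs the tracking instruction, the risk acceptance, and the follow-up on cross-system correlation into one item. Splitting it into three sub-bullets would make the "Do not block 0018 start on full Audit Core" decision easier to find.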