NET-WP-0020 finished: attended-ceremony + auto-unseal-transit profiles, greenfield init/unseal proof

T2: greenfield live proof against a fresh uninitialized OpenBao 2.5.5 —
caught and fixed 'bao operator unseal -' not reading stdin (now
'bao write sys/unseal key=-'); init and reseal-replay paths proven.
T3: attended-ceremony selectable — runbook, non-secret ceremony-record
template + validator, and a lab/production deployment profile that blocks
sops-held-automation in console selection, gates, and the init script.
T4: console gate + evidence flags for auto-unseal-transit (Helm seal stanza
prepared in railiance-platform).
Also: SCOPE.md refreshed to current repo state; adhoc fix for the broken
check-secrets Make target (unescaped $).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
2026-07-02 22:08:33 +02:00
parent 60b9d7037d
commit 85a781b7a4
10 changed files with 564 additions and 69 deletions

View File

@@ -22,13 +22,21 @@ NetKingdom is a self-optimizing security platform for Kubernetes-based IT infras
- NetKingdom IAM Profile specification (versioned OIDC/PKCE contract;
canonical spec: `canon/standards/iam-profile_v0.2.md`)
- SSO/MFA Platform: Keycloak with LDAP/Entra federation, enterprise identity (NK-WP-0001)
- Local Identity: file-based user store + minimal OIDC server for bootstrap phase (NK-WP-0002)
- SSO/MFA Platform: Keycloak with LDAP/Entra federation, enterprise identity (NK-WP-0001, finished)
- Local Identity: file-based user store + minimal OIDC server for bootstrap phase (NK-WP-0002, finished)
- User Engine Boundary Contract: source-of-truth, membership,
application-onboarding, projection, authorization, and audit contracts for
`user-engine` integration (`canon/standards/user-engine-boundary-contract_v0.1.md`)
- Security bootstrapping: credential management, SOPS/age integration,
platform-root custody, OpenBao runtime secret authority
- OpenBao init/unseal custody models (NET-WP-0020): `sops-held-automation`
(lab, unattended greenfield rebuilds via `creds-bootstrap-agent` Phase 7b),
`attended-ceremony` (production, runbook + non-secret evidence records), and
`auto-unseal-transit` (production HA; seal stanza lives in
railiance-platform) — all gated by the security bootstrap console and a
lab/production deployment profile
- Security bootstrap console (`tools/security-bootstrap-console/`): custody
gates, roster, evidence validators, refuse-live-init boundary
- Architectural decisions (DECISIONS.md): identity source, secrets, GitOps, bootstrap user store
---
@@ -62,9 +70,17 @@ NetKingdom is a self-optimizing security platform for Kubernetes-based IT infras
## Current State
- Status: active (design phase complete, implementation ongoing)
- Implementation: emerging — NK-WP-0001 (SSO/MFA) and NK-WP-0002 (local identity) both in active development
- Stability: evolving
- Status: active — core identity and bootstrap phases delivered; follow-on work proposed
- Implementation: NK-WP-0001 (SSO/MFA), NK-WP-0002 (local identity), the
security bootstrap arc (NET-WP-00150017, 0019), the IAM Profile spec
(NK-WP-0012), user-engine boundary contracts (NK-WP-0014), and OpenBao
unseal custody + SSH automation (NET-WP-0020) are all finished — see
`workplans/archived/`
- Open: NK-WP-0009 (security pattern tutorials) and NK-WP-0011 (enterprise
federation / SAML) are proposed, not yet started
- Stability: stabilizing — bootstrap/custody tooling is live-proven (greenfield
OpenBao init/unseal proof 2026-07-02); production custody models are gated
by evidence
- Usage: foundational authentication layer for all NetKingdom deployments
---
@@ -108,6 +124,13 @@ description: Enterprise-grade Keycloak-based SSO with LDAP/Entra federation, MFA
keywords: [sso, mfa, keycloak, ldap, entra, federation, oidc, enterprise]
```
```capability
type: security
title: OpenBao unseal custody models and bootstrap automation
description: Three gated init/unseal custody models — SOPS-held automation for unattended lab rebuilds (greenfield-proven), attended ceremony with non-secret evidence records for production, and transit/KMS auto-unseal for production HA — enforced by the security bootstrap console and a lab/production deployment profile.
keywords: [openbao, unseal, custody, bootstrap, sops, age, ceremony, transit, auto-unseal, console]
```
```capability
type: security
title: Bootstrap local identity service
@@ -121,9 +144,12 @@ keywords: [bootstrap, local-identity, oidc, minimal, dev, sandbox]
- Start with: `wiki/` (specifications and decisions), `DECISIONS.md` (key architectural choices D1D5)
- Key files / directories: `docs/platform-root-custody.md`, `sso-mfa/`
(NK-WP-0001 active workplan), `local-identity/` (NK-WP-0002),
`workplans/`
- Entry points: `workplans/NK-WP-0001-sso-mfa-platform.md` and `NK-WP-0002-local-identity.md` for current work
(SSO/MFA platform + bootstrap scripts), `local-identity/`,
`tools/security-bootstrap-console/`, `workplans/` (finished plans in
`workplans/archived/`)
- Entry points: `workplans/NK-WP-0009-netkingdom-security-pattern-tutorials.md`
and `workplans/NK-WP-0011-enterprise-federation-saml.md` (proposed next
work); finished context in `workplans/archived/`
- User-domain boundary contract:
`canon/standards/user-engine-boundary-contract_v0.1.md`
- User-engine integration assessment (intent/scope fit, gaps, and recommendations):
@@ -131,5 +157,8 @@ keywords: [bootstrap, local-identity, oidc, minimal, dev, sandbox]
- Bootstrap/custody entry points:
`docs/platform-root-custody.md`,
`docs/security-bootstrap-use-cases.md`,
`workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md`,
and `workplans/NET-WP-0016-guided-security-bootstrap-experience.md`
`docs/openbao-unseal-custody-models.md` (three custody models + deployment
profile), and `docs/openbao-attended-ceremony-runbook.md` (production
ceremony); history of the custody/bootstrap arc in `workplans/archived/`
(NET-WP-00150017, 0019) and
`workplans/NET-WP-0020-openbao-unseal-custody-and-ssh-automation.md`