Finish NET-WP-0015 bootstrap handoff

2026-06-01 21:55:30 +02:00
parent e0c278156f
commit 9a8ec0d9a5
2 changed files with 41 additions and 5 deletions

View File

@@ -4,7 +4,7 @@ type: workplan
title: "King Credential And OpenBao Identity Bootstrap" title: "King Credential And OpenBao Identity Bootstrap"
domain: netkingdom domain: netkingdom
repo: net-kingdom repo: net-kingdom
status: active status: finished
owner: codex owner: codex
topic_slug: netkingdom topic_slug: netkingdom
created: "2026-05-24" created: "2026-05-24"
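Review bot: The workplan status flips to `finished` here, but the only date field visible in this frontmatter is `created: "2026-05-24"`; the closeout date exists only in the body notes. Consider adding a finished/updated date next to `status: finished` so the closeout is machine-readable in the same place as the status.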
@@ -447,7 +447,7 @@ disclosed tokens, both keeping OpenBao token values off the local command line.
```task ```task
id: NET-WP-0015-T07 id: NET-WP-0015-T07
status: in_progress status: done
priority: medium priority: medium
state_hub_task_id: "aa40cbb4-36d3-405d-b59d-0c21ae8c9539" state_hub_task_id: "aa40cbb4-36d3-405d-b59d-0c21ae8c9539"
``` ```
@@ -461,11 +461,19 @@ verification, and restore-drill confirmation are recorded. This task remains
open for declarative audit configuration/durable audit shipping, residual open for declarative audit configuration/durable audit shipping, residual
taint-response closeout, and the next independent escrow holder. taint-response closeout, and the next independent escrow holder.
**2026-06-01:** Closed for the bootstrap handoff scope. The bootstrap plan has
confirmed the available recovery/audit/rotation evidence and, more
importantly, now has explicit production-readiness follow-up gates:
`NET-WP-0017-T02` owns declarative/durable audit, restore evidence,
emergency seal/unseal drill evidence, and the next independent escrow holder;
`NET-WP-0017-T03` owns residual taint closeout. These items are no longer
tracked as unfinished bootstrap ceremony work.
### T08 - Reset, Rotate, And Reopen Under King Oversight ### T08 - Reset, Rotate, And Reopen Under King Oversight
```task ```task
id: NET-WP-0015-T08 id: NET-WP-0015-T08
status: todo status: done
priority: high priority: high
state_hub_task_id: "e6a60dca-547b-4493-a36c-f6b668d1bf52" state_hub_task_id: "e6a60dca-547b-4493-a36c-f6b668d1bf52"
``` ```
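Review bot: The unchanged context directly above the new 2026-06-01 paragraph still reads "This task remains open for declarative audit configuration/durable audit shipping, residual taint-response closeout, and the next independent escrow holder", so T07 now says both "remains open" and `status: done` in the same task body. Reword that sentence to past tense or mark it as superseded by the `NET-WP-0017-T02`/`NET-WP-0017-T03` handoff. The new paragraph also states the plan "confirmed the available recovery/audit/rotation evidence" without saying where that evidence is recorded; a pointer to it would make the `done` status auditable rather than asserted.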
@@ -475,6 +483,26 @@ database credentials, admin passwords, service tokens, OpenBao tokens, and
temporary access paths. Run host/workload checks and reopen the platform only temporary access paths. Run host/workload checks and reopen the platform only
after the new custody state is verified. after the new custody state is verified.
**2026-06-01:** Closed as a bootstrap-plan handoff rather than as a claim that
all production cleanup is complete. `NET-WP-0017-T03` owns retirement of
bootstrap admin paths and residual taint response, `NET-WP-0017-T04` owns
bootstrap-era credential rotation/reset plus host/workload checks, and
`NET-WP-0017-T07` owns final review and retirement/archive of superseded
bootstrap workplans. `NET-WP-0018` will turn those gates into a smoother
bootstrap guide, control-surface automation, validations, and rebuild-risk
assessment.
## Closeout
**2026-06-01:** `NET-WP-0015` is finished. The first safe bridge is in place:
the dedicated `platform-root` identity exists outside day-to-day operator use,
custody mode is recorded, OpenBao was initialized and configured under the
bootstrap ceremony, the initial root token is not the normal admin path, and
routine OpenBao administration now works through NetKingdom/KeyCape OIDC with
MFA and the `platform-admin` policy. Remaining production-readiness work is
explicitly tracked in `NET-WP-0017`; rebuild automation and validation
improvements are tracked in `NET-WP-0018`.
## Acceptance Criteria ## Acceptance Criteria
- The setup operator and king credential model are recorded without secret - The setup operator and king credential model are recorded without secret
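Review bot: Marking T08 `done` drops this task's own reopen gate ("reopen the platform only after the new custody state is verified") while the credential rotation/reset that the gate depends on is handed to `NET-WP-0017-T04`. The Closeout paragraph should state whether the platform is currently reopened on bootstrap-era credentials, and the same gate should appear in T04's acceptance criteria so it does not disappear in the handoff. The Closeout also says the initial root token "is not the normal admin path" but not what happened to it; record its disposition (revoked, or which custody holds it) alongside the custody-mode statement.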

View File

@@ -4,7 +4,7 @@ type: workplan
title: "Bootstrap Automation And Rebuild Readiness" title: "Bootstrap Automation And Rebuild Readiness"
domain: netkingdom domain: netkingdom
repo: net-kingdom repo: net-kingdom
status: ready status: active
owner: codex owner: codex
topic_slug: netkingdom topic_slug: netkingdom
created: "2026-06-01" created: "2026-06-01"
@@ -69,7 +69,7 @@ say which interactions remain genuinely unavoidable.
```task ```task
id: NET-WP-0018-T01 id: NET-WP-0018-T01
status: todo status: done
priority: high priority: high
state_hub_task_id: "7ff22629-838b-41df-9feb-bb36c5d57cc1" state_hub_task_id: "7ff22629-838b-41df-9feb-bb36c5d57cc1"
``` ```
@@ -83,6 +83,14 @@ Done when `NET-WP-0015` is either finished and ready to archive, or its
remaining tasks have precise owners, target workplans, and non-duplicative remaining tasks have precise owners, target workplans, and non-duplicative
acceptance criteria. acceptance criteria.
**2026-06-01:** Completed. `NET-WP-0015` was scope-closed as finished after
the OpenBao admin bridge was proven through KeyCape/MFA. Its remaining
production-readiness concerns were reconciled into `NET-WP-0017`: T02 owns
audit, restore, emergency drill evidence, and escrow; T03/T04 own bootstrap
path retirement and credential reset/rotation; T07 owns final archive review.
`NET-WP-0018` now continues with architecture documentation, retrospective,
guide, UI automation, validations, and rebuild-risk assessment.
### T02 - Document The Runtime Architecture ### T02 - Document The Runtime Architecture
```task ```task
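Review bot: The acceptance criterion above has two branches ("finished and ready to archive" or "remaining tasks have precise owners, target workplans, and non-duplicative acceptance criteria"), and the completion note satisfies neither cleanly: `NET-WP-0015` is called finished, yet its archive review is deferred to `NET-WP-0017` T07 and its remaining concerns are reconciled into T02/T03/T04. Say explicitly which branch is being claimed, and for the second branch point to the `NET-WP-0017` acceptance criteria that show the moved items are non-duplicative, since that is what T01 is declared done against.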