Review OpenBao onboarding readiness workplans

workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md

@@ -8,7 +8,7 @@ status: active
 owner: codex
 topic_slug: netkingdom
 created: "2026-05-24"
-updated: "2026-05-24"
+updated: "2026-05-26"
 depends_on:
   - NK-WP-0006
   - NK-WP-0012
@@ -111,7 +111,7 @@ blocked under T03.
 
 ```task
 id: NET-WP-0015-T03
-status: blocked
+status: done
 priority: high
 state_hub_task_id: "56a6266a-4acd-41e6-a395-85e90a5c35c6"
 ```
@@ -353,11 +353,17 @@ metadata. It also detects encrypted bootstrap bundle presence and plaintext
 `sso-mfa/bootstrap/secrets/` exposure. This is the intended foundation for
 trial-mode, custody-mode, unlock/apply, and later OpenBao handover flows.
 
+**2026-05-26:** Closed this custody-approval task after review against the
+live bootstrap metadata: `platform-root` is recorded as the king credential,
+MFA and KeyCape OIDC login are verified, and `temporary-single-king` custody is
+explicitly approved for the pre-production OpenBao bootstrap. Remaining
+hardening and user-onboarding readiness work is tracked in `NET-WP-0017`.
+
 ### T04 - Complete Railiance OpenBao Bootstrap Ceremony
 
 ```task
 id: NET-WP-0015-T04
-status: blocked
+status: done
 priority: high
 state_hub_task_id: "2102366e-064b-4071-8b6a-574d9d37d109"
 ```
@@ -367,11 +373,19 @@ the king credential model, enable audit and the first mounts/policies, create a
 non-root `platform-admin` access path, and revoke or offline-escrow the initial
 root token.
 
+**2026-05-26:** Closed the bootstrap ceremony portion after live verification:
+Railiance OpenBao is initialized, unsealed, and post-unseal verified; initial
+configuration was applied; the initial OpenBao root token is recorded as
+revoked; trial unseal shares were rotated; and restore-drill confirmation is
+recorded in the bootstrap metadata. Declarative audit/durable audit shipping
+and routine OIDC admin access remain follow-up readiness gates under
+`NET-WP-0017` and `RAIL-PL-WP-0002`.
+
 ### T05 - Provision First NetKingdom Admin Identity
 
 ```task
 id: NET-WP-0015-T05
-status: todo
+status: done
 priority: high
 state_hub_task_id: "d2a81d7b-9964-4bd5-9b8c-ef1324e02cd4"
 ```
@@ -383,6 +397,12 @@ for `platform-root`, `platform-admin`, `netkingdom-admin`, and
 `railiance-platform-admin`. `tegwick` may receive delegated day-to-day admin
 roles later, but must be revocable without losing root custody.
 
+**2026-05-26:** Closed for the bootstrap identity scope: the dedicated
+`platform-root` user is recorded as created, assigned to
+`net-kingdom-admins`, stored outside this repo, enrolled for MFA, and verified
+through KeyCape OIDC. Richer IAM-profile claims for ordinary user onboarding
+remain part of the user-onboarding readiness work in `NET-WP-0017`.
+
 ### T06 - Bind OpenBao Admin Auth To NetKingdom IAM
 
 ```task
@@ -396,11 +416,18 @@ Replace temporary operator tokens with NetKingdom IAM-backed OpenBao admin
 auth when the issuer and claim mapping are ready. The OpenBao root token must
 not be the normal admin path.
 
+**2026-05-26:** The KeyCape `openbao-admin` client is code-defined, patched
+into the live `keycape-config` Secret, rolled out, and verified without
+requiring decrypted bootstrap secrets. This task remains in progress because
+OpenBao `auth/keycape` still needs the fixed helper command to complete and
+the MFA-backed `bao login -method=oidc -path=keycape role=platform-admin` path
+still needs verification.
+
 ### T07 - Verify Recovery, Audit, And Rotation
 
 ```task
 id: NET-WP-0015-T07
-status: todo
+status: in_progress
 priority: medium
 state_hub_task_id: "aa40cbb4-36d3-405d-b59d-0c21ae8c9539"
 ```
@@ -409,6 +436,11 @@ Confirm snapshot/restore drill, durable audit-log handling, root-token
 disposition, unseal/recovery rotation expectations, and the follow-up owner
 for adding at least one additional human escrow holder.
 
+**2026-05-26:** Root-token disposition, unseal-key rotation, post-unseal
+verification, and restore-drill confirmation are recorded. This task remains
+open for declarative audit configuration/durable audit shipping, residual
+taint-response closeout, and the next independent escrow holder.
+
 ### T08 - Reset, Rotate, And Reopen Under King Oversight
 
 ```task

workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md

@@ -0,0 +1,192 @@
+---
+id: NET-WP-0017
+type: workplan
+title: "IT Security Readiness For User Onboarding"
+domain: netkingdom
+repo: net-kingdom
+status: active
+owner: codex
+topic_slug: netkingdom
+created: "2026-05-26"
+updated: "2026-05-26"
+depends_on:
+  - NET-WP-0015
+  - NET-WP-0016
+  - RAIL-PL-WP-0002
+---
+
+# NET-WP-0017 - IT Security Readiness For User Onboarding
+
+## Goal
+
+Finish the remaining NetKingdom and Railiance security setup needed before
+ordinary platform users, tenant admins, or fabric admins are onboarded.
+
+`NET-WP-0015` established the king credential, OpenBao bootstrap ceremony, and
+guided control surface. This workplan is the narrower finish-line plan: routine
+admin access must use NetKingdom identity, bootstrap-era material must be
+retired or explicitly accepted, audit/recovery posture must be credible, and a
+first non-root onboarding dry run must prove the lifecycle model.
+
+## Current Evidence
+
+- `platform-root` exists in LLDAP, belongs to `net-kingdom-admins`, has MFA,
+  and completed KeyCape OIDC login.
+- Railiance OpenBao is initialized, unsealed, and post-unseal verified.
+- OpenBao initial configuration was applied; `platform/` KV and Kubernetes auth
+  exist.
+- The initial OpenBao root token is recorded as revoked.
+- Trial unseal shares were rotated.
+- The KeyCape `openbao-admin` client is live and verified.
+- OpenBao OIDC auth configuration and MFA-backed OpenBao admin login are still
+  pending.
+- Declarative/durable audit handling, residual taint closeout, cleanup/rotation,
+  and the first ordinary-user onboarding dry run are still pending.
+
+## Tasks
+
+### T01 - Finish OIDC-Backed OpenBao Admin Login
+
+```task
+id: NET-WP-0017-T01
+status: in_progress
+priority: high
+```
+
+Run the fixed OpenBao OIDC helper, record the non-secret completion flag, then
+verify `platform-root` can complete:
+
+```bash
+bao login -method=oidc -path=keycape role=platform-admin
+```
+
+The verification must prove the resulting OpenBao token has the intended
+`platform-admin` policy without relying on the initial root token or a manually
+minted temporary operator token.
+
+### T02 - Close OpenBao Audit And Recovery Production Gates
+
+```task
+id: NET-WP-0017-T02
+status: todo
+priority: high
+```
+
+Resolve the remaining OpenBao production-trust gates:
+
+- configure audit declaratively if API-managed audit remains rejected;
+- confirm where audit logs are durably shipped beyond the audit PVC;
+- retain non-secret restore-drill evidence and repeat the drill if any
+  material changed;
+- record emergency seal/unseal drill evidence; and
+- identify the next independent escrow holder for moving beyond temporary
+  single-king custody.
+
+### T03 - Close Trial Taint And Retire Bootstrap Admin Paths
+
+```task
+id: NET-WP-0017-T03
+status: todo
+priority: high
+```
+
+Review all access paths created during the trial exposure and record the
+compromise response complete only after the operator has either rotated,
+revoked, reset, or explicitly accepted residual risk for:
+
+- temporary OpenBao `platform-admin` tokens;
+- bootstrap/root-token-derived paths;
+- early LLDAP/Authelia/KeyCape admin credentials;
+- local plaintext secret workspaces;
+- bootstrap service tokens; and
+- any copied command output or local shell history that may contain secret
+  values.
+
+### T04 - Harden Bootstrap Infrastructure Before User Onboarding
+
+```task
+id: NET-WP-0017-T04
+status: todo
+priority: high
+```
+
+Complete the minimum hardening before ordinary users are onboarded:
+
+- restrict direct administrative access to LLDAP and privacyIDEA to approved
+  operator networks or tunnels;
+- verify no privileged login path bypasses MFA for platform-admin authority;
+- rotate or reset bootstrap-era database, admin, and service credentials that
+  were created before custody was established;
+- confirm host/workload checks and vulnerability scans are run or explicitly
+  deferred with owner/date; and
+- update the bootstrap console state to `cleanup_complete` only when these
+  checks are recorded.
+
+### T05 - Implement First User Lifecycle Operator Flow
+
+```task
+id: NET-WP-0017-T05
+status: todo
+priority: high
+```
+
+Turn the documented user lifecycle UX into the first practical operator flow
+for:
+
+- onboarding a scoped non-root user;
+- temporarily locking that user;
+- permanently offboarding that user;
+- reviewing credentials and MFA state; and
+- creating a fabric/tenant admin without platform-root authority.
+
+The flow can begin as console/UI action cards, but it must show effective
+access before saving and must not expose secrets.
+
+### T06 - Run A Non-Root Onboarding Dry Run
+
+```task
+id: NET-WP-0017-T06
+status: todo
+priority: high
+```
+
+Create a test or first real non-root user using the new lifecycle flow. Verify:
+
+- LLDAP identity and groups;
+- MFA enrollment through privacyIDEA;
+- KeyCape OIDC claims;
+- expected application or platform scope;
+- no platform-root or OpenBao root authority;
+- lock/offboard path can be exercised or simulated; and
+- non-secret audit/progress evidence is recorded.
+
+This is the final gate before declaring the platform ready for normal user
+onboarding.
+
+### T07 - Review And Retire Superseded Bootstrap Workplans
+
+```task
+id: NET-WP-0017-T07
+status: todo
+priority: medium
+```
+
+After T01-T06 complete, review `NET-WP-0015`, `NET-WP-0016`,
+`RAIL-PL-WP-0002`, and older NetKingdom credential/bootstrap workplans.
+Mark completed work finished or archived, and leave only longer-horizon items
+such as multi-custodian upgrade, enterprise federation, dynamic database
+credentials, object-storage STS vending, and application onboarding contracts.
+
+## Acceptance Criteria
+
+- Routine OpenBao administration works through NetKingdom/KeyCape OIDC and MFA.
+- The initial root token and temporary OpenBao admin tokens are not normal
+  operating paths.
+- Audit, recovery, emergency seal, and restore evidence are recorded without
+  secret values.
+- Bootstrap-era privileged credentials have been rotated, reset, revoked, or
+  explicitly accepted as residual risk.
+- A non-root user onboarding dry run succeeds and proves lock/offboard/review
+  paths.
+- The bootstrap console can honestly move beyond Admin Identity Integration
+  into cleanup and reopening.