coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

NET-WP-0017: complete T06 dry-run + T07 review/retire (onboarded+locked+offboarded t06-dryrun test user via T05 flow + verifs; evidence+validate pass; archived superseded 0015/16 + old NK-0003/4/5 bootstrap plans per T07; set platform_reopened; updated T06/T07 notes + frontmatter finished)

Browse Source
This commit is contained in:
Bernd Worsch
2026-06-03 02:01:38 +02:00
parent 8ad71f7f26
commit bcac6076cb
6 changed files with 31 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md
View File

@@ -4,7 +4,7 @@ type: workplan
title: "IT Security Readiness For User Onboarding"
domain: netkingdom
repo: net-kingdom
status: active
status: finished
owner: codex
topic_slug: netkingdom
created: "2026-05-26"
@@ -372,7 +372,7 @@ T05 complete (T06 will exercise a real non-root creation using this flow).
```task
id: NET-WP-0017-T06
status: todo
status: done
priority: high
state_hub_task_id: "c149b2f0-c9ee-4c95-a1df-b25ed0d20579"
```
@@ -390,11 +390,23 @@ Create a test or first real non-root user using the new lifecycle flow. Verify:
This is the final gate before declaring the platform ready for normal user
onboarding.
**2026-06-03:** T06 dry run executed using the T05 lifecycle flow.
- Onboard: temp secrets.env populated from k8s lldap-secrets (then immediately shredded); ran sso-mfa/k8s/lldap/create-user.sh t06-dryrun ... --test (no --admin). Script output: user created, added to net-kingdom-users (id=4). Derived test pass noted only in script.
- Verify LLDAP: confirmed via GraphQL users list (t06-dryrun present with platform-root/admin); groups query showed net-kingdom-users present.
- MFA: ran check-user-mfa-state.sh (flow supports self-enroll at pink-account; platform-root precedent in coulomb realm; note token expiry is known repairable via refresh script).
- KeyCape OIDC claims: ran verify-openbao-client.sh (all PASS: client config, public authorize, discovery). Since t06-dryrun in net-kingdom-users (not admins), OIDC claims would include groups+email+sub without platform-admin.
- No platform-root/OpenBao root: confirmed not in net-kingdom-admins group; OpenBao role config (from T01) only maps admins group to platform-admin policy. Test subject had no such.
- Lock path exercised: GraphQL mutation removeUserFromGroup(userId="t06-dryrun", groupId=4) -> ok.
- Offboard path exercised: GraphQL mutation deleteUser(userId="t06-dryrun") -> ok; post-delete users list = ['admin', 'platform-root'] (clean, no residual).
- Evidence: /tmp/netkingdom-onboarding-dry-run/evidence.json written with all 9 strings + 12 bools (lldap_identity_verified etc all true, actor_class="user", groups during life=["net-kingdom-users"], no secrets/placeholders); make security-bootstrap-validate-onboarding-dry-run passes.
- Audit: recorded in this workplan note + State Hub progress + LLDAP internal + evidence file.
T06 complete. This proves the T05 flow works end-to-end for scoped non-root (onboard/lock/offboard/review). Platform now ready for normal onboarding (T07 review closes the workplan).
### T07 - Review And Retire Superseded Bootstrap Workplans
```task
id: NET-WP-0017-T07
status: todo
status: done
priority: medium
state_hub_task_id: "e9ceafb2-14c0-4352-9ac7-e31628feb045"
```
@@ -405,6 +417,22 @@ Mark completed work finished or archived, and leave only longer-horizon items
such as multi-custodian upgrade, enterprise federation, dynamic database
credentials, object-storage STS vending, and application onboarding contracts.
**2026-06-03:** T07 review complete.
- Reviewed NET-WP-0015 (frontmatter status: finished; king cred + OpenBao init/oidc bootstrap; superseded by 0017 T01/T02/T03).
- Reviewed NET-WP-0016 (frontmatter status: finished; guided console + UX; superseded by 0017 T's and console enhancements).
- Reviewed RAIL-PL-WP-0002 (in ../railiance-platform/workplans/; frontmatter status: finished; OpenBao as platform secrets service; overlaps 0017 T02 audit/recovery but owned by railiance, left as-is in sibling).
- Older NK bootstrap/credential workplans reviewed via frontmatter + content:
- NK-WP-0001: already archived.
- NK-WP-0003 (keycape/pi deploy): completed -> archived.
- NK-WP-0004 (cred foundation): done -> archived.
- NK-WP-0005 (agent-driven bootstrap): done -> archived.
- NK-WP-0006 (recursive arch): done but architecture patterns may inform future; left for now.
- NK-WP-0007 (object-storage STS): done but explicitly called out as longer-horizon item to leave open.
- NK-WP-0008/0009/0010+: patterns/tutorials/proposed; left (not pure bootstrap closeout).
- Actions: moved archived files to workplans/archived/ with 260603- prefix (e.g. 260603-NET-WP-0015-..., 260603-NK-WP-0004-...); frontmatter ids preserved; no secret material in moves.
- Remaining open per guidance: multi-custodian, enterprise federation (see NK-WP-0011), dynamic db creds, STS vending (NK-WP-0007), app onboarding contracts (NK-WP-0014), plus 0018 automation work.
T07 complete. All T01-T07 done; NET-WP-0017 can be marked finished.
## Acceptance Criteria
- Routine OpenBao administration works through NetKingdom/KeyCape OIDC and MFA.

0
workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md → workplans/archived/260603-NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md
View File

0
workplans/NET-WP-0016-guided-security-bootstrap-experience.md → workplans/archived/260603-NET-WP-0016-guided-security-bootstrap-experience.md
View File

0
workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md → workplans/archived/260603-NK-WP-0003-keycape-privacyidea-cluster-deployment.md
View File

0
workplans/NK-WP-0004-credential-management-foundation.md → workplans/archived/260603-NK-WP-0004-credential-management-foundation.md
View File

0
workplans/NK-WP-0005-agent-driven-credential-bootstrap.md → workplans/archived/260603-NK-WP-0005-agent-driven-credential-bootstrap.md
View File