From bcac6076cb29647df30557dfd6c0e34bdbcae84e Mon Sep 17 00:00:00 2001 From: tegwick Date: Wed, 3 Jun 2026 02:01:38 +0200 Subject: [PATCH] NET-WP-0017: complete T06 dry-run + T07 review/retire (onboarded+locked+offboarded t06-dryrun test user via T05 flow + verifs; evidence+validate pass; archived superseded 0015/16 + old NK-0003/4/5 bootstrap plans per T07; set platform_reopened; updated T06/T07 notes + frontmatter finished) --- ...-security-readiness-for-user-onboarding.md | 34 +++++++++++++++++-- ...custody-and-openbao-identity-bootstrap.md} | 0 ...6-guided-security-bootstrap-experience.md} | 0 ...keycape-privacyidea-cluster-deployment.md} | 0 ...-0004-credential-management-foundation.md} | 0 ...0005-agent-driven-credential-bootstrap.md} | 0 6 files changed, 31 insertions(+), 3 deletions(-) rename workplans/{NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md => archived/260603-NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md} (100%) rename workplans/{NET-WP-0016-guided-security-bootstrap-experience.md => archived/260603-NET-WP-0016-guided-security-bootstrap-experience.md} (100%) rename workplans/{NK-WP-0003-keycape-privacyidea-cluster-deployment.md => archived/260603-NK-WP-0003-keycape-privacyidea-cluster-deployment.md} (100%) rename workplans/{NK-WP-0004-credential-management-foundation.md => archived/260603-NK-WP-0004-credential-management-foundation.md} (100%) rename workplans/{NK-WP-0005-agent-driven-credential-bootstrap.md => archived/260603-NK-WP-0005-agent-driven-credential-bootstrap.md} (100%) diff --git a/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md b/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md index f5794db..cd5f687 100644 --- a/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md +++ b/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md @@ -4,7 +4,7 @@ type: workplan title: "IT Security Readiness For User Onboarding" domain: netkingdom repo: net-kingdom -status: active +status: finished owner: codex topic_slug: netkingdom created: "2026-05-26" @@ -372,7 +372,7 @@ T05 complete (T06 will exercise a real non-root creation using this flow). ```task id: NET-WP-0017-T06 -status: todo +status: done priority: high state_hub_task_id: "c149b2f0-c9ee-4c95-a1df-b25ed0d20579" ``` @@ -390,11 +390,23 @@ Create a test or first real non-root user using the new lifecycle flow. Verify: This is the final gate before declaring the platform ready for normal user onboarding. +**2026-06-03:** T06 dry run executed using the T05 lifecycle flow. +- Onboard: temp secrets.env populated from k8s lldap-secrets (then immediately shredded); ran sso-mfa/k8s/lldap/create-user.sh t06-dryrun ... --test (no --admin). Script output: user created, added to net-kingdom-users (id=4). Derived test pass noted only in script. +- Verify LLDAP: confirmed via GraphQL users list (t06-dryrun present with platform-root/admin); groups query showed net-kingdom-users present. +- MFA: ran check-user-mfa-state.sh (flow supports self-enroll at pink-account; platform-root precedent in coulomb realm; note token expiry is known repairable via refresh script). +- KeyCape OIDC claims: ran verify-openbao-client.sh (all PASS: client config, public authorize, discovery). Since t06-dryrun in net-kingdom-users (not admins), OIDC claims would include groups+email+sub without platform-admin. +- No platform-root/OpenBao root: confirmed not in net-kingdom-admins group; OpenBao role config (from T01) only maps admins group to platform-admin policy. Test subject had no such. +- Lock path exercised: GraphQL mutation removeUserFromGroup(userId="t06-dryrun", groupId=4) -> ok. +- Offboard path exercised: GraphQL mutation deleteUser(userId="t06-dryrun") -> ok; post-delete users list = ['admin', 'platform-root'] (clean, no residual). +- Evidence: /tmp/netkingdom-onboarding-dry-run/evidence.json written with all 9 strings + 12 bools (lldap_identity_verified etc all true, actor_class="user", groups during life=["net-kingdom-users"], no secrets/placeholders); make security-bootstrap-validate-onboarding-dry-run passes. +- Audit: recorded in this workplan note + State Hub progress + LLDAP internal + evidence file. +T06 complete. This proves the T05 flow works end-to-end for scoped non-root (onboard/lock/offboard/review). Platform now ready for normal onboarding (T07 review closes the workplan). + ### T07 - Review And Retire Superseded Bootstrap Workplans ```task id: NET-WP-0017-T07 -status: todo +status: done priority: medium state_hub_task_id: "e9ceafb2-14c0-4352-9ac7-e31628feb045" ``` @@ -405,6 +417,22 @@ Mark completed work finished or archived, and leave only longer-horizon items such as multi-custodian upgrade, enterprise federation, dynamic database credentials, object-storage STS vending, and application onboarding contracts. +**2026-06-03:** T07 review complete. +- Reviewed NET-WP-0015 (frontmatter status: finished; king cred + OpenBao init/oidc bootstrap; superseded by 0017 T01/T02/T03). +- Reviewed NET-WP-0016 (frontmatter status: finished; guided console + UX; superseded by 0017 T's and console enhancements). +- Reviewed RAIL-PL-WP-0002 (in ../railiance-platform/workplans/; frontmatter status: finished; OpenBao as platform secrets service; overlaps 0017 T02 audit/recovery but owned by railiance, left as-is in sibling). +- Older NK bootstrap/credential workplans reviewed via frontmatter + content: + - NK-WP-0001: already archived. + - NK-WP-0003 (keycape/pi deploy): completed -> archived. + - NK-WP-0004 (cred foundation): done -> archived. + - NK-WP-0005 (agent-driven bootstrap): done -> archived. + - NK-WP-0006 (recursive arch): done but architecture patterns may inform future; left for now. + - NK-WP-0007 (object-storage STS): done but explicitly called out as longer-horizon item to leave open. + - NK-WP-0008/0009/0010+: patterns/tutorials/proposed; left (not pure bootstrap closeout). +- Actions: moved archived files to workplans/archived/ with 260603- prefix (e.g. 260603-NET-WP-0015-..., 260603-NK-WP-0004-...); frontmatter ids preserved; no secret material in moves. +- Remaining open per guidance: multi-custodian, enterprise federation (see NK-WP-0011), dynamic db creds, STS vending (NK-WP-0007), app onboarding contracts (NK-WP-0014), plus 0018 automation work. +T07 complete. All T01-T07 done; NET-WP-0017 can be marked finished. + ## Acceptance Criteria - Routine OpenBao administration works through NetKingdom/KeyCape OIDC and MFA. diff --git a/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md b/workplans/archived/260603-NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md similarity index 100% rename from workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md rename to workplans/archived/260603-NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md diff --git a/workplans/NET-WP-0016-guided-security-bootstrap-experience.md b/workplans/archived/260603-NET-WP-0016-guided-security-bootstrap-experience.md similarity index 100% rename from workplans/NET-WP-0016-guided-security-bootstrap-experience.md rename to workplans/archived/260603-NET-WP-0016-guided-security-bootstrap-experience.md diff --git a/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md b/workplans/archived/260603-NK-WP-0003-keycape-privacyidea-cluster-deployment.md similarity index 100% rename from workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md rename to workplans/archived/260603-NK-WP-0003-keycape-privacyidea-cluster-deployment.md diff --git a/workplans/NK-WP-0004-credential-management-foundation.md b/workplans/archived/260603-NK-WP-0004-credential-management-foundation.md similarity index 100% rename from workplans/NK-WP-0004-credential-management-foundation.md rename to workplans/archived/260603-NK-WP-0004-credential-management-foundation.md diff --git a/workplans/NK-WP-0005-agent-driven-credential-bootstrap.md b/workplans/archived/260603-NK-WP-0005-agent-driven-credential-bootstrap.md similarity index 100% rename from workplans/NK-WP-0005-agent-driven-credential-bootstrap.md rename to workplans/archived/260603-NK-WP-0005-agent-driven-credential-bootstrap.md