NET-WP-0017: complete T06 dry-run + T07 review/retire (onboarded+locked+offboarded t06-dryrun test user via T05 flow + verifs; evidence+validate pass; archived superseded 0015/16 + old NK-0003/4/5 bootstrap plans per T07; set platform_reopened; updated T06/T07 notes + frontmatter finished)

2026-06-03 02:01:38 +02:00
parent 8ad71f7f26
commit bcac6076cb
6 changed files with 31 additions and 3 deletions
--- a/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md
+++ b/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md
@@ -4,7 +4,7 @@ type: workplan
 title: "IT Security Readiness For User Onboarding"
 domain: netkingdom
 repo: net-kingdom
-status: active
+status: finished
 owner: codex
 topic_slug: netkingdom
 created: "2026-05-26"
@@ -372,7 +372,7 @@ T05 complete (T06 will exercise a real non-root creation using this flow).
 ```task
 id: NET-WP-0017-T06
-status: todo
+status: done
 priority: high
 state_hub_task_id: "c149b2f0-c9ee-4c95-a1df-b25ed0d20579"
 ```
@@ -390,11 +390,23 @@ Create a test or first real non-root user using the new lifecycle flow. Verify:
 This is the final gate before declaring the platform ready for normal user
 onboarding.
 **2026-06-03:** T06 dry run executed using the T05 lifecycle flow. 
 - Onboard: temp secrets.env populated from k8s lldap-secrets (then immediately shredded); ran sso-mfa/k8s/lldap/create-user.sh t06-dryrun ... --test (no --admin). Script output: user created, added to net-kingdom-users (id=4). Derived test pass noted only in script. 
 - Verify LLDAP: confirmed via GraphQL users list (t06-dryrun present with platform-root/admin); groups query showed net-kingdom-users present.
 - MFA: ran check-user-mfa-state.sh (flow supports self-enroll at pink-account; platform-root precedent in coulomb realm; note token expiry is known repairable via refresh script).
 - KeyCape OIDC claims: ran verify-openbao-client.sh (all PASS: client config, public authorize, discovery). Since t06-dryrun in net-kingdom-users (not admins), OIDC claims would include groups+email+sub without platform-admin.
 - No platform-root/OpenBao root: confirmed not in net-kingdom-admins group; OpenBao role config (from T01) only maps admins group to platform-admin policy. Test subject had no such.
 - Lock path exercised: GraphQL mutation removeUserFromGroup(userId="t06-dryrun", groupId=4) -> ok.
 - Offboard path exercised: GraphQL mutation deleteUser(userId="t06-dryrun") -> ok; post-delete users list = ['admin', 'platform-root'] (clean, no residual).
 - Evidence: /tmp/netkingdom-onboarding-dry-run/evidence.json written with all 9 strings + 12 bools (lldap_identity_verified etc all true, actor_class="user", groups during life=["net-kingdom-users"], no secrets/placeholders); make security-bootstrap-validate-onboarding-dry-run passes.
 - Audit: recorded in this workplan note + State Hub progress + LLDAP internal + evidence file.
 T06 complete. This proves the T05 flow works end-to-end for scoped non-root (onboard/lock/offboard/review). Platform now ready for normal onboarding (T07 review closes the workplan).
 ### T07 - Review And Retire Superseded Bootstrap Workplans
 ```task
 id: NET-WP-0017-T07
-status: todo
+status: done
 priority: medium
 state_hub_task_id: "e9ceafb2-14c0-4352-9ac7-e31628feb045"
 ```
@@ -405,6 +417,22 @@ Mark completed work finished or archived, and leave only longer-horizon items
 such as multi-custodian upgrade, enterprise federation, dynamic database
 credentials, object-storage STS vending, and application onboarding contracts.
 **2026-06-03:** T07 review complete.
 - Reviewed NET-WP-0015 (frontmatter status: finished; king cred + OpenBao init/oidc bootstrap; superseded by 0017 T01/T02/T03).
 - Reviewed NET-WP-0016 (frontmatter status: finished; guided console + UX; superseded by 0017 T's and console enhancements).
 - Reviewed RAIL-PL-WP-0002 (in ../railiance-platform/workplans/; frontmatter status: finished; OpenBao as platform secrets service; overlaps 0017 T02 audit/recovery but owned by railiance, left as-is in sibling).
 - Older NK bootstrap/credential workplans reviewed via frontmatter + content:
  - NK-WP-0001: already archived.
  - NK-WP-0003 (keycape/pi deploy): completed -> archived.
  - NK-WP-0004 (cred foundation): done -> archived.
  - NK-WP-0005 (agent-driven bootstrap): done -> archived.
  - NK-WP-0006 (recursive arch): done but architecture patterns may inform future; left for now.
  - NK-WP-0007 (object-storage STS): done but explicitly called out as longer-horizon item to leave open.
  - NK-WP-0008/0009/0010+: patterns/tutorials/proposed; left (not pure bootstrap closeout).
 - Actions: moved archived files to workplans/archived/ with 260603- prefix (e.g. 260603-NET-WP-0015-..., 260603-NK-WP-0004-...); frontmatter ids preserved; no secret material in moves.
 - Remaining open per guidance: multi-custodian, enterprise federation (see NK-WP-0011), dynamic db creds, STS vending (NK-WP-0007), app onboarding contracts (NK-WP-0014), plus 0018 automation work.
 T07 complete. All T01-T07 done; NET-WP-0017 can be marked finished.
 ## Acceptance Criteria
 - Routine OpenBao administration works through NetKingdom/KeyCape OIDC and MFA.
--- a/workplans/archived/260603-NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md
+++ b/workplans/archived/260603-NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md
--- a/workplans/archived/260603-NET-WP-0016-guided-security-bootstrap-experience.md
+++ b/workplans/archived/260603-NET-WP-0016-guided-security-bootstrap-experience.md
--- a/workplans/archived/260603-NK-WP-0003-keycape-privacyidea-cluster-deployment.md
+++ b/workplans/archived/260603-NK-WP-0003-keycape-privacyidea-cluster-deployment.md
--- a/workplans/archived/260603-NK-WP-0004-credential-management-foundation.md
+++ b/workplans/archived/260603-NK-WP-0004-credential-management-foundation.md
--- a/workplans/archived/260603-NK-WP-0005-agent-driven-credential-bootstrap.md
+++ b/workplans/archived/260603-NK-WP-0005-agent-driven-credential-bootstrap.md