bootstrapping guidance ui and missing stuff

2026-05-24 17:04:15 +02:00
parent 1d0b0e7330
commit d555a33695
10 changed files with 913 additions and 36 deletions
--- a/docs/platform-root-custody.md
+++ b/docs/platform-root-custody.md
@@ -76,6 +76,54 @@ break-glass material. The preferred end state is:
 - Routine access flows through NetKingdom IAM claims and scoped OpenBao
  policies.

+## Where The King Credential Lives
+
+The king credential is an identity and custody record, not an OpenBao password.
+In the current lightweight NetKingdom stack, the practical placement is:
+
+| Part | Current home | Notes |
+| --- | --- | --- |
+| User record | LLDAP | dedicated `platform-root` or `king` user, separate from `tegwick` |
+| Password login | Authelia over LLDAP | day-to-day email is notification-only |
+| TOTP / token enrollment | privacyIDEA | QR/setup key comes from privacyIDEA self-service |
+| privacyIDEA administration | `pi-admin` | setup and repair account, not the king credential |
+| IAM Profile / OIDC token | KeyCape | target issuer for normal platform identity claims |
+| Secret custody and audit | OpenBao | initialized after custody approval; not the human identity provider |
+
+OpenBao enters the story after custody approval: it holds platform secrets,
+unseal/recovery material handling, audit, policies, and temporary or future
+admin auth methods. It should not be used as the place where the human king
+password or OTP seed lives.
+
+LLDAP deliberately has no public registration flow. The first-user process is
+administrator-provisioned:
+
+1. Log in to `https://lldap.coulomb.social` as `admin`.
+2. Retrieve `LLDAP_LDAP_USER_PASS` from the operator password safe entry
+   `net-kingdom/LLDAP/admin`.
+3. Create the dedicated `platform-root` or `king` user.
+4. Add the user to `net-kingdom-admins` for the current lightweight path.
+5. Store the new account password only in the password safe or offline custody
+   packet.
+6. Use `pi-admin` in privacyIDEA to confirm that the LLDAP resolver can see
+   the new user and that self-enrollment is allowed.
+7. Log in to privacyIDEA self-service as `platform-root` and enroll the TOTP
+   token there. The QR/setup key belongs only in the authenticator and custody
+   storage, never in this repo, State Hub, chat, or the local control surface.
+8. Verify the OIDC login path through a registered KeyCape client. KeyCape is
+   an issuer, not a dashboard; the root URL may return `404` while discovery,
+   health, authorize, token, and userinfo endpoints are healthy.
+
+The local control surface records this as non-secret progress: account
+reference, group assignment confirmation, password-safe confirmation, and later
+login-path verification. It does not read or store the password, OTP seed, QR
+code, or recovery codes.
+
+Do not use a successful `platform-admin` login as proof of `platform-root`
+custody unless the recorded king credential was intentionally changed to
+`platform-admin`. `platform-admin` is the later non-root operator path; it is
+useful, but it is not the same as proving the platform-root custody identity.
+
 ## Trust Progression

 The platform moves through explicit trust stages:
--- a/docs/security-bootstrap-age-custody.md
+++ b/docs/security-bootstrap-age-custody.md
@@ -0,0 +1,72 @@
+# Bootstrap Age Custody
+
+Status: draft control-surface contract
+Date: 2026-05-24
+
+## Purpose
+
+The custodian age keypair is the bootstrap envelope key for NetKingdom security
+setup. It is not a login account and it is not the runtime secret manager.
+
+The public key may be stored in the control surface and used by automation to
+encrypt generated bootstrap bundles. The private key is supplied only during an
+explicit unlock/apply or recovery ceremony.
+
+## Minimal Secret Model
+
+The minimal human-held secret set is:
+
+| Secret | Home | Notes |
+| --- | --- | --- |
+| Custodian age private key | Password safe or offline custody packet | Used to decrypt bootstrap bundles for an attended apply/recovery ceremony |
+| Platform-root password | Password safe or offline custody packet | Dedicated custody identity, not day-to-day account |
+| Platform-root OTP/recovery | Authenticator plus offline recovery | Not stored in Git, State Hub, or bootstrap metadata |
+| OpenBao recovery/unseal material | OpenBao custody packet | Created only after custody approval |
+
+Everything else should be generated, encrypted to the custodian public key,
+applied to the cluster, then shredded or rotated into OpenBao once OpenBao is
+available.
+
+## Trial Versus Custody Mode
+
+Trial mode uses throwaway values to document the steps, UI, failure modes, and
+operator instructions. Nothing created in trial mode should be trusted as live
+security material.
+
+Custody mode uses real generated secrets. The expected lifecycle is:
+
+1. Register the custodian public age recipient in the control surface.
+2. Generate or recover bootstrap secrets.
+3. Encrypt the bundle to the custodian public key.
+4. Apply secrets to the cluster during an attended ceremony.
+5. Shred plaintext `sso-mfa/bootstrap/secrets/`.
+6. Record only non-secret fingerprints, timestamps, and state transitions.
+
+## Control Surface Rules
+
+The NetKingdom control surface may store:
+
+- custodian public age recipient;
+- public-key fingerprint;
+- private-key location reference, such as a password-safe entry label;
+- encrypted bundle path and file count;
+- whether plaintext bootstrap secrets are currently present; and
+- non-secret apply/verification status.
+
+It must not store:
+
+- `AGE-SECRET-KEY-1...` private key material;
+- generated passwords;
+- OTP seeds;
+- OpenBao root tokens or unseal shares;
+- decrypted bootstrap files; or
+- screenshots of secret output.
+
+## Current Tooling Alignment
+
+`sso-mfa/bootstrap/encrypt-secrets.sh` should accept an age public recipient
+directly. Encryption does not require the private key.
+
+`sso-mfa/bootstrap/decrypt-secrets.sh` requires the private key path and should
+be used only in an explicit unlock/apply ceremony. After apply, plaintext files
+must be shredded.
--- a/docs/security-bootstrap-king-credential-kit.md
+++ b/docs/security-bootstrap-king-credential-kit.md
@@ -53,12 +53,18 @@ The UI may record:
 | Field | Example |
 | --- | --- |
 | Credential label | `platform-root` |
+| Identity account home | `lldap` |
+| Identity account reference | `platform-root@lldap` |
+| Identity account created | `true` only after the dedicated account exists |
+| Identity group reference | `net-kingdom-admins` |
+| Identity group confirmed | `true` only after the account is assigned to the group |
 | Custody posture | `temporary-single-king` or `two-of-three-planned` |
 | Notification contact | `bernd.worsch@gmail.com` |
 | Setup operator | `tegwick` |
 | Created date | `2026-05-24` |
 | Review date | date for next custody review |
 | Storage class | `password-safe`, `offline-paper`, `hardware-token`, or similar |
+| Password safe confirmed | `true` only after the credential is stored outside this UI |
 | MFA class | `totp`, `webauthn`, `hardware-token`, or similar |
 | MFA enrolled confirmed | `true` only after the factor is enrolled with its verifier |
 | MFA enrollment source | non-secret source label such as `identity-provider` or `hardware-registration` |
@@ -86,6 +92,16 @@ Suggested label: `platform-root`.
 The UI should explain that this is not a normal user and not a day-to-day admin
 account. It is rare root custody.

+### 1a. Create The Identity Account
+
+In the current lightweight stack, create the dedicated account in LLDAP and
+record only a non-secret reference such as `platform-root@lldap`. The password
+belongs in the operator password safe or offline custody packet, not in the
+bootstrap metadata.
+
+For the first lightweight path, assign the account to `net-kingdom-admins`.
+This is a non-secret membership fact and may be recorded as confirmed.
+
 ### 2. Choose Storage

 Allowed first-version choices:
@@ -116,6 +132,14 @@ must not generate an orphan OTP seed because it would not authenticate
 anything. The console records only that enrollment completed and where,
 without storing the seed, QR code, recovery codes, or screenshots.

+In the current NetKingdom lightweight stack, `pi-admin` is the privacyIDEA
+administrator for checking the LLDAP resolver, realm, and self-enrollment
+policy. It is not the king credential. The preferred flow is to log in to the
+privacyIDEA self-service portal as `platform-root` and enroll the token there.
+If the self-service flow is not working yet, `pi-admin` may assign a token as
+an admin-assisted fallback, but the seed and recovery values still remain out
+of the bootstrap metadata.
+
 ### 4. Prepare Recovery

 The operator confirms that recovery codes or equivalent recovery material exist
@@ -155,7 +179,10 @@ The software must not fill secret fields.
 The king credential kit is complete when:

 - the credential label exists;
+- the dedicated identity account exists;
+- the required admin group assignment is confirmed;
 - storage choice is recorded;
+- the password is confirmed stored outside this UI;
 - second factor is enrolled with its real verifier and confirmed;
 - recovery material is confirmed;
 - custody mode is selected;