generated from coulomb/repo-seed
bootstrapping guidance ui and missing stuff
@@ -132,6 +132,58 @@ key must come from the authority that will verify login, not from the local
metadata console. Custody approval now requires explicit non-secret
confirmation that the factor was enrolled with its real verifier.
**2026-05-24:** Clarified credential placement in the UI and custody docs:
the dedicated king account currently belongs in the lightweight NetKingdom
identity path (LLDAP user, Authelia login, privacyIDEA MFA, KeyCape OIDC).
OpenBao is the secrets/audit/admin-policy custody service after the ceremony,
not the place where the human password or OTP seed lives.
**2026-05-24:** Expanded the local UI toward a NetKingdom control surface:
the bootstrap flow now has action buttons for LLDAP, privacyIDEA, and KeyCape,
plus non-secret progress saving for account creation, MFA enrollment, OIDC
verification, and custody approval.
**2026-05-24:** Clarified the LLDAP first-user path in the UI and docs:
LLDAP has no registration flow; the operator logs in as bootstrap `admin`
using `LLDAP_LDAP_USER_PASS` from `net-kingdom/LLDAP/admin`, then creates the
dedicated `platform-root` or `king` account and assigns the current lightweight
admin group.
**2026-05-24:** Added explicit non-secret UI confirmations for the account
having been created, assigned to `net-kingdom-admins`, stored in the password
safe/offline packet, and later verified through the login path. Automated
LLDAP detection is deferred because it would require authenticated access to
LLDAP and should be built as an audited integration.
**2026-05-24:** Improved the KeyCape login-check path: the local bootstrap UI
now acts as the `demo-app` OIDC callback, exposes `/oidc/start` and
`/oidc/callback`, and adds hover-help text to the external action buttons.
The live KeyCape rollout still needs the updated `keycape-config` Secret
applied from decrypted `sso-mfa/bootstrap/secrets/` inputs. If the browser
flow reaches Authelia but never presents an OTP challenge, KeyCape needs a
browser MFA prompt surface before this gate can be marked verified.
**2026-05-24:** Filed `KEY-WP-0003` in the KeyCape repo for the current OIDC
verification blocker. The immediate error
`redirect_uri does not match any registered URI` means the local bootstrap
callback is not yet registered in live KeyCape. The follow-up KeyCape work also
covers the browser OTP challenge needed after Authelia password login.
**2026-05-24:** Implemented `KEY-WP-0003` in source. KeyCape now supports a
dedicated `netkingdom-bootstrap-console` client, split browser/server Authelia
URLs, and a browser OTP challenge before issuing the final OIDC code. The local
control surface now uses that dedicated client. Live verification remains
pending until the updated KeyCape image and regenerated `keycape-config` Secret
are rolled out.
**2026-05-24:** Stepped back from ad hoc secret rollout and added the
custodian age-key bootstrap model to the control surface. The UI now records
the custodian public age recipient, a derived fingerprint, and a non-secret
private-key custody reference while refusing to treat the private key as normal
metadata. It also detects encrypted bootstrap bundle presence and plaintext
`sso-mfa/bootstrap/secrets/` exposure. This is the intended foundation for
trial-mode, custody-mode, unlock/apply, and later OpenBao handover flows.
### T04 - Complete Railiance OpenBao Bootstrap Ceremony
```task
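Review bot: the 2026-05-24 entries describe two different OIDC clients for the same local callback without saying which one survives: the earlier entry has the bootstrap UI acting as the `demo-app` OIDC callback on `/oidc/start` and `/oidc/callback`, while the later `KEY-WP-0003` entry moves the control surface to the dedicated `netkingdom-bootstrap-console` client. Add a line stating that the `demo-app` registration is no longer used by the bootstrap console and should be removed from live KeyCape when the regenerated `keycape-config` Secret is rolled out, so a stale redirect URI is not left registered. Two smaller documentation points: the account-creation, `net-kingdom-admins` assignment and password-safe confirmations are operator self-attestations until the audited LLDAP integration exists, and the entry should say so; and the custody entry should name how the "derived fingerprint" of the custodian age recipient is computed, so custodians can compare it out of band.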