15 Commits

Author SHA1 Message Date
3ab326b597 Clarifications on sops 2026-06-14 19:51:05 +02:00
4232e62a50 feat(NET-WP-0018-T08): integrate validations into the UI state model
- Extended computed validation pattern into main gates:
  - Added keycape_openbao_client_deployed() (invokes verify-openbao-client.sh for live check).
  - Updated 'KeyCape OpenBao client deployed' gate in build_gates to 'done' if metadata or validator succeeds (T08: UI now proves via validation not just manual flag).
- Added validate-keycape-client subparser, dispatch (prints source+live status), and make target.
- Updated printed available actions list to include it.
- Updated T08 workplan section: status done + detailed 2026-06-03 implementation note (extended from 0019 note; covers one key target as example, pattern for others like LLDAP/privacyIDEA/Authelia using existing verify-*.sh).
- T07 tests + console-test cover; console status gates now reflect more validator output.
- Pragmatic: progress log with task_id, file notes, commit.
- Brief/fix next (expect 8/9 done).

This fulfills T08: more gates compute from validators (ok/fail) rather than manual only; live setup can satisfy checks via the integrated commands.
2026-06-04 00:25:45 +02:00
e20b322a2e feat(NET-WP-0018-T07): add automated tests for bootstrap UI sections and runbooks
- Created tools/security-bootstrap-console/tests/test_security_bootstrap_console.py (pytest-based, 8 tests covering templates (incl. 0019 dry-run fields), runbook_payloads (T06 entry), audit_core_posture, etc. per layered spec + 0019 note)
- Makefile: added security-bootstrap-console-test (pytest), security-bootstrap-scripts-syntax (bash -n for key sh scripts like dry-run-nonroot-user.sh); integrated into .PHONY and bootstrap lists
- Updated workplan T07 status done + detailed note with pragmatic refs
- Tests pass (python -m pytest)
- Commit + will sync/fix/progress
- Covers console UI, validators, 0019 polish artifacts (orchestrator, cmds, claims, evidence) as required for T07

T07 complete. 6/9 now.
2026-06-03 17:28:21 +02:00
140fff6773 NET-WP-0019: register T06-adjacent polish workplan + implement core (orchestrator script, safer secret fallback in create-user, console dry-run + cleanup commands, make targets, cross-link from 0017 T06). See workplan file for task status. 2026-06-03 02:17:55 +02:00
fe052f3a37 polish: T06-adjacent improvements to lifecycle flow (add onboarding-dry-run-template + concrete T06 dry-run execution section in lifecycle-guide; wiring for parser/dispatch/status/Makefile for consistency with T05) 2026-06-03 02:11:56 +02:00
1f0e8490fd NET-WP-0017: implement T05 first user lifecycle operator flow (console template+guide, evidence, validate support, docs integration) 2026-06-03 01:55:43 +02:00
5e7844debd NET-WP-0017: complete T03 Close Trial Taint And Retire Bootstrap Admin Paths + T04 Harden (evidence, console template, metadata flags, inventories, reviews) 2026-06-03 01:50:29 +02:00
0ab7c14ec9 Add signed custody roster workflow 2026-06-02 01:11:42 +02:00
31e6d6660f Add NET-WP-0017 T02 closure validator 2026-06-02 00:24:18 +02:00
c48e076429 Close OpenBao OIDC admin bootstrap path 2026-06-01 21:20:53 +02:00
1d0b0e7330 openbao king credential bootstrapping 2026-05-24 09:26:02 +02:00
8e720dd78a Implement NK-WP-0013 playbook capability contract 2026-05-22 14:49:25 +02:00
c3f721397a Implement NK-WP-0012 IAM profile specification 2026-05-22 14:35:31 +02:00
95656f2324 feat(creds): NK-WP-0005 — agent-driven credential bootstrap
Implements all 7 tasks from NK-WP-0005:

T01: creds-state.yaml → schema_version: 2, agent_mode: true
     Replaces keepass_confirmed with emergency_bundle_delivered,
     adds phase tracking fields for fully automated flow.

T02: creds-bootstrap-agent.sh — single entrypoint for autonomous
     bootstrap. 10 phases, idempotent re-runs via state file.
     Only human touchpoint: emergency bundle confirmation gate.

T03: emergency-bundle.sh — assembles and displays emergency bundle
     (age key + break-glass passwords + ops bundle location).
     Writes temp file, shreds on confirmation, clears screen.
     Supports --reprint for re-delivery.

T04: ~/.claude/commands/creds-init.md — /creds-init skill replaces
     /creds-bootstrap. Fully autonomous execution via the agent.

T05: Makefile — creds-agent-init, creds-agent-status,
     creds-emergency-reprint targets.

T06: creds-rotate.sh — --non-interactive flag for agent-driven
     rotation. Auto-confirms all gates; tracks last_rotated_<key>
     in creds-state.yaml. LLDAP web UI step prints warning in
     non-interactive mode.

T07: canon/standards/credential-management_v0.2.md — updated
     standard: KeePassXC removed from operational path, agent
     bootstrap as Phase 0, emergency bundle section, prohibited
     patterns updated.

Also: creds-status.sh handles both schema v1 (legacy) and v2.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 08:38:52 +00:00
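As an added example (not the project's creds-bootstrap-agent.sh or creds-status.sh, whose contents this log does not show), the two ideas in the T01/T02 notes and the last line of the message: a state file that tells schema v1 (`keepass_confirmed`) from v2 (`schema_version: 2`, `emergency_bundle_delivered`), and phases that are skipped on re-run once the state file records them. The field names `keepass_confirmed`, `emergency_bundle_delivered`, `schema_version` and `agent_mode` are the ones the commit names; the `phase_<name>: done` convention, the flat top-level-key layout and the demo values are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: flat-key state file handling for a creds-state.yaml-style
# file. Not the project's creds-bootstrap-agent.sh or creds-status.sh.
set -u

# Read a top-level "key: value" entry (nested YAML is out of scope here).
state_get() {  # state_get FILE KEY
  sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# Set a top-level key in place, appending it if absent.
state_set() {  # state_set FILE KEY VALUE
  if grep -q "^$2:" "$1"; then
    sed -i.bak "s/^$2:.*/$2: $3/" "$1" && rm -f "$1.bak"
  else
    printf '%s: %s\n' "$2" "$3" >> "$1"
  fi
}

# Files written before schema_version existed are legacy v1.
state_schema() {  # state_schema FILE
  local v
  v=$(state_get "$1" schema_version)
  echo "${v:-1}"
}

# The human-confirmation flag was renamed between schemas; resolve per version.
bundle_confirmed() {  # bundle_confirmed FILE -> exit 0 if confirmed
  case "$(state_schema "$1")" in
    1) [ "$(state_get "$1" keepass_confirmed)" = "true" ] ;;
    2) [ "$(state_get "$1" emergency_bundle_delivered)" = "true" ] ;;
    *) echo "unknown schema_version" >&2; return 2 ;;
  esac
}

# Run a named phase once. Assumption (not from the log): completion is
# recorded as "phase_<name>: done". A re-run skips finished phases and retries
# failed ones, so the entrypoint is safe to invoke repeatedly.
run_phase() {  # run_phase FILE PHASE CMD [ARGS...]
  local file=$1 phase=$2
  shift 2
  if [ "$(state_get "$file" "phase_$phase")" = "done" ]; then
    echo "phase $phase: already done, skipping"
    return 0
  fi
  if "$@"; then
    state_set "$file" "phase_$phase" done
    echo "phase $phase: done"
    return 0
  fi
  state_set "$file" "phase_$phase" failed
  echo "phase $phase: failed, will retry on next run" >&2
  return 1
}

# Constructed demo state (not real project data); the files are removed after.
demo() {
  local v1 v2
  v1=$(mktemp) v2=$(mktemp)
  printf 'generated: true\nkeepass_confirmed: false\n' > "$v1"
  printf 'schema_version: 2\nagent_mode: true\nemergency_bundle_delivered: true\n' > "$v2"
  echo "legacy file: schema $(state_schema "$v1"), confirmed=$(bundle_confirmed "$v1" && echo yes || echo no)"
  echo "agent file:  schema $(state_schema "$v2"), confirmed=$(bundle_confirmed "$v2" && echo yes || echo no)"
  run_phase "$v2" generate true
  run_phase "$v2" generate true    # second run is a no-op
  run_phase "$v2" apply false || true
  rm -f "$v1" "$v2"
}
demo
```

The skip check reads the state file on every invocation rather than relying on in-memory progress, which is what makes a crashed or interrupted run resumable: the next run starts at the first phase not recorded as done. A phase that failed is left marked `failed` so the status view can show it, and it is retried rather than skipped.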
c10d7d2f8a feat(creds): implement NK-WP-0004 Credential Management Foundation
- .sops.yaml + keys/age.pub: SOPS age encryption for all secrets/ paths
- .gitignore: broad secrets/ catch-all (any depth)
- .githooks/pre-commit: blocks unencrypted secrets/, *.env outside bootstrap/,
  and known plaintext patterns (PI_SECRET_KEY=, LLDAP_JWT_SECRET=, etc.)
- Makefile: full credential lifecycle (creds-init/generate/bundle/apply/verify/
  status/rotate) + SOPS helpers (sops-setup/edit/encrypt/decrypt/rotate/check-secrets)
  + hooks/hooks-test
- creds-apply.sh: runs create-secrets.sh in dependency order (postgresql → lldap →
  authelia → privacyidea), skips keycape with printed instructions, updates state
- creds-verify.sh: checks all K8s secrets exist, updates creds-state.yaml
- creds-status.sh: human-readable state table from creds-state.yaml
- creds-rotate.sh: guided rotation for all 9 secret types with impact descriptions
  and atomic multi-component update sequences
- creds-state.yaml: committable state file tracking generation, bundle, KeePassXC
  confirmation, per-component apply status, enckey and pi-admin bootstrap flags

NK-WP-0003-T01 unblocked. /creds-bootstrap skill registered separately.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 23:39:35 +00:00
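As an added example (not the project's `.githooks/pre-commit`, whose contents this log does not show), a bash guard that enforces the three rules the commit lists: anything under `secrets/` at any depth must be SOPS-encrypted, `*.env` files are only allowed under `bootstrap/`, and known plaintext patterns are rejected anywhere. Assumptions made here: SOPS-encrypted YAML carries a top-level `sops:` metadata block and SOPS dotenv output a `sops_mac=` key, both with values wrapped in `ENC[...]`; the pattern list contains only the two names the commit mentions and is meant to be extended; the `--hook` argument and function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example: a pre-commit guard for plaintext credentials. Not the
# project's .githooks/pre-commit, whose contents the log does not show.
set -u

# Known plaintext patterns; the two names come from the commit message,
# extend the alternation for others.
PLAINTEXT_PATTERNS='^(PI_SECRET_KEY|LLDAP_JWT_SECRET)='

# Assumption: SOPS-encrypted YAML carries a top-level "sops:" metadata block,
# SOPS dotenv output a "sops_mac=" key, and both wrap values in ENC[...].
is_sops_encrypted() {  # is_sops_encrypted FILE
  grep -Eq '^(sops:|sops_mac=)' "$1" && grep -q 'ENC\[' "$1"
}

# Apply the policy to one staged path. BLOB holds the staged content.
check_file() {  # check_file PATH BLOB -> exit 0 if allowed
  local path=$1 blob=$2
  case "$path" in
    secrets/*|*/secrets/*)          # any depth
      if ! is_sops_encrypted "$blob"; then
        echo "REJECT $path: under secrets/ but not SOPS-encrypted"
        return 1
      fi ;;
    bootstrap/*) ;;                 # the only place a plaintext .env may live
    *.env)
      echo "REJECT $path: *.env outside bootstrap/"
      return 1 ;;
  esac
  # Plaintext pattern check for every file. Lines whose value is an ENC[...]
  # ciphertext (SOPS dotenv output) are not plaintext and are skipped.
  if grep -E "$PLAINTEXT_PATTERNS" "$blob" | grep -Evq '=ENC\['; then
    echo "REJECT $path: known plaintext secret pattern"
    return 1
  fi
  echo "OK $path"
}

# Hook driver: check the staged blob (git show :path), not the working tree
# copy, so the content inspected is exactly what would be committed.
scan_staged() {
  local rc=0 p blob list
  blob=$(mktemp) list=$(mktemp)
  git diff --cached --name-only --diff-filter=ACM > "$list"
  while IFS= read -r p; do
    git show ":$p" > "$blob" 2>/dev/null || continue
    check_file "$p" "$blob" || rc=1
  done < "$list"
  rm -f "$blob" "$list"
  return "$rc"
}

# Invoke as ".githooks/pre-commit --hook" (or exec this from the hook);
# a non-zero exit aborts the commit.
case "${1:-}" in
  --hook) scan_staged ;;
esac
```

Two practitioner caveats. First, the hook inspects the index, not the working tree: a file that was edited after `git add` is judged on what will actually land in the commit. Second, a hook is a local convenience that `--no-verify` bypasses, so the same `check_file` logic belongs in CI (or in a `make check-secrets` style target such as the one this commit adds) where it cannot be skipped.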