3ab326b597
Clarifications on sops
2026-06-14 19:51:05 +02:00
443b585010
finished workplan
2026-06-05 13:10:37 +02:00
cc0cb03c1d
NET-WP-0018: fix archive prefix to 260604 (two-digit year 26 per convention and existing archived/ files like 260603-*)
2026-06-04 02:07:50 +02:00
280294b9c3
NET-WP-0018: archive finished workplan to archived/ (per ADR-001 / AGENTS.md convention)
...
- All tasks (T01-T09) complete, frontmatter status: finished, hub workstream finished.
- Move: workplans/NET-WP-0018-...md -> workplans/archived/20240604-NET-WP-0018-...
- Frontmatter id unchanged.
- Followed by statehub sync.
- T09 completion + 9/9 done.
2026-06-04 01:58:22 +02:00
9f82709b6d
NET-WP-0018: mark workplan frontmatter status: finished (all 9 tasks done per T09)
...
- Updated per convention (ADR-001 / AGENTS.md): after implementation complete, set status finished.
- Brief + hub workstream already set to finished by prior fix-consistency (C-13).
- This keeps file as source of truth.
- Followed by statehub sync.
2026-06-04 00:57:55 +02:00
875e50d573
NET-WP-0018 T09: Assess scratch-rebuild risk and define rehearsal plan
...
- Created docs/security-bootstrap-rebuild-risk-and-rehearsal.md (risk table 12+ items classified likelihood/impact/etc; UE adapters #1 HIGH per assessment 7 gaps; non-destructive rehearsal plan: scripted dry (creds-init --dry + 0019 orchestrator + make/console validate + T07/T08) then ns-isolated then parallel; rollback via cleanup/lock-offboard; prove via validators/evidence/status/tests; recs + coverage gaps documented; refs T02/T03/T05/T07/T08/0019/assessment/contract)
- Updated workplan T09 status:done + detailed 2026-06-04 completion note (reviews all prior T0x + live console/evidence/metadata exercised in T09; pragmatic infra used; 9/9 closes 0018)
- Frontmatter updated date
- No destructive; all per session protocol + pragmatic audit (file source per ADR-001)
- T07 tests + T08 validate-keycape + validate-onboarding-dry-run exercised OK as part of review
Refs: workstream 800f9f16-..., task a9e60fd5-...; will POST /progress/ + fix-consistency
2026-06-04 00:50:18 +02:00
4232e62a50
feat(NET-WP-0018-T08): integrate validations into the UI state model
...
- Extended computed validation pattern into main gates:
- Added keycape_openbao_client_deployed() (invokes verify-openbao-client.sh for live check).
- Updated 'KeyCape OpenBao client deployed' gate in build_gates to 'done' if metadata or validator succeeds (T08: UI now proves via validation not just manual flag).
- Added validate-keycape-client subparser, dispatch (prints source+live status), and make target.
- Updated printed available actions list to include it.
- Updated T08 workplan section: status done + detailed 2026-06-03 implementation note (extended from 0019 note; covers one key target as example, pattern for others like LLDAP/privacyIDEA/Authelia using existing verify-*.sh).
- T07 tests + console-test cover; console status gates now reflect more validator output.
- Pragmatic: progress log with task_id, file notes, commit.
- Brief/fix next (expect 8/9 done).
This fulfills T08: more gates compute from validators (ok/fail) rather than manual only; live setup can satisfy checks via the integrated commands.
2026-06-04 00:25:45 +02:00
a3eeda726a
chore(NET-WP-0018-T04): close T04 as fulfilled
...
- Updated workplan T04 status to done + completion note.
- Explained coverage: the 2026-06-03 note already documented that the persisted user-engine/net-kingdom integration assessment largely fulfills T04 (deep review of INTENT/SCOPE/boundaries for UE + NK + key-cape + railiance + OpenBao + state-hub; 7 gaps; recs for T07/T08).
- Work folded into T02 (UE section in arch doc), T03 (gap matrix row + refs), T07 (tests note), and cross-refs elsewhere.
- Why 'left out' of recent execution: medium priority vs. high-prio sequential deps (T02 arch -> T03 retrospective -> T05 guide -> T06 align -> T07 tests). Core review work was already done earlier (assessment persist + 0019 cross-links). No new unclear ownerships found requiring action now.
- Brief/fix next to reflect 7/9 done (T04 closed; open T08/T09).
2026-06-04 00:20:22 +02:00
e20b322a2e
feat(NET-WP-0018-T07): add automated tests for bootstrap UI sections and runbooks
...
- Created tools/security-bootstrap-console/tests/test_security_bootstrap_console.py (pytest-based, 8 tests covering templates (incl. 0019 dry-run fields), runbook_payloads (T06 entry), audit_core_posture, etc. per layered spec + 0019 note)
- Makefile: added security-bootstrap-console-test (pytest), security-bootstrap-scripts-syntax (bash -n for key sh scripts like dry-run-nonroot-user.sh); integrated into .PHONY and bootstrap lists
- Updated workplan T07 status done + detailed note with pragmatic refs
- Tests pass (python -m pytest)
- Commit + will sync/fix/progress
- Covers console UI, validators, 0019 polish artifacts (orchestrator, cmds, claims, evidence) as required for T07
T07 complete. 6/9 now.
2026-06-03 17:28:21 +02:00
0c66154966
feat(NET-WP-0018-T06): finish control surface alignment to T05 smooth guide
...
- console.py print_status: added explicit 'Follow the NET-WP-0018 Smooth Bootstrap Guide' block after Next safe action, with doc path + lifecycle-guide/make entrypoint. Updated 'Available actions' #9 to note the guide.
- Previously refreshed lifecycle_guide T06 DRY-RUN to 0019 + new guide.
- workplan: T06 status done + detailed 2026-06-03 completion note (supersedes old 0019 'awaits' note); start note already present.
- Pragmatic: progress events (task_id), file notes, this commit.
- UI (status + guide print + 0019 actions/validators/runbooks) now guides the sequence from docs/smooth-bootstrap-guide.md and makes the recommended path clear/hard to go wrong-order.
T06 complete. Brief/fix next (expect 5/9).
2026-06-03 17:11:26 +02:00
f3147186e9
feat(NET-WP-0018-T06): align control surface - refresh console lifecycle_guide T06 DRY-RUN to 0019 orchestrator + new smooth guide
...
- Updated print_lifecycle_guide in console.py: replaced old manual secret-mkdir steps (pre-0019) with preferred make security-bootstrap-onboarding-dry-run + dry-run-nonroot-user.sh + validate + claims + cleanup. References docs/smooth-bootstrap-guide.md Step 7 + NET-WP-0019.
- Workplan T06 start note + in_progress (alignment per T05 guide + T03 recs; leverages existing 0019 validators/console for passive->validator).
- Pragmatic: progress log, file notes, this commit.
- This makes the printed guide align with T05 consolidated guide, deprecates fragile manual path.
T06 alignment complete for guide/control surface. Next T07 tests (use new guide + 0019 as cases) or T04/T08.
2026-06-03 16:59:39 +02:00
13a0221c42
chore(NET-WP-0018-T05): mark T05 done in workplan (status block) after guide delivery
2026-06-03 16:57:49 +02:00
7da19ef767
feat(NET-WP-0018-T05): complete smooth bootstrap guide
...
- Created docs/smooth-bootstrap-guide.md as the single consolidated operator guide per T05 spec + T03 recs:
- Full sequence (prereqs, creds/king, privacyIDEA, LLDAP/user + MFA, KeyCape, OpenBao, lifecycle via 0019, reopen, handoff)
- Per-step evidence requirements + links to validate-*, 0019 dry-run, console subcmds/make
- Blocked conditions, next safe action, effective preview, actor classes
- References T02 runtime arch, T03 retrospective/matrix, console lifecycle-guide (incl. 0019), UX contracts, evidence templates
- Pragmatic note + update pointers for console guide
- Updated workplan T05 to done + completion note
- Pragmatic: progress (task_id), file notes, this commit
- Brief/fix next (expect 4/9 done: T02-T03 + T05; T04 medium can follow or parallel)
T05 complete. T06 (align control surface) next logical (uses this guide + T02/T03).
2026-06-03 16:56:10 +02:00
a3a63c6836
feat(NET-WP-0018-T03): complete retrospective and automation gap matrix
...
- Updated workplan: T03 status done + final 2026-06-03 completion note
- docs/security-bootstrap-retrospective.md now serves as the output: bumps from full history (incl. 0019 hygiene wins), gap matrix (audit, UE adapters, guide, tests, etc.), recs prioritizing T05 + using T02/T03 for later
- All via pragmatic: progress logs (task_id), file notes, this commit
- Brief/hub will reflect 3/9 via next fix-consistency (T02+T03 done)
T03 complete. Next: T05 (smooth guide) per retrospective recs and priorities.
2026-06-03 16:54:07 +02:00
3466c431dd
feat(NET-WP-0018-T03): initial retrospective + gap matrix (substantial draft)
...
- Created docs/security-bootstrap-retrospective.md:
- Exec summary (wins: S6, console/0019 automation, evidence discipline, T02 arch doc; gaps: UE adapters, consolidated guide, tests, proper audit)
- 9 bumps with diagnosis/now-automated?/remaining (realm, OIDC callbacks, LLDAP claims, OpenBao mapping, tokens, operator-state, secret taint pre-0019, audit correlation, etc.)
- Full gap matrix table (areas, current status incl. 0019/T02, remaining, priorities)
- Recommendations (T05 consolidate guide, T07/T08 use 0019+T02 as fixtures, T09 classify UE risk, continue pragmatic)
- Refs to T02 doc, 0017/0019 evidence, console, assessment gap 7, pragmatic records
- Updated workplan T03 with progress note (still in_progress for expansion)
- Pragmatic tracking: progress events (with task), file notes, commit
- Builds directly on T02 + prior 0017/0019 + Coordination pragmatic guidance
Feeds T05/T06/T08/T09. Next tasks can reference this + T02.
2026-06-03 16:31:08 +02:00
d09843c17e
feat(NET-WP-0018-T02): Document The Runtime Architecture
...
- Created docs/NetkingdomRuntimeArchitecture.md (comprehensive, specific-as-deployed):
- Planes (bootstrap/control/tenant + recursive trust)
- Identity/MFA/OIDC (lightweight key-cape: LLDAP/Authelia/privacyIDEA + KeyCape https://kc.coulomb.social ; clients, claims, groups)
- Authelia handoff, OpenBao OIDC+secrets path (SOPS/age -> runtime leases/K8s/audit)
- Bootstrap console/UI state (S6, gates, 0019 dry-run additions, web-ui, evidence)
- State Hub relation, k8s/DNS/routes/ingress/trust (concrete hosts/ns)
- Pragmatic audit paths (local-identity TSV, PVC+mock, State Hub/console)
- UE integration points + 7 gaps (per assessment + boundary contract refs)
- Operational assumptions + rebuild notes
- Updated NET-WP-0018 workplan: T02 status done + detailed 2026-06-03 completion note
- Used pragmatic tracking throughout (progress events with task_id 121ee797..., file notes, this commit)
- Per T02 spec + Coordination Notes guidance on pragmatic for impl/retrospect
This doc is now the baseline for T03 retrospective/gap matrix (incl. audit), T05 guide, T06/T08 control surface/validations, T09 risk assessment.
2026-06-03 16:27:22 +02:00
6e05946163
docs(NET-WP-0018): add explicit guidance in Coordination Notes on using pragmatic auditing/tracking infra (State Hub progress/decisions, workplan dated notes, git, console evidence/metadata, local audit) during 0018 implementation to feed T03 retrospective + optimization review
...
- References existing audit_core bootstrap risk acceptance (production sink deferred)
- Cross-refs T03 gap matrix (includes audit), T02 (document current pragmatic audit paths), assessment gap 7 (correlation), local-identity/audit.py, contract requirements
- Answers query: pragmatic is sufficient and intended for tracking the workplan work + retrospect; do not block on establishing full production Audit Core first (risk accepted for bootstrap phase)
- Per session protocol + ADR-001 (file first)
2026-06-03 16:17:46 +02:00
000d263bea
review(NET-WP-0018): update frontmatter, add Related section, and dated notes (2026-06-03) across T02-T09 for 0019 polish artifacts + user-engine/net-kingdom assessment
...
- T04: assessment fulfills UE boundary/intent/scope review (7 gaps detailed)
- T02/T03/T05/T06/T08/T09: note post-0017/0019 state, enablers (orchestrator, console subcmds, make targets, claims helper, evidence/validators, runbook exposure), remaining work, cross-refs to assessment
- T07 note enhanced with pointer to 0019 impl
- T01 note trimmed to pointer
- updated date + Related section
- Prepares for impl readiness assessment; no status changes (still 1/9 in file/hub pending tasks)
See docs/user-engine-netkingdom-integration-assessment.md and NET-WP-0019.
2026-06-03 11:47:41 +02:00
1721226427
docs: persist user-engine vs net-kingdom integration assessment (new doc + cross-references in SCOPE, boundary contract, guidance, responsibility map, 0018/0019 workplans). Also updated user-engine integration doc to reference it.
2026-06-03 10:33:31 +02:00
92bf7d1d1c
NET-WP-0019: implement T05 (OIDC claims helper + integration in script/console) and T06 (add dry-run to runbook_payloads for web-ui exposure; cross-link update in 0018 T07). Update workplan notes.
2026-06-03 07:10:56 +02:00
f56bca5b5d
NET-WP-0019: update workplan with implementation notes and task statuses after core polish (T01-T04 done).
2026-06-03 02:23:05 +02:00
140fff6773
NET-WP-0019: register T06-adjacent polish workplan + implement core (orchestrator script, safer secret fallback in create-user, console dry-run + cleanup commands, make targets, cross-link from 0017 T06). See workplan file for task status.
2026-06-03 02:17:55 +02:00
bcac6076cb
NET-WP-0017: complete T06 dry-run + T07 review/retire (onboarded+locked+offboarded t06-dryrun test user via T05 flow + verifs; evidence+validate pass; archived superseded 0015/16 + old NK-0003/4/5 bootstrap plans per T07; set platform_reopened; updated T06/T07 notes + frontmatter finished)
2026-06-03 02:01:38 +02:00
1f0e8490fd
NET-WP-0017: implement T05 first user lifecycle operator flow (console template+guide, evidence, validate support, docs integration)
2026-06-03 01:55:43 +02:00
5e7844debd
NET-WP-0017: complete T03 Close Trial Taint And Retire Bootstrap Admin Paths + T04 Harden (evidence, console template, metadata flags, inventories, reviews)
2026-06-03 01:50:29 +02:00
16b57fb773
Complete OpenBao emergency drill gate
2026-06-03 00:50:23 +02:00
c7bbdac03b
Record OpenBao restore drill evidence
2026-06-02 17:23:20 +02:00
eb973621e1
Record T02 audit posture progress
2026-06-02 02:02:05 +02:00
0ab7c14ec9
Add signed custody roster workflow
2026-06-02 01:11:42 +02:00
31e6d6660f
Add NET-WP-0017 T02 closure validator
2026-06-02 00:24:18 +02:00
cd82285efe
Require emergency drill evidence validation
2026-06-02 00:08:16 +02:00
6bd822ae71
Require concrete OpenBao restore evidence
2026-06-01 23:57:00 +02:00
8f5bfbe20e
Hand off durable audit fabric to audit-core
2026-06-01 23:44:04 +02:00
f6053f5c0b
Record OpenBao authenticated audit proof
2026-06-01 22:52:42 +02:00
dc4fe883a5
Add OpenBao authenticated proof runbook
2026-06-01 22:46:15 +02:00
1f09e6dcae
Record OpenBao audit rollout evidence
2026-06-01 22:30:33 +02:00
53f20bf3e6
Start OpenBao audit recovery closeout
2026-06-01 22:12:22 +02:00
9a8ec0d9a5
Finish NET-WP-0015 bootstrap handoff
2026-06-01 21:55:30 +02:00
8382a11e8e
Add bootstrap rebuild readiness workplan
2026-06-01 21:48:48 +02:00
c48e076429
Close OpenBao OIDC admin bootstrap path
2026-06-01 21:20:53 +02:00
e04603779c
Update OpenBao onboarding readiness handoff
2026-05-29 02:11:02 +02:00
733f77b448
Record State Hub IDs for onboarding readiness plan
2026-05-26 07:12:09 +02:00
9eabf6cd4d
Review OpenBao onboarding readiness workplans
2026-05-26 07:08:25 +02:00
1edcfbb17d
Use helper for OpenBao OIDC auth setup
2026-05-26 03:02:08 +02:00
a47c707a9a
Verify KeyCape discovery without container wget
2026-05-26 02:47:01 +02:00
59c924bc18
Patch KeyCape OpenBao client without bootstrap secrets
2026-05-26 02:36:04 +02:00
1267df148a
Harden KeyCape OpenBao client action
2026-05-26 02:22:24 +02:00
f3c8d70270
Split OpenBao admin identity tasks
2026-05-26 02:13:55 +02:00
9dc7e140b8
Refine OpenBao taint resolution
2026-05-26 01:50:57 +02:00
500e616202
Add OpenBao admin identity stage
2026-05-26 01:17:42 +02:00
