Refine the recursive platform security architecture to make OpenBao the
canonical runtime secret authority, with SOPS/age, K8s Secrets, and the
emergency bundle reframed as bootstrap/delivery/break-glass mechanisms.
- credential-management standard v0.2: add OpenBao runtime authority
section, rotation rules, and prohibited patterns (OpenBao-as-PDP,
tenant platform-root)
- platform-identity-security-architecture: mark implemented; add
flex-auth/Topaz implications, Coulomb onboarding path, and a
production-readiness checklist
- NK-WP-0004/0005: document bootstrap-to-OpenBao handoff boundary
- NK-WP-0006/0007: status -> done with implementation reviews; add
recursive platform/tenant split and OpenBao broker/audit role for
object-storage STS vending
- NK-WP-0008: status -> done; repoint corpus to infospace-bench
- new ADR-0007 (orchestration boundary), ADR-0008 (STS vending
boundary), and the object-storage STS credential-vending architecture
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
NK-WP-0005: mark all tasks done, status → done
NK-WP-0003: T01 marked done (NK-WP-0004/0005 complete); pre-conditions
updated; done criteria reflect agent-bootstrap model (no KeePassXC)
NK-WP-0001: status → deferred; T05-T08 (Keycloak) deferred indefinitely;
superseded_by: NK-WP-0003 added
Active work path is now NK-WP-0003 T02-T09.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replaces the human-as-operator model from NK-WP-0004 with full agent
automation. Agent generates, encrypts (SOPS), injects into cluster,
and delivers a single emergency bundle (age key + break-glass passwords).
Human only stores that bundle in their personal password manager.
KeePassXC removed from operational path. creds-state.yaml redesigned
with agent_mode and emergency_bundle_delivered gate. Standard to be
updated to v0.2 (T07).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
