The orchestration-layer analog of the IAM Profile, realizing the
playbook-contract dependency named in ADR-0007's meta-orchestration
refinement. NetKingdom owns the contract schema (consumer-defines-contract,
IAM Profile precedent); Railiance authors playbooks and publishes
conformant declarations; execution stays in Railiance (ADR-0007 unchanged).
Six tasks: ownership ADR + versioning; capability vocabulary (aligned to
the C0-C6 ladder + responsibility-map resource kinds); parameter format
(defaults, constraints, security-sensitivity); responsibility/trust-state
claims; catalog + consumption model + conformance validator; reference
adoption with one Railiance playbook. Status proposed; not yet registered.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Plan to make net-kingdom the canonical owner of the IAM Profile. A v0.1
draft exists in the-custodian canon (all-hubs, Custodian-flavored,
Keycloak as reference provider); this workplan relocates ownership and
evolves it to a provider-neutral, platform-neutral v0.2 that is tenant-
and agent-aware, carries explicit assurance evidence, specifies the claim
contract flex-auth consumes, and ships an executable conformance check.
Enables NK-WP-0011 (T6 conformance) and depends on NK-WP-0006 (recursive
tenant model). Status: proposed; not yet registered in the hub.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Set NK-WP-0001 status to canonical 'archived' (was non-canonical
'deferred', which the hub rejected). Backfill NK-WP-0011 workstream and
task ids from State Hub registration.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
NK-WP-0001-T04 (privacyIDEA, Keycloak path) -> cancelled, superseded by
NK-WP-0003-T04 in the deployed KeyCape stack. T05-T08 (Keycloak SSO,
realm/MFA flow, user mgmt, DR) -> cancelled and migrated to NK-WP-0011.
NK-WP-0011 reframes the deferred Keycloak work as expanded-mode enterprise
federation: Keycloak as an identity broker for Entra ID / AD / SAML that
issues IAM Profile-conformant tokens, refined against the current stack
(OpenBao runtime secrets, CloudNativePG, flex-auth/Topaz PDP, recursive
platform/tenant model) rather than the original greenfield assumptions.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Refine the recursive platform security architecture to make OpenBao the
canonical runtime secret authority, with SOPS/age, K8s Secrets, and the
emergency bundle reframed as bootstrap/delivery/break-glass mechanisms.
- credential-management standard v0.2: add OpenBao runtime authority
section, rotation rules, and prohibited patterns (OpenBao-as-PDP,
tenant platform-root)
- platform-identity-security-architecture: mark implemented; add
flex-auth/Topaz implications, Coulomb onboarding path, and a
production-readiness checklist
- NK-WP-0004/0005: document bootstrap-to-OpenBao handoff boundary
- NK-WP-0006/0007: status -> done with implementation reviews; add
recursive platform/tenant split and OpenBao broker/audit role for
object-storage STS vending
- NK-WP-0008: status -> done; repoint corpus to infospace-bench
- new ADR-0007 (orchestration boundary), ADR-0008 (STS vending
boundary), and the object-storage STS credential-vending architecture
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Added allow-traefik-to-acme-solver NetworkPolicy to sso and mfa namespaces.
The default-deny-all policy was blocking HTTP-01 challenge traffic from Traefik
to the cert-manager solver pods, causing all TLS certs to stay pending (502).
Workplan NK-WP-0003 updated: T02, T03, T04, T05, T06, T07, T08a all done on
RAILIANCE01 as of 2026-03-25. T08 (e2e auth test) is now unblocked.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
All 3 KeyCape test packages pass (migration, negative, profile).
DNS resolves for all 4 subdomains; Go 1.22.10 available at ~/go/bin/go.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pod Running with correct image and config. enckey, audit keys, pi-admin,
trigger-admin all created via agent bootstrap (NK-WP-0005).
Remaining: TLS cert + trigger-admin policy via WebUI.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- NK-WP-0003 T08: replace hardcoded /home/worsch/key-cape with
$(git rev-parse --show-toplevel)/../key-cape so acceptance tests
run correctly on any machine
- NK-WP-0005 T04: create .claude/commands/creds-init.md — the
autonomous credential bootstrap skill (reads creds-state.yaml,
resumes from current phase, honours emergency bundle gate)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
NK-WP-0005: mark all tasks done, status → done
NK-WP-0003: T01 marked done (NK-WP-0004/0005 complete); pre-conditions
updated; done criteria reflect agent-bootstrap model (no KeePassXC)
NK-WP-0001: status → deferred; T05-T08 (Keycloak) deferred indefinitely;
superseded_by: NK-WP-0003 added
Active work path is now NK-WP-0003 T02-T09.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replaces the human-as-operator model from NK-WP-0004 with full agent
automation. Agent generates, encrypts (SOPS), injects into cluster,
and delivers a single emergency bundle (age key + break-glass passwords).
Human only stores that bundle in their personal password manager.
KeePassXC removed from operational path. creds-state.yaml redesigned
with agent_mode and emergency_bundle_delivered gate. Standard to be
updated to v0.2 (T07).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
