T2: greenfield live proof against a fresh uninitialized OpenBao 2.5.5 —
caught and fixed 'bao operator unseal -' not reading stdin (now
'bao write sys/unseal key=-'); init and reseal-replay paths proven.
T3: attended-ceremony selectable — runbook, non-secret ceremony-record
template + validator, and a lab/production deployment profile that blocks
sops-held-automation in console selection, gates, and the init script.
T4: console gate + evidence flags for auto-unseal-transit (Helm seal stanza
prepared in railiance-platform).
Also: SCOPE.md refreshed to current repo state; ad hoc fix for the broken
check-secrets Make target (unescaped $).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

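The stdin-fed unseal form this commit switched to, as an added example that is not part of the commit or of the repository it describes: a POSIX sh wrapper that pipes one key share into `bao write sys/unseal key=-`, plus a recording stand-in for the `bao` CLI (constructed here purely so the invocation can be inspected offline) and a check that the share reaches the process on stdin only and never as an argv element visible in a process listing. The function names `unseal_from_stdin`, `make_recording_stub`, `share_only_on_stdin` and the `BAO_BIN` override are this example's own assumptions, not identifiers from the project.

```shell
#!/bin/sh
# Added example (not from the commit or the repository): submit an OpenBao
# unseal key share over stdin so it is never an argv element.
# Assumes the 'bao' CLI is on PATH; BAO_BIN overrides the binary
# (used below to point at a recording stub for offline checking).
set -u

BAO_BIN="${BAO_BIN:-bao}"

# Feed one key share through a pipe. 'key=-' makes the CLI read the value
# from stdin; printf without a trailing newline submits exactly the share.
unseal_from_stdin() {
  printf '%s' "$1" | "$BAO_BIN" write sys/unseal key=-
}

# Constructed stand-in for 'bao' that records its argv and stdin to files in
# a temp directory and prints that directory. Point BAO_BIN at "$dir/bao"
# to inspect what a real invocation would have exposed.
make_recording_stub() {
  stub_dir=$(mktemp -d)
  cat > "$stub_dir/bao" <<'EOF'
#!/bin/sh
# constructed stub: one argv element per line, stdin verbatim, exit 0
printf '%s\n' "$@" > "$(dirname "$0")/argv"
cat > "$(dirname "$0")/stdin"
EOF
  chmod +x "$stub_dir/bao"
  printf '%s' "$stub_dir"
}

# Return 0 when the share ($2) is absent from the recorded argv and is
# exactly what arrived on stdin, i.e. the invocation did not leak it.
share_only_on_stdin() {
  ! grep -qF -- "$2" "$1/argv" && [ "$(cat "$1/stdin")" = "$2" ]
}
```

To check a wrapper against the stub rather than a live server: `d=$(make_recording_stub); BAO_BIN="$d/bao" unseal_from_stdin "$share"; share_only_on_stdin "$d" "$share"`. Against a real cluster, drop the stub and run `unseal_from_stdin` once per required share.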
- Fill .claude/rules/stack-and-commands.md (was an empty TODO template)
- Normalize workplan frontmatter statuses to canonical vocabulary
  (completed/done -> finished) per ADR-001
- Repair glued frontmatter delimiter in NK-WP-0001 (superseded_by line)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

- Align agent files with on-disk workplan prefixes (infer from workplan ids)
- Set workplan domain to registered domain_slug; add topic_slug where applicable
- Repair frontmatter delimiter formatting; migrate legacy task status literals
- Regenerate AGENTS.md, CLAUDE.md, and .claude/rules from State Hub templates

Set listing_visibility=unauth on netkingdom and keycape during OIDC configure
so the browser login mask can select KeyCape instead of falling back to token.

Document three init/unseal custody paths; default sops-held-automation for
fast rebuild cycles. Security bootstrap console lists models, blocks planned
attended-ceremony and auto-unseal-transit with hints, and gates init ceremony
on implemented selection. NET-WP-0020 tracks downstream SSH automation.

Add Operational SSH Path to platform architecture and move ops-warden
from out-of-scope to operational SSH dependency in responsibility-map.
Aligns with ops-warden WARDEN-WP-0006 stewardship work.

- Updated per convention (ADR-001 / AGENTS.md): after implementation is complete, set status finished.
- Brief + hub workstream already set to finished by prior fix-consistency (C-13).
- This keeps the file as the source of truth.
- Followed by statehub sync.

- Extended computed validation pattern into main gates:
  - Added keycape_openbao_client_deployed() (invokes verify-openbao-client.sh for live check).
  - Updated 'KeyCape OpenBao client deployed' gate in build_gates to 'done' if metadata or validator succeeds (T08: UI now proves via validation, not just manual flag).
  - Added validate-keycape-client subparser, dispatch (prints source+live status), and make target.
  - Updated printed available actions list to include it.
- Updated T08 workplan section: status done + detailed 2026-06-03 implementation note (extended from 0019 note; covers one key target as example, pattern for others like LLDAP/privacyIDEA/Authelia using existing verify-*.sh).
- T07 tests + console-test cover; console status gates now reflect more validator output.
- Pragmatic: progress log with task_id, file notes, commit.
- Brief/fix next (expect 8/9 done).

This fulfills T08: more gates compute from validators (ok/fail) rather than manual only; live setup can satisfy checks via the integrated commands.

- console.py print_status: added explicit 'Follow the NET-WP-0018 Smooth Bootstrap Guide' block after Next safe action, with doc path + lifecycle-guide/make entrypoint. Updated 'Available actions' #9 to note the guide.
- Previously refreshed lifecycle_guide T06 DRY-RUN to 0019 + new guide.
- workplan: T06 status done + detailed 2026-06-03 completion note (supersedes old 0019 'awaits' note); start note already present.
- Pragmatic: progress events (task_id), file notes, this commit.
- UI (status + guide print + 0019 actions/validators/runbooks) now guides the sequence from docs/smooth-bootstrap-guide.md and makes the recommended path clear/hard to go wrong-order.
T06 complete. Brief/fix next (expect 5/9).