---
id: NET-WP-0015
type: workplan
title: "King Credential And OpenBao Identity Bootstrap"
domain: netkingdom
repo: net-kingdom
status: active
owner: codex
topic_slug: netkingdom
created: "2026-05-24"
updated: "2026-05-24"
depends_on:
  - NK-WP-0006
  - NK-WP-0012
state_hub_workstream_id: "6b9c25e4-1008-429a-8de6-54361872c0dd"
---

# NET-WP-0015 - King Credential And OpenBao Identity Bootstrap

## Goal

Define and execute the first safe bridge between low-trust setup operations, a
dedicated king credential, NetKingdom identity, and Railiance OpenBao
bootstrap.

The revised decision is that `tegwick` / `bernd.worsch@gmail.com` is the
initial accountable setup operator and notification contact, not the long-term
platform root of trust. The actual platform-root authority should move to a
separate king credential before OpenBao becomes live secret custody.

## Context

Railiance owns OpenBao deployment and operations. NetKingdom owns the identity,
custody, and security semantics that say who can administer the platform and
how that authority transitions from bootstrap material into normal IAM claims.

The platform is still in MVP/prototype bootstrap. That means early databases,
admin accounts, tokens, and access paths must be treated as potentially
contaminated by convenience. The platform should be assembled in low-trust
mode, then handed over to the king credential, reset/rotated, checked, and
reopened under explicit custody.

## Scope

In scope:

- record the setup operator/contact identity;
- define the separate king credential target;
- define the temporary single-operator king custody exception;
- specify target NetKingdom IAM claims for the first admin identity;
- coordinate the OpenBao initialization prerequisites with Railiance;
- define the transition from OpenBao root token to scoped admin access; and
- add follow-up gates for independent escrow, OIDC/JWT admin auth,
  reset/rotation, scan checks, and restore verification.

Out of scope:

- storing any secret material in this repo;
- running `bao operator init` from an unattended agent session;
- deploying key-cape, Keycloak, privacyIDEA, or OpenBao itself; and
- granting tenant administrators platform-root authority.

## Tasks

### T01 - Record Setup Operator And King Credential Model

```task
id: NET-WP-0015-T01
status: done
priority: high
state_hub_task_id: "60659e25-fed1-478e-b8a3-4bc7b2f3846b"
```

Record `tegwick` / `bernd.worsch@gmail.com` / Gitea `tegwick` as the initial
setup operator and contact. Define the separate king credential as the actual
platform-root target.

**2026-05-24:** Added `docs/platform-root-custody.md` and updated
`docs/platform-identity-security-architecture.md` plus `SCOPE.md`.

**2026-05-24:** Revised the custody model: `tegwick` is no longer modeled as
the platform root of trust. The day-to-day account can assemble and observe the
platform, while a dedicated king credential receives final custody after the
guided bootstrap path is ready.

### T02 - Define King Credential Kit

```task
id: NET-WP-0015-T02
status: done
priority: high
state_hub_task_id: "1a1c45a2-be66-4667-89f8-581f4fe9970b"
```

Define the first king credential kit: dedicated identity name, local/offline
password-safe storage, second factor, recovery-code handling, no email secret
transfer, no day-to-day browsing/Git use, and operator instructions clear
enough for a non-expert.

**2026-05-24:** Defined the v1 kit in
`docs/security-bootstrap-king-credential-kit.md`: label `platform-root`, setup
operator/contact `tegwick`, notification-only email
`bernd.worsch@gmail.com`, local password safe plus offline custody packet,
TOTP/WebAuthn/hardware-token second factor, no day-to-day use, and no email or
Git secret transfer. Added
`examples/security-bootstrap/king-credential-metadata.example.json` plus
console validation for non-secret kit metadata. Custody-mode approval remains
blocked under T03.

### T03 - Approve King Custody Mode

```task
id: NET-WP-0015-T03
status: blocked
priority: high
state_hub_task_id: "56a6266a-4acd-41e6-a395-85e90a5c35c6"
```

Choose either the preferred independent two-of-three king custody model or an
explicit temporary single-operator king credential exception for pre-production
bootstrap. Do not run OpenBao initialization until this choice is recorded.

**2026-05-24:** Added local approval surfaces for this human gate:
`approve-custody-mode` for the CLI and `web-ui` for the localhost console.
Both write non-secret metadata only and keep live OpenBao initialization as a
separate attended ceremony. Current recommended approval mode is
`temporary-single-king`; `two-of-three-planned` records the target state but
does not unblock live init.

**2026-05-24:** Tightened MFA handling after review: a TOTP QR code or setup
key must come from the authority that will verify login, not from the local
metadata console. Custody approval now requires explicit non-secret
confirmation that the factor was enrolled with its real verifier.

### T04 - Complete Railiance OpenBao Bootstrap Ceremony

```task
id: NET-WP-0015-T04
status: blocked
priority: high
state_hub_task_id: "2102366e-064b-4071-8b6a-574d9d37d109"
```

Coordinate with `RAIL-PL-WP-0002-T03` to initialize and unseal OpenBao under
the king credential model, enable audit and the first mounts/policies, create a
non-root `platform-admin` access path, and revoke or offline-escrow the initial
root token.

### T05 - Provision First NetKingdom Admin Identity

```task
id: NET-WP-0015-T05
status: todo
priority: high
state_hub_task_id: "d2a81d7b-9964-4bd5-9b8c-ef1324e02cd4"
```

Provision the first king/admin identity in the selected NetKingdom IAM
implementation. The target claims are `tenant=platform`,
`principal_type=human` or `break_glass`, MFA-backed assurance, and groups/roles
for `platform-root`, `platform-admin`, `netkingdom-admin`, and
`railiance-platform-admin`. `tegwick` may receive delegated day-to-day admin
roles later, but must be revocable without losing root custody.

### T06 - Bind OpenBao Admin Auth To NetKingdom IAM

```task
id: NET-WP-0015-T06
status: todo
priority: medium
state_hub_task_id: "ef97f3cb-9792-4b9d-bd2b-8871d368a50f"
```

Replace temporary operator tokens with NetKingdom IAM-backed OpenBao admin
auth when the issuer and claim mapping are ready. The OpenBao root token must
not be the normal admin path.

### T07 - Verify Recovery, Audit, And Rotation

```task
id: NET-WP-0015-T07
status: todo
priority: medium
state_hub_task_id: "aa40cbb4-36d3-405d-b59d-0c21ae8c9539"
```

Confirm snapshot/restore drill, durable audit-log handling, root-token
disposition, unseal/recovery rotation expectations, and the follow-up owner
for adding at least one additional human escrow holder.

### T08 - Reset, Rotate, And Reopen Under King Oversight

```task
id: NET-WP-0015-T08
status: todo
priority: high
state_hub_task_id: "e6a60dca-547b-4493-a36c-f6b668d1bf52"
```

After the king credential accepts custody, reset or rotate bootstrap-era
database credentials, admin passwords, service tokens, OpenBao tokens, and
temporary access paths. Run host/workload checks and reopen the platform only
after the new custody state is verified.

## Acceptance Criteria

- The setup operator and king credential model are recorded without secret
  values.
- The custody mode is explicit before OpenBao initialization.
- OpenBao root-token use is limited to bootstrap or break-glass handling.
- Routine admin access has a non-root path and a target NetKingdom IAM path.
- Production readiness has a clear gate for independent escrow, audit, restore,
  reset/rotation, and reopening under king oversight.