---
id: NK-WP-0009
type: workplan
title: NetKingdom Security Pattern Tutorials
domain: netkingdom
repo: net-kingdom
status: proposed
owner: codex
topic_slug: netkingdom
planning_priority: medium
planning_order: 9
created: 2026-05-17
updated: 2026-05-17
depends_on:
  - NK-WP-0008
state_hub_workstream_id: "66c9f1e9-6b2f-454b-a6d4-04e5fe42385a"
---

# NK-WP-0009 - NetKingdom Security Pattern Tutorials

## Goal

Build practical tutorials that show operators and developers how to implement the canonical NetKingdom security architecture patterns in NetKingdom-enabled IT infrastructures. Where NK-WP-0008 is the pattern library, this workplan is the hands-on path: runnable examples, checklists, commands, manifests, verification steps, and failure-mode exercises.

## Context

The platform needs more than architecture statements. A new deployment should be able to answer:

- How do I issue identity tokens in lightweight mode versus expanded mode?
- How do I ask flex-auth for a resource decision?
- How do I vend temporary object-storage credentials?
- How do I deploy OpenBao and avoid secret-zero traps?
- How do I use short-lived SSH certificates for agents and automations?
- How do I verify audit records and break-glass behavior?

Tutorials turn canonical patterns into repeatable implementation practice without forcing every application repo to rediscover the same steps.

## Scope

In scope:

- tutorial structure and style guide
- runnable or copy-pasteable examples
- local/dev and production variants where appropriate
- verification and rollback steps
- integration references to key-cape, flex-auth, ops-warden, ops-bridge, railiance-platform, and artifact-store

Out of scope:

- deploying live services directly from this repo
- replacing repo-specific operator runbooks
- hiding provider-specific security differences behind one generic command

## Tasks

```task
id: NK-WP-0009-T1
status: todo
priority: high
state_hub_task_id: "79150b07-f25d-4407-a118-e08b6e588d37"
```

Create a tutorial template with prerequisites, architecture context, commands, manifests, verification, rollback, threat checks, and cross-repo ownership notes.

```task
id: NK-WP-0009-T2
status: todo
priority: high
state_hub_task_id: "07647ba6-90e1-4569-947a-ebccce7a2d5e"
```

Write the first tutorial: "Vend temporary S3 credentials from a NetKingdom identity token", covering key-cape/Keycloak identity, flex-auth authorization, the object-store STS exchange, and SDK consumer configuration.

```task
id: NK-WP-0009-T3
status: todo
priority: high
state_hub_task_id: "0f34eda3-f1f3-4c49-9eba-36167b6c5ea9"
```

Write "Deploy OpenBao as the canonical secrets manager for a NetKingdom-enabled Railiance platform", linking to the Railiance Platform workplan and covering auth methods, secret engines, CSI/ESO integration, leases, unseal, backup, and break-glass.

```task
id: NK-WP-0009-T4
status: todo
priority: medium
state_hub_task_id: "3c17d1ac-3232-43b4-b541-ea6538da2afb"
```

Write "Use short-lived SSH credentials for admins, agents, and automations", using ops-warden and ops-bridge as the reference implementation.

```task
id: NK-WP-0009-T5
status: todo
priority: medium
state_hub_task_id: "aff82173-0b8e-4216-855a-887ac68b63e0"
```

Write "Add a protected system to flex-auth", covering resource manifests, action vocabulary, claim envelopes, policy packages, decision envelopes, and delegated PDP options.

```task
id: NK-WP-0009-T6
status: todo
priority: medium
state_hub_task_id: "df427aa3-233f-4479-aed9-706676f8e87d"
```

Add tutorial verification fixtures or checklists so that each tutorial has a clear "done when" outcome and does not become prose-only guidance.

## Acceptance Criteria

- Tutorials are grouped under a stable docs path with a repeatable format.
- Each tutorial maps back to one or more NK-WP-0008 patterns.
- Tutorials name the owning repo for every concrete implementation step.
- Tutorials include verification and rollback guidance, not just happy-path commands.