---
id: NET-WP-0017
type: workplan
title: "IT Security Readiness For User Onboarding"
domain: netkingdom
repo: net-kingdom
status: active
owner: codex
topic_slug: netkingdom
created: "2026-05-26"
updated: "2026-05-29"
depends_on:
  - NET-WP-0015
  - NET-WP-0016
  - RAIL-PL-WP-0002
state_hub_workstream_id: "385de708-fd59-4bab-a4f4-28c1c476b3ea"
---

# NET-WP-0017 - IT Security Readiness For User Onboarding

## Goal

Finish the remaining NetKingdom and Railiance security setup needed before ordinary platform users, tenant admins, or fabric admins are onboarded.

`NET-WP-0015` established the king credential, OpenBao bootstrap ceremony, and guided control surface. This workplan is the narrower finish-line plan: routine admin access must use NetKingdom identity, bootstrap-era material must be retired or explicitly accepted, audit/recovery posture must be credible, and a first non-root onboarding dry run must prove the lifecycle model.

## Current Evidence

- `platform-root` exists in LLDAP, belongs to `net-kingdom-admins`, has MFA, and completed KeyCape OIDC login.
- Railiance OpenBao is initialized, unsealed, and post-unseal verified.
- OpenBao initial configuration was applied; `platform/` KV and Kubernetes auth exist.
- The initial OpenBao root token is recorded as revoked.
- Trial unseal shares were rotated.
- The KeyCape `openbao-admin` client is live and verified, including the public `https://kc.coulomb.social` route and certificate.
- OpenBao OIDC auth configuration is applied; MFA-backed OpenBao admin login is still pending.
- Declarative/durable audit handling, residual taint closeout, cleanup/rotation, and the first ordinary-user onboarding dry run are still pending.
## Tasks

### T01 - Finish OIDC-Backed OpenBao Admin Login

```task
id: NET-WP-0017-T01
status: in_progress
priority: high
state_hub_task_id: "9b087bbd-631b-4316-b94d-a8265a05b065"
```

Run the fixed OpenBao OIDC helper, record the non-secret completion flag, then verify `platform-root` can complete:

```bash
bao login -method=oidc -path=keycape role=platform-admin
```

The verification must prove the resulting OpenBao token has the intended `platform-admin` policy without relying on the initial root token or a manually minted temporary operator token.

**2026-05-29:** DNS and ACME issuance for `kc.coulomb.social` are healthy: cert-manager issued `kc-tls`, and `sso-mfa/k8s/keycape/verify-openbao-client.sh` passes against the live KeyCape route. `configure-openbao-oidc.sh` has applied the OpenBao `auth/keycape` OIDC configuration and `platform-admin` role. The remaining T01 gate is the human browser login with MFA and a token lookup that shows the expected OpenBao `platform-admin` policy.

### T02 - Close OpenBao Audit And Recovery Production Gates

```task
id: NET-WP-0017-T02
status: todo
priority: high
state_hub_task_id: "909944bd-843a-4a63-8c87-536cea052a88"
```

Resolve the remaining OpenBao production-trust gates:

- configure audit declaratively if API-managed audit remains rejected;
- confirm where audit logs are durably shipped beyond the audit PVC;
- retain non-secret restore-drill evidence and repeat the drill if any material changed;
- record emergency seal/unseal drill evidence; and
- identify the next independent escrow holder for moving beyond temporary single-king custody.
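The T01 token-lookup gate above, worked through as an added example (a hypothetical helper, not code from the net-kingdom repo): it takes the output of `bao token lookup -format=json` and reports whether the token is OIDC-issued, carries `platform-admin`, and is neither the initial root token nor a hand-minted operator token. It assumes the OIDC method is mounted at `auth/keycape` (as `-path=keycape` implies) and that the role's token policy is named `platform-admin`; the sample lookups are constructed.

```python
"""NET-WP-0017 T01 gate: is the token from `bao login -method=oidc -path=keycape`
OIDC-issued, carrying `platform-admin`, and neither root nor hand-minted?
Hypothetical helper (not net-kingdom code). Assumes the OIDC mount is auth/keycape.
Usage: bao token lookup -format=json | python3 check_oidc_token.py
"""
import json
import sys

OIDC_PATH_PREFIX = "auth/keycape/"  # assumption: mount implied by `-path=keycape`
REQUIRED_POLICY = "platform-admin"


def verify_lookup(lookup: dict) -> list[str]:
    """Return gate failures for one `bao token lookup -format=json` result (empty = pass)."""
    data = lookup.get("data", lookup)
    policies = set(data.get("policies", [])) | set(data.get("identity_policies", []))
    path = data.get("path", "")
    failures = []
    if "root" in policies:
        failures.append("token carries the root policy (initial root token or a child of it)")
    if REQUIRED_POLICY not in policies:
        failures.append(f"token lacks the {REQUIRED_POLICY} policy")
    if not path.startswith(OIDC_PATH_PREFIX):
        # a hand-minted `bao token create` token reports path auth/token/create
        failures.append(f"token was not issued by the OIDC mount (path={path or 'unknown'})")
    if not data.get("ttl"):
        failures.append("token has no TTL; routine admin tokens must expire")
    return failures


# Constructed sample lookups, shaped like real `bao token lookup -format=json` output.
OIDC_LOOKUP = {"data": {"path": "auth/keycape/oidc/callback", "ttl": 3600,
                        "policies": ["default", "platform-admin"]}}
ROOT_LOOKUP = {"data": {"path": "auth/token/root", "ttl": 0, "policies": ["root"]}}
MINTED_LOOKUP = {"data": {"path": "auth/token/create", "ttl": 3600,
                          "policies": ["default", "platform-admin"]}}


def main() -> int:
    # Real use reads the piped lookup; with no pipe, run the constructed samples.
    if sys.stdin.isatty():
        samples = {"oidc": OIDC_LOOKUP, "root": ROOT_LOOKUP, "minted": MINTED_LOOKUP}
    else:
        samples = {"stdin": json.load(sys.stdin)}
    results = {name: verify_lookup(lookup) for name, lookup in samples.items()}
    for name, failures in results.items():
        print(f"{name}: {'PASS' if not failures else 'FAIL: ' + '; '.join(failures)}")
    return 1 if any(results.values()) else 0


if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit means the login did not satisfy the gate; the printed reasons contain no token values, so the output can be kept as the non-secret completion evidence.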
### T03 - Close Trial Taint And Retire Bootstrap Admin Paths

```task
id: NET-WP-0017-T03
status: todo
priority: high
state_hub_task_id: "a6cd4325-8f3b-46bb-b810-ca816c35cb29"
```

Review all access paths created during the trial exposure, and record the compromise response as complete only after the operator has rotated, revoked, reset, or explicitly accepted residual risk for each of the following:

- temporary OpenBao `platform-admin` tokens;
- bootstrap/root-token-derived paths;
- early LLDAP/Authelia/KeyCape admin credentials;
- local plaintext secret workspaces;
- bootstrap service tokens; and
- any copied command output or local shell history that may contain secret values.

### T04 - Harden Bootstrap Infrastructure Before User Onboarding

```task
id: NET-WP-0017-T04
status: todo
priority: high
state_hub_task_id: "12c31f76-68f4-4d2b-853a-f3185cfc761c"
```

Complete the minimum hardening before ordinary users are onboarded:

- restrict direct administrative access to LLDAP and privacyIDEA to approved operator networks or tunnels;
- verify no privileged login path bypasses MFA for platform-admin authority;
- rotate or reset bootstrap-era database, admin, and service credentials that were created before custody was established;
- confirm host/workload checks and vulnerability scans are run or explicitly deferred with owner/date; and
- update the bootstrap console state to `cleanup_complete` only when these checks are recorded.

### T05 - Implement First User Lifecycle Operator Flow

```task
id: NET-WP-0017-T05
status: todo
priority: high
state_hub_task_id: "aec3ac45-18be-4b04-a863-0c8c70693739"
```

Turn the documented user lifecycle UX into the first practical operator flow for:

- onboarding a scoped non-root user;
- temporarily locking that user;
- permanently offboarding that user;
- reviewing credentials and MFA state; and
- creating a fabric/tenant admin without platform-root authority.
The flow can begin as console/UI action cards, but it must show effective access before saving and must not expose secrets.

### T06 - Run A Non-Root Onboarding Dry Run

```task
id: NET-WP-0017-T06
status: todo
priority: high
state_hub_task_id: "c149b2f0-c9ee-4c95-a1df-b25ed0d20579"
```

Create a test or first real non-root user using the new lifecycle flow. Verify:

- LLDAP identity and groups;
- MFA enrollment through privacyIDEA;
- KeyCape OIDC claims;
- expected application or platform scope;
- no platform-root or OpenBao root authority;
- lock/offboard path can be exercised or simulated; and
- non-secret audit/progress evidence is recorded.

This is the final gate before declaring the platform ready for normal user onboarding.

### T07 - Review And Retire Superseded Bootstrap Workplans

```task
id: NET-WP-0017-T07
status: todo
priority: medium
state_hub_task_id: "e9ceafb2-14c0-4352-9ac7-e31628feb045"
```

After T01-T06 complete, review `NET-WP-0015`, `NET-WP-0016`, `RAIL-PL-WP-0002`, and older NetKingdom credential/bootstrap workplans. Mark completed work finished or archived, and leave only longer-horizon items such as multi-custodian upgrade, enterprise federation, dynamic database credentials, object-storage STS vending, and application onboarding contracts.

## Acceptance Criteria

- Routine OpenBao administration works through NetKingdom/KeyCape OIDC and MFA.
- The initial root token and temporary OpenBao admin tokens are not normal operating paths.
- Audit, recovery, emergency seal, and restore evidence are recorded without secret values.
- Bootstrap-era privileged credentials have been rotated, reset, revoked, or explicitly accepted as residual risk.
- A non-root user onboarding dry run succeeds and proves lock/offboard/review paths.
- The bootstrap console can honestly move beyond Admin Identity Integration into cleanup and reopening.