net-kingdom/docs/security-bootstrap-handover-cleanup.md

Security Bootstrap Handover And Cleanup

Status: draft UX contract
Date: 2026-05-24

Purpose

This document defines the cleanup steps and reopen gates that follow the king handover. It is the product contract for NET-WP-0016-T07.

The platform can be assembled in MVP/prototype mode, but it should not be treated as clean until bootstrap-era credentials, databases, tokens, and access paths have been reviewed and reset or rotated.

Handover Goal

The handover proves that:

  • the king credential controls platform-root recovery;
  • day-to-day setup access is scoped and revocable;
  • OpenBao root-token disposition is known;
  • bootstrap-era material has been reset or rotated;
  • backups and restore work; and
  • the platform can reopen under explicit custody.

Cleanup Checklist

| Area | Required action |
| --- | --- |
| Gitea/admin accounts | Review admins, remove stale accounts, require MFA where available |
| IAM users | Review setup users, platform admins, tenant admins, and reviewers |
| Databases | Reset bootstrap passwords and rotate app credentials |
| OpenBao | Revoke or seal the root token, verify the non-root admin path, review policies |
| Kubernetes | Review service accounts, tokens, namespaces, and privileged bindings |
| SSH/access | Review keys, remove unknown keys, rotate setup access where needed |
| SOPS/age | Review recipients and emergency bundle handling |
| State Hub | Record non-secret decisions, progress, and remaining gates |
| Backups | Take a snapshot and run a restore drill before live secrets are loaded |
| Audit | Confirm durable audit routing or documented interim custody |
| Scans | Run the host/workload checks available for the current environment |
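
The Kubernetes row and the "no unknown platform admins remain" gate need a concrete review step. The following is an added example, not net-kingdom code: it reads the JSON shape that `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` produce, treats `cluster-admin` and any ClusterRole with wildcard verbs on wildcard resources as privileged, and reports every subject bound to such a role that is not on an expected-admin list. The sample roles and bindings are constructed, and the expected-admin list is an assumption for illustration.

```python
"""Review ClusterRoleBindings for privileged subjects the handover does not
account for.  Added example, not net-kingdom code.  The JSON below is
constructed sample data in the shape of `kubectl get ... -o json`; the
expected-admin list is an assumption for illustration."""
import json

# Subjects the handover record explicitly accounts for (assumed for this example).
# Service accounts are keyed as "namespace/name".
EXPECTED_ADMINS = {
    ("Group", "system:masters"),              # the built-in cluster-admin binding
    ("User", "platform-admin@example.test"),
}

# Constructed sample: a wildcard role that is cluster-admin under another name,
# and a read-only role that is not privileged.
SAMPLE_ROLES = json.dumps({"items": [
    {"metadata": {"name": "deployer"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "view"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]})

# Constructed sample bindings: one built-in, one leftover bootstrap user, one
# expected admin, one service account reaching cluster-admin via the wildcard
# role, and one harmless read-only group.
SAMPLE_BINDINGS = json.dumps({"items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "bootstrap-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "setup@example.test"}]},
    {"metadata": {"name": "platform-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "platform-admin@example.test"}]},
    {"metadata": {"name": "ci-deployer"},
     "roleRef": {"kind": "ClusterRole", "name": "deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
    {"metadata": {"name": "reviewers"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "reviewers"}]},
]})


def wildcard_roles(roles_json):
    """ClusterRoles granting every verb on every resource; treated as privileged
    even though they are not named cluster-admin."""
    names = set()
    for role in json.loads(roles_json).get("items", []):
        for rule in role.get("rules") or []:
            if "*" in rule.get("verbs", []) and "*" in rule.get("resources", []):
                names.add(role["metadata"]["name"])
    return names


def subject_key(subject):
    """Normalise a binding subject to a hashable (kind, name) pair."""
    kind = subject.get("kind")
    if kind == "ServiceAccount":
        return (kind, f"{subject.get('namespace', 'default')}/{subject['name']}")
    return (kind, subject["name"])


def privileged_subjects(bindings_json, roles_json):
    """Map (kind, name) -> sorted list of ClusterRoleBinding names for every
    subject bound to cluster-admin or to a wildcard ClusterRole."""
    privileged = {"cluster-admin"} | wildcard_roles(roles_json)
    found = {}
    for binding in json.loads(bindings_json).get("items", []):
        ref = binding.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in privileged:
            continue
        for subject in binding.get("subjects") or []:
            found.setdefault(subject_key(subject), set()).add(binding["metadata"]["name"])
    return {key: sorted(names) for key, names in found.items()}


def unknown_admins(bindings_json, roles_json, expected=EXPECTED_ADMINS):
    """Privileged subjects not on the expected-admin list.  The reopen gate
    'no unknown platform admins remain' stays failed while this is non-empty."""
    return {key: names for key, names in privileged_subjects(bindings_json, roles_json).items()
            if key not in expected}


if __name__ == "__main__":
    for (kind, name), names in sorted(unknown_admins(SAMPLE_BINDINGS, SAMPLE_ROLES).items()):
        print(f"unknown {kind} {name} via {', '.join(names)}")
```

On the sample data the leftover `setup@example.test` user and the `ci/deployer` service account are reported; `system:masters` and the expected platform admin are not. The check is deliberately narrow: it looks only at ClusterRoleBindings, and only at roles that are named `cluster-admin` or carry wildcard rules. Aggregated ClusterRoles, namespaced RoleBindings, and roles with `escalate`, `bind`, or `impersonate` verbs can also confer platform-wide control and need a separate pass before the gate is marked passed.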

Reopen Gates

The platform may be marked reopened only when:

  • king credential kit is complete;
  • OpenBao is initialized and unsealed or approved for the next seal posture;
  • root token is revoked or offline-sealed;
  • non-root platform admin path exists;
  • bootstrap databases and admin credentials are reset or rotated;
  • no unknown platform admins remain;
  • backup snapshot exists;
  • restore drill has passed;
  • audit handling is known;
  • user lifecycle paths are documented; and
  • remaining risk exceptions are listed with owners and dates.

UX Shape

The handover screen should be a checklist with evidence rows:

```text
HANDOVER

Stage
S4 - Cleanup and hardening

Blocked
- Reopen platform: restore drill missing
- Live secrets: root-token disposition deferred

Evidence
- King credential kit: complete
- OpenBao preflight: passed
- Non-root admin path: pending
```

The UI should avoid a celebratory "complete" state. It should say "reopened under custody" and list any remaining exceptions.
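
The screen above is the output of a small amount of gate logic, and the part worth getting right is how exceptions are treated: an exception without an owner and a date is itself a blocker, not a way past one. The following evaluator is an added example, not net-kingdom code. The gate ids, the state words it accepts as passing, and the mapping of each gate to one of the two blocked targets ("Reopen platform" and "Live secrets") are assumptions made for this example.

```python
"""Reopen-gate evaluator producing the handover screen.  Added example, not
net-kingdom code.  Gate ids, passing-state vocabulary and the gate-to-target
mapping are assumptions for illustration."""
from datetime import date

# (gate id, evidence label, target reported as blocked while the gate is unmet)
GATES = [
    ("king_kit", "King credential kit", "Reopen platform"),
    ("openbao_preflight", "OpenBao preflight", "Reopen platform"),
    ("root_token", "Root-token disposition", "Live secrets"),
    ("non_root_admin", "Non-root admin path", "Reopen platform"),
    ("bootstrap_rotation", "Bootstrap credentials rotated", "Reopen platform"),
    ("no_unknown_admins", "No unknown platform admins", "Reopen platform"),
    ("backup_snapshot", "Backup snapshot", "Live secrets"),
    ("restore_drill", "Restore drill", "Reopen platform"),
    ("audit_handling", "Audit handling", "Reopen platform"),
    ("user_lifecycle", "User lifecycle paths", "Reopen platform"),
]
# Evidence states that satisfy a gate (assumed vocabulary).
PASSING = {"complete", "passed", "approved", "revoked", "offline-sealed", "rotated", "documented"}


def evaluate(evidence, exceptions, today):
    """evidence: {gate_id: state}.  exceptions: list of {gate, owner, date, reason}.
    Returns status, blocked rows, evidence rows and the accepted exceptions."""
    blocked, accepted = [], {}
    for exc in exceptions:
        # An exception counts only with a named owner and an unexpired review date;
        # anything less is recorded as a blocker in its own right.
        valid_date = isinstance(exc.get("date"), date) and exc["date"] >= today
        if not exc.get("owner") or not valid_date:
            blocked.append(("Exceptions", f"{exc.get('gate')}: exception lacks owner or valid date"))
        else:
            accepted[exc["gate"]] = exc
    evidence_rows = []
    for gate_id, label, target in GATES:
        state = evidence.get(gate_id, "missing")
        evidence_rows.append(f"{label}: {state}")
        if state in PASSING or gate_id in accepted:
            continue
        blocked.append((target, f"{label.lower()} {state}"))
    # There is no "complete" state: the best outcome is reopened under custody
    # with every accepted exception still listed.
    status = "blocked" if blocked else "reopened under custody"
    return {
        "status": status,
        "blocked": blocked,
        "evidence": evidence_rows,
        "exceptions": [f"{e['gate']}: {e['reason']} (owner {e['owner']}, until {e['date']})"
                       for e in accepted.values()],
    }


def render(result, stage="S4 - Cleanup and hardening"):
    """Plain-text rendering in the shape of the mock screen."""
    lines = ["HANDOVER", "", "Stage", stage, "", "Status", result["status"], ""]
    if result["blocked"]:
        lines += ["Blocked"] + [f"- {target}: {why}" for target, why in result["blocked"]] + [""]
    lines += ["Evidence"] + [f"- {row}" for row in result["evidence"]]
    if result["exceptions"]:
        lines += ["", "Exceptions"] + [f"- {row}" for row in result["exceptions"]]
    return "\n".join(lines)


if __name__ == "__main__":
    sample = {"king_kit": "complete", "openbao_preflight": "passed",
              "non_root_admin": "pending", "root_token": "deferred"}
    print(render(evaluate(sample, [], date(2026, 5, 24))))
```

With the sample evidence the output lists "Reopen platform: restore drill missing" and "Live secrets: root-token disposition deferred" among the blocked rows, as in the mock; once every gate passes or carries an owned, dated exception, the status becomes "reopened under custody" and the exceptions section stays on screen.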

When NET-WP-0016 closes, review related security and bootstrap workplans for stale assumptions:

  • NET-WP-0015 for king credential and custody status;
  • NK-WP-0001 for older Vault and admin bootstrap language;
  • NK-WP-0004 for credential-management foundation alignment;
  • NK-WP-0005 for agent-driven bootstrap boundaries;
  • NK-WP-0006 for platform-root architecture language;
  • NK-WP-0007 for OpenBao and STS responsibility split;
  • NK-WP-0011 for future expanded-mode identity;
  • RAIL-PL-WP-0002 for OpenBao live ceremony gates; and
  • any SSO/MFA bootstrap scripts that still assume MVP credentials are final.

Each review should result in one of:

  • keep as-is;
  • update stale language;
  • add follow-up task;
  • mark superseded; or
  • archive/retire if the workplan is now represented by the guided bootstrap experience.