coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
net-kingdom/docs/security-bootstrap-related-workplan-review.md

3.4 KiB
Raw Permalink Blame History

Security Bootstrap Related Workplan Review

Status: closeout review for NET-WP-0016 Date: 2026-05-24

Purpose

This review closes NET-WP-0016-T08. It classifies related NetKingdom and Railiance workplans after the guided security bootstrap experience became the canonical operator-facing path.

Review Results

Workplan Result Action
NK-WP-0001 SSO/MFA Platform Retired historical reference Leave archived. Its HashiCorp Vault and single-credential language is historical only. Active paths are NK-WP-0003, NK-WP-0011, RAIL-PL-WP-0002, NET-WP-0015, and NET-WP-0016.
NK-WP-0004 Credential Management Foundation Keep as low-level bootstrap foundation Added closeout note. SOPS/age and generated bundles remain useful substrate tooling, but the operator-facing path is now the guided bootstrap experience.
NK-WP-0005 Agent-Driven Credential Bootstrap Keep as automation substrate, supersede as product UX Added closeout note. Agent automation remains useful, but "zero human ops" must not apply to king custody or live OpenBao init.
NK-WP-0006 Recursive Platform Identity And Security Architecture Keep Already aligned with platform-root, OpenBao, and tenant boundary model. No retirement.
NK-WP-0007 Object Storage STS Credential Vending Keep Already prevents OpenBao root/admin authority from becoming storage policy. No retirement.
NK-WP-0011 Enterprise Federation And SAML Keep proposed Expanded-mode Keycloak should consume OpenBao and king-custody gates; no bootstrap ownership moves here.
NET-WP-0015 King Credential And OpenBao Identity Bootstrap Keep active Continues the concrete king credential, custody mode, OpenBao ceremony, and reopen work.
RAIL-PL-WP-0002 OpenBao Platform Secrets Service Keep active Updated stale human:tegwick root-custodian wording to the setup-operator plus king-credential model.
RAILIANCE-WP-0003 Apps PostgreSQL Shared Cluster Keep active Bootstrap DB role remains acceptable as platform substrate, but handover cleanup must rotate or review bootstrap-era credentials before live use.

Retired Assumptions

  • A day-to-day Gitea/email identity is not platform root of trust.
  • "Zero human ops" does not apply to king credential custody.
  • HashiCorp Vault is not the target runtime secret authority.
  • KeePassXC is optional personal/offline storage, not the canonical platform authority.
  • Temporary bootstrap credentials are not production credentials.

Current Canonical Path

  1. Low-trust setup operator assembles infrastructure.
  2. Guided bootstrap console shows stage, gates, next safe action, and local custody-mode approval.
  3. King credential kit is created or imported.
  4. OpenBao ceremony is run as a human-attended event.
  5. Root token is revoked or sealed offline.
  6. Bootstrap-era credentials and access paths are reset or rotated.
  7. Restore, audit, and scan/check gates pass.
  8. Platform reopens under king credential oversight.
  9. Multi-custodian control is added later without redesign.

Follow-Ups

  • NET-WP-0015 remains the active place for king credential creation and live OpenBao ceremony gates.
  • NET-WP-0016 remains closed; NET-WP-0015 now carries the live approval and OpenBao ceremony gates.
  • The first local web UI exists as the custody approval surface. Later product work should extend it into the full user, fabric, audit, and handover console only after the first ceremony has been exercised.
Reference in New Issue View Git Blame Copy Permalink