# Security Bootstrap Handover And Cleanup

Status: draft UX contract
Date: 2026-05-24

## Purpose

This document defines the post-king handover cleanup and reopen gates. It is
the product contract for `NET-WP-0016-T07`.

The platform can be assembled in MVP/prototype mode, but it should not be
treated as clean until bootstrap-era credentials, databases, tokens, and access
paths have been reviewed and reset or rotated.

## Handover Goal

The handover proves that:

- the king credential controls platform-root recovery;
- day-to-day setup access is scoped and revocable;
- OpenBao root-token disposition is known;
- bootstrap-era material has been reset or rotated;
- backups and restore work; and
- the platform can reopen under explicit custody.

## Cleanup Checklist

| Area | Required action |
| --- | --- |
| Gitea/admin accounts | Review admins, remove stale accounts, require MFA where available |
| IAM users | Review setup users, platform admins, tenant admins, and reviewers |
| Databases | Reset bootstrap passwords and rotate app credentials |
| OpenBao | Revoke or seal root token, verify non-root admin path, review policies |
| Kubernetes | Review service accounts, tokens, namespaces, and privileged bindings |
| SSH/access | Review keys, remove unknown keys, rotate setup access where needed |
| SOPS/age | Review recipients and emergency bundle handling |
| State Hub | Record non-secret decisions, progress, and remaining gates |
| Backups | Take snapshot and run restore drill before live secrets |
| Audit | Confirm durable audit routing or documented interim custody |
| Scans | Run host/workload checks available for the current environment |

## Reopen Gates

The platform may be marked reopened only when:

- king credential kit is complete;
- OpenBao is initialized and unsealed or approved for the next seal posture;
- root token is revoked or offline-sealed;
- non-root platform admin path exists;
- bootstrap databases and admin credentials are reset or rotated;
- no unknown platform admins remain;
- backup snapshot exists;
- restore drill has passed;
- audit handling is known;
- user lifecycle paths are documented; and
- remaining risk exceptions are listed with owners and dates.

## UX Shape

The handover screen should be a checklist with evidence rows:

```text
HANDOVER

Stage
S4 - Cleanup and hardening

Blocked
- Reopen platform: restore drill missing
- Live secrets: root-token disposition deferred

Evidence
- King credential kit: complete
- OpenBao preflight: passed
- Non-root admin path: pending
```

The UI should avoid a celebratory "complete" state. It should say "reopened
under custody" and list any remaining exceptions.

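
As an added example, not part of this contract or the platform's own code: a small gate evaluator that encodes the reopen gates listed above and renders the handover shape from this section, refusing a risk exception that has no owner or date and never emitting a "complete" state. The gate keys, the `RiskException` fields and the function names are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date

# The reopen gates from this contract; the short keys are this example's own.
REOPEN_GATES = {
    "king_kit": "king credential kit is complete",
    "openbao_posture": "OpenBao is initialized and unsealed or approved for the next seal posture",
    "root_token": "root token is revoked or offline-sealed",
    "nonroot_admin": "non-root platform admin path exists",
    "bootstrap_creds": "bootstrap databases and admin credentials are reset or rotated",
    "no_unknown_admins": "no unknown platform admins remain",
    "backup_snapshot": "backup snapshot exists",
    "restore_drill": "restore drill has passed",
    "audit_handling": "audit handling is known",
    "user_lifecycle": "user lifecycle paths are documented",
}

@dataclass(frozen=True)
class RiskException:
    description: str
    owner: str
    due: str  # ISO date; an exception without owner and date is not accepted

def evaluate_reopen(evidence: dict, exceptions: list) -> dict:
    """Decide the handover state from gate evidence and listed risk exceptions.

    evidence maps a gate key to True (proven) or False (failed/pending); a gate
    with no evidence row counts as not proven. Every exception needs an owner
    and a parseable date, otherwise the last gate of the contract fails too.
    """
    for ex in exceptions:
        if not ex.owner.strip():
            raise ValueError(f"risk exception has no owner: {ex.description}")
        date.fromisoformat(ex.due)  # raises ValueError on a missing or bad date
    blocked = [label for key, label in REOPEN_GATES.items()
               if not evidence.get(key, False)]
    # No celebratory "complete" state: the only positive outcome is "reopened
    # under custody", and remaining exceptions stay visible either way.
    state = "blocked" if blocked else "reopened under custody"
    return {"state": state, "blocked": blocked, "exceptions": list(exceptions)}

def render_handover(result: dict) -> str:
    """Render the evidence-row checklist shape from the UX Shape section."""
    lines = ["HANDOVER", "", f"State: {result['state']}"]
    if result["blocked"]:
        lines += ["", "Blocked"] + [f"- Reopen platform: {b}" for b in result["blocked"]]
    if result["exceptions"]:
        lines += ["", "Exceptions"] + [f"- {e.description} (owner: {e.owner}, due: {e.due})"
                                       for e in result["exceptions"]]
    return "\n".join(lines)
```
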
## Related Workplan Review

When `NET-WP-0016` closes, review related security and bootstrap workplans for
stale assumptions:

- `NET-WP-0015` for king credential and custody status;
- `NK-WP-0001` for older Vault and admin bootstrap language;
- `NK-WP-0004` for credential-management foundation alignment;
- `NK-WP-0005` for agent-driven bootstrap boundaries;
- `NK-WP-0006` for platform-root architecture language;
- `NK-WP-0007` for OpenBao and STS responsibility split;
- `NK-WP-0011` for future expanded-mode identity;
- `RAIL-PL-WP-0002` for OpenBao live ceremony gates; and
- any SSO/MFA bootstrap scripts that still assume MVP credentials are final.

Each review should result in one of:

- keep as-is;
- update stale language;
- add follow-up task;
- mark superseded; or
- archive/retire if the workplan is now represented by the guided bootstrap experience.