# Security Bootstrap Related Workplan Review

Status: closeout review for `NET-WP-0016`
Date: 2026-05-24

## Purpose

This review closes `NET-WP-0016-T08`. It classifies related NetKingdom and
Railiance workplans after the guided security bootstrap experience became the
canonical operator-facing path.

## Review Results

| Workplan | Result | Action |
| --- | --- | --- |
| `NK-WP-0001` SSO/MFA Platform | Retired historical reference | Leave archived. Its HashiCorp Vault and single-credential language is historical only. Active paths are `NK-WP-0003`, `NK-WP-0011`, `RAIL-PL-WP-0002`, `NET-WP-0015`, and `NET-WP-0016`. |
| `NK-WP-0004` Credential Management Foundation | Keep as low-level bootstrap foundation | Added closeout note. SOPS/age and generated bundles remain useful substrate tooling, but the operator-facing path is now the guided bootstrap experience. |
| `NK-WP-0005` Agent-Driven Credential Bootstrap | Keep as automation substrate, supersede as product UX | Added closeout note. Agent automation remains useful, but "zero human ops" must not apply to king custody or live OpenBao init. |
| `NK-WP-0006` Recursive Platform Identity And Security Architecture | Keep | Already aligned with platform-root, OpenBao, and tenant boundary model. No retirement. |
| `NK-WP-0007` Object Storage STS Credential Vending | Keep | Already prevents OpenBao root/admin authority from becoming storage policy. No retirement. |
| `NK-WP-0011` Enterprise Federation And SAML | Keep proposed | Expanded-mode Keycloak should consume OpenBao and king-custody gates; no bootstrap ownership moves here. |
| `NET-WP-0015` King Credential And OpenBao Identity Bootstrap | Keep active | Continues the concrete king credential, custody mode, OpenBao ceremony, and reopen work. |
| `RAIL-PL-WP-0002` OpenBao Platform Secrets Service | Keep active | Updated stale `human:tegwick` root-custodian wording to the setup-operator plus king-credential model. |
| `RAILIANCE-WP-0003` Apps PostgreSQL Shared Cluster | Keep active | Bootstrap DB role remains acceptable as platform substrate, but handover cleanup must rotate or review bootstrap-era credentials before live use. |

## Retired Assumptions

- A day-to-day Gitea/email identity is not platform root of trust.
- "Zero human ops" does not apply to king credential custody.
- HashiCorp Vault is not the target runtime secret authority.
- KeePassXC is optional personal/offline storage, not the canonical platform
  authority.
- Temporary bootstrap credentials are not production credentials.

## Current Canonical Path

1. Low-trust setup operator assembles infrastructure.
2. Guided bootstrap console shows stage, gates, next safe action, and local
   custody-mode approval.
3. King credential kit is created or imported.
4. OpenBao ceremony is run as a human-attended event.
5. Root token is revoked or sealed offline.
6. Bootstrap-era credentials and access paths are reset or rotated.
7. Restore, audit, and scan/check gates pass.
8. Platform reopens under king credential oversight.
9. Multi-custodian control is added later without redesign.

## Follow-Ups

- `NET-WP-0015` remains the active place for king credential creation and live
  OpenBao ceremony gates.
- `NET-WP-0016` remains closed; `NET-WP-0015` now carries the live approval and
  OpenBao ceremony gates.
- The first local web UI exists as the custody approval surface. Later product
  work should extend it into the full user, fabric, audit, and handover console
  only after the first ceremony has been exercised.