net-kingdom/workplans/NK-WP-0009-netkingdom-security-pattern-tutorials.md

---
id: NK-WP-0009
type: workplan
title: NetKingdom Security Pattern Tutorials
domain: netkingdom
repo: net-kingdom
status: proposed
owner: codex
topic_slug: netkingdom
planning_priority: medium
planning_order: 9
created: 2026-05-17
updated: 2026-05-17
depends_on:
  - NK-WP-0008
state_hub_workstream_id: "66c9f1e9-6b2f-454b-a6d4-04e5fe42385a"
---

# NK-WP-0009 - NetKingdom Security Pattern Tutorials

## Goal

Build practical tutorials that show operators and developers how to
implement canonical NetKingdom security architecture patterns in
NetKingdom-enabled IT infrastructures.

Where NK-WP-0008 is the pattern library, this workplan is the hands-on
path: runnable examples, checklists, commands, manifests, verification
steps, and failure-mode exercises.

## Context

The platform needs more than architecture statements. A new deployment
should be able to answer:

- How do I issue identity tokens in lightweight mode versus expanded
  mode?
- How do I ask flex-auth for a resource decision?
- How do I vend temporary object-storage credentials?
- How do I deploy OpenBao and avoid secret zero traps?
- How do I use short-lived SSH certificates for agents and automations?
- How do I verify audit records and break-glass behavior?

Tutorials turn canonical patterns into repeatable implementation
practice without forcing every application repo to rediscover the same
steps.

## Scope

In scope:

- tutorial structure and style guide
- runnable or copy-pasteable examples
- local/dev and production variants where appropriate
- verification and rollback steps
- integration references to key-cape, flex-auth, ops-warden,
  ops-bridge, railiance-platform, and artifact-store

Out of scope:

- deploying live services directly from this repo
- replacing repo-specific operator runbooks
- hiding provider-specific security differences behind one generic
  command

## Tasks

```task
id: NK-WP-0009-T1
status: todo
priority: high
state_hub_task_id: "79150b07-f25d-4407-a118-e08b6e588d37"
```

Create a tutorial template with prerequisites, architecture context,
commands, manifests, verification, rollback, threat checks, and
cross-repo ownership notes.

```task
id: NK-WP-0009-T2
status: todo
priority: high
state_hub_task_id: "07647ba6-90e1-4569-947a-ebccce7a2d5e"
```

Write the first tutorial: "Vend temporary S3 credentials from a
NetKingdom identity token", covering key-cape/Keycloak identity,
flex-auth authorization, object-store STS exchange, and SDK consumer
configuration.

```task
id: NK-WP-0009-T3
status: todo
priority: high
state_hub_task_id: "0f34eda3-f1f3-4c49-9eba-36167b6c5ea9"
```

Write "Deploy OpenBao as the canonical secrets manager for a
NetKingdom-enabled Railiance platform", linking to the Railiance
Platform workplan and covering auth methods, secret engines, CSI/ESO
integration, leases, unseal, backup, and break-glass.

```task
id: NK-WP-0009-T4
status: todo
priority: medium
state_hub_task_id: "3c17d1ac-3232-43b4-b541-ea6538da2afb"
```

Write "Use short-lived SSH credentials for admins, agents, and
automations", using ops-warden and ops-bridge as the reference
implementation.

```task
id: NK-WP-0009-T5
status: todo
priority: medium
state_hub_task_id: "aff82173-0b8e-4216-855a-887ac68b63e0"
```

Write "Add a protected system to flex-auth", covering resource
manifests, action vocabulary, claim envelopes, policy packages,
decision envelopes, and delegated PDP options.

```task
id: NK-WP-0009-T6
status: todo
priority: medium
state_hub_task_id: "df427aa3-233f-4479-aed9-706676f8e87d"
```

Add tutorial verification fixtures or checklists so each tutorial has a
clear "done when" outcome and does not become prose-only guidance.

## Acceptance Criteria

- Tutorials are grouped under a stable docs path with a repeatable
  format.
- Each tutorial maps back to one or more NK-WP-0008 patterns.
- Tutorials name the owning repo for every concrete implementation
  step.
- Tutorials include verification and rollback guidance, not just happy
  path commands.