net-kingdom/SCOPE.md
tegwick 85a781b7a4 NET-WP-0020 finished: attended-ceremony + auto-unseal-transit profiles, greenfield init/unseal proof
T2: greenfield live proof against a fresh uninitialized OpenBao 2.5.5 —
caught and fixed 'bao operator unseal -' not reading stdin (now
'bao write sys/unseal key=-'); init and reseal-replay paths proven.
T3: attended-ceremony selectable — runbook, non-secret ceremony-record
template + validator, and a lab/production deployment profile that blocks
sops-held-automation in console selection, gates, and the init script.
T4: console gate + evidence flags for auto-unseal-transit (Helm seal stanza
prepared in railiance-platform).
Also: SCOPE.md refreshed to current repo state; adhoc fix for the broken
check-secrets Make target (unescaped $).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-02 22:08:33 +02:00

# SCOPE
> This file helps you quickly understand what this repository is about,
> when it is relevant, and when it is not.
> It is intentionally lightweight and may be incomplete.
---
## One-liner
Platform domain for NetKingdom identity and security services — owns the IAM Profile specification, SSO/MFA platform (Keycloak), and bootstrap local-identity infrastructure for Kubernetes deployments.
---
## Core Idea
NetKingdom is a self-optimizing security platform for Kubernetes-based IT infrastructure. This repo owns identity at the platform level: the NetKingdom IAM Profile specification (the versioned OIDC/PKCE contract all applications target), the enterprise Keycloak-based SSO/MFA platform, and a lightweight file-based local-identity service for bootstrap environments before the full cluster is available.
---
## In Scope
- NetKingdom IAM Profile specification (versioned OIDC/PKCE contract;
canonical spec: `canon/standards/iam-profile_v0.2.md`)
- SSO/MFA Platform: Keycloak with LDAP/Entra federation, enterprise identity (NK-WP-0001, finished)
- Local Identity: file-based user store + minimal OIDC server for bootstrap phase (NK-WP-0002, finished)
- User Engine Boundary Contract: source-of-truth, membership,
application-onboarding, projection, authorization, and audit contracts for
`user-engine` integration (`canon/standards/user-engine-boundary-contract_v0.1.md`)
- Security bootstrapping: credential management, SOPS/age integration,
platform-root custody, OpenBao runtime secret authority
- OpenBao init/unseal custody models (NET-WP-0020): `sops-held-automation`
(lab, unattended greenfield rebuilds via `creds-bootstrap-agent` Phase 7b),
`attended-ceremony` (production, runbook + non-secret evidence records), and
`auto-unseal-transit` (production HA; seal stanza lives in
railiance-platform) — all gated by the security bootstrap console and a
lab/production deployment profile
- Security bootstrap console (`tools/security-bootstrap-console/`): custody
gates, roster, evidence validators, refuse-live-init boundary
- Architectural decisions (DECISIONS.md): identity source, secrets, GitOps, bootstrap user store
---
## Out of Scope
- Kubernetes runtime concerns → railiance-cluster
- Platform services (PostgreSQL, storage, caches) → railiance-platform
- Application deployments → railiance-apps
- KeyCape implementation details → key-cape
---
## Relevant When
- Setting up identity for a NetKingdom/Railiance deployment
- Designing or using the guided security bootstrap experience
- Applications need OIDC authentication; deciding between lightweight (KeyCape) and expanded (Keycloak) modes
- Bootstrap scenario: cluster not yet available, need minimal OIDC for dev/test/sandbox
- Reviewing IAM Profile specification or architectural identity decisions
---
## Not Relevant When
- Infrastructure provisioning (use railiance-infra)
- Platform services configuration (use railiance-platform)
- Application-level auth code (use the IAM Profile spec as reference only)
---
## Current State
- Status: active — core identity and bootstrap phases delivered; follow-on work proposed
- Implementation: NK-WP-0001 (SSO/MFA), NK-WP-0002 (local identity), the
security bootstrap arc (NET-WP-0015 to 0017, 0019), the IAM Profile spec
(NK-WP-0012), user-engine boundary contracts (NK-WP-0014), and OpenBao
unseal custody + SSH automation (NET-WP-0020) are all finished — see
`workplans/archived/`
- Open: NK-WP-0009 (security pattern tutorials) and NK-WP-0011 (enterprise
federation / SAML) are proposed, not yet started
- Stability: stabilizing — bootstrap/custody tooling is live-proven (greenfield
OpenBao init/unseal proof 2026-07-02); production custody models are gated
by evidence
- Usage: foundational authentication layer for all NetKingdom deployments
---
## How It Fits
- Upstream dependencies: KeyCape (lightweight IAM implementation), Authelia, Keycloak, LLDAP, privacyIDEA
- Downstream consumers: railiance (all Railiance deployments), applications targeting the NetKingdom IAM Profile
- Often used with: key-cape (lightweight mode), railiance-platform (identity services integration), railiance-cluster (deployed on Kubernetes)
---
## Terminology
- Preferred terms: NetKingdom IAM Profile, local identity, SSO/MFA platform, bootstrap, lightweight mode, expanded mode
- Also known as: "net-kingdom"
- Potentially confusing terms: "local identity" = file-based bootstrap store (not a full LDAP); "SSO/MFA platform" = production Keycloak deployment
---
## Related / Overlapping
- `key-cape` — lightweight IAM implementation (KeyCape orchestrates Authelia+LLDAP+privacyIDEA)
- `railiance-platform` — net-kingdom identity services integrate at the platform services layer
---
## Provided Capabilities
```capability
type: security
title: NetKingdom IAM Profile specification
description: Versioned OIDC/PKCE contract that all NetKingdom applications target — canonical v0.2 defines discovery, PKCE, token, JWKS, tenant, principal-type, assurance, and flex-auth claim inputs.
keywords: [iam, oidc, pkce, profile, specification, identity, authentication]
```
```capability
type: security
title: SSO/MFA platform (Keycloak)
description: Enterprise-grade Keycloak-based SSO with LDAP/Entra federation, MFA, and full OIDC/PKCE support for production deployments.
keywords: [sso, mfa, keycloak, ldap, entra, federation, oidc, enterprise]
```
```capability
type: security
title: OpenBao unseal custody models and bootstrap automation
description: Three gated init/unseal custody models — SOPS-held automation for unattended lab rebuilds (greenfield-proven), attended ceremony with non-secret evidence records for production, and transit/KMS auto-unseal for production HA — enforced by the security bootstrap console and a lab/production deployment profile.
keywords: [openbao, unseal, custody, bootstrap, sops, age, ceremony, transit, auto-unseal, console]
```
```capability
type: security
title: Bootstrap local identity service
description: Minimal file-based OIDC server for environments where the full cluster is not yet available — covers dev, test, and sandbox bootstrapping scenarios.
keywords: [bootstrap, local-identity, oidc, minimal, dev, sandbox]
```
---
## Getting Oriented
- Start with: `wiki/` (specifications and decisions), `DECISIONS.md` (key architectural choices D1 to D5)
- Key files / directories: `docs/platform-root-custody.md`, `sso-mfa/`
(SSO/MFA platform + bootstrap scripts), `local-identity/`,
`tools/security-bootstrap-console/`, `workplans/` (finished plans in
`workplans/archived/`)
- Entry points: `workplans/NK-WP-0009-netkingdom-security-pattern-tutorials.md`
and `workplans/NK-WP-0011-enterprise-federation-saml.md` (proposed next
work); finished context in `workplans/archived/`
- User-domain boundary contract:
`canon/standards/user-engine-boundary-contract_v0.1.md`
- User-engine integration assessment (intent/scope fit, gaps, and recommendations):
`docs/user-engine-netkingdom-integration-assessment.md`
- Bootstrap/custody entry points:
`docs/platform-root-custody.md`,
`docs/security-bootstrap-use-cases.md`,
`docs/openbao-unseal-custody-models.md` (three custody models + deployment
profile), and `docs/openbao-attended-ceremony-runbook.md` (production
ceremony); history of the custody/bootstrap arc in `workplans/archived/`
(NET-WP-0015 to 0017, 0019) and
`workplans/NET-WP-0020-openbao-unseal-custody-and-ssh-automation.md`