net-kingdom/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md

id, type, title, domain, repo, status, owner, topic_slug, created, updated, depends_on

id	type	title	domain	repo	status	owner	topic_slug	created	updated	depends_on
NET-WP-0017	workplan	IT Security Readiness For User Onboarding	netkingdom	net-kingdom	active	codex	netkingdom	2026-05-26	2026-05-26	NET-WP-0015 NET-WP-0016 RAIL-PL-WP-0002

NET-WP-0017 - IT Security Readiness For User Onboarding

Goal

Finish the remaining NetKingdom and Railiance security setup needed before ordinary platform users, tenant admins, or fabric admins are onboarded.

NET-WP-0015 established the king credential, OpenBao bootstrap ceremony, and guided control surface. This workplan is the narrower finish-line plan: routine admin access must use NetKingdom identity, bootstrap-era material must be retired or explicitly accepted, audit/recovery posture must be credible, and a first non-root onboarding dry run must prove the lifecycle model.

Current Evidence

• platform-root exists in LLDAP, belongs to net-kingdom-admins, has MFA, and completed KeyCape OIDC login.
• Railiance OpenBao is initialized, unsealed, and post-unseal verified.
• OpenBao initial configuration was applied; platform/ KV and Kubernetes auth exist.
• The initial OpenBao root token is recorded as revoked.
• Trial unseal shares were rotated.
• The KeyCape openbao-admin client is live and verified.
• OpenBao OIDC auth configuration and MFA-backed OpenBao admin login are still pending.
• Declarative/durable audit handling, residual taint closeout, cleanup/rotation, and the first ordinary-user onboarding dry run are still pending.

Tasks

T01 - Finish OIDC-Backed OpenBao Admin Login

id: NET-WP-0017-T01
status: in_progress
priority: high

Run the fixed OpenBao OIDC helper, record the non-secret completion flag, then verify platform-root can complete:

bao login -method=oidc -path=keycape role=platform-admin

The verification must prove the resulting OpenBao token has the intended platform-admin policy without relying on the initial root token or a manually minted temporary operator token.

T02 - Close OpenBao Audit And Recovery Production Gates

id: NET-WP-0017-T02
status: todo
priority: high

Resolve the remaining OpenBao production-trust gates:

• configure audit declaratively if API-managed audit remains rejected;
• confirm where audit logs are durably shipped beyond the audit PVC;
• retain non-secret restore-drill evidence and repeat the drill if any material changed;
• record emergency seal/unseal drill evidence; and
• identify the next independent escrow holder for moving beyond temporary single-king custody.

T03 - Close Trial Taint And Retire Bootstrap Admin Paths

id: NET-WP-0017-T03
status: todo
priority: high

Review all access paths created during the trial exposure and record the compromise response complete only after the operator has either rotated, revoked, reset, or explicitly accepted residual risk for:

• temporary OpenBao platform-admin tokens;
• bootstrap/root-token-derived paths;
• early LLDAP/Authelia/KeyCape admin credentials;
• local plaintext secret workspaces;
• bootstrap service tokens; and
• any copied command output or local shell history that may contain secret values.

T04 - Harden Bootstrap Infrastructure Before User Onboarding

id: NET-WP-0017-T04
status: todo
priority: high

Complete the minimum hardening before ordinary users are onboarded:

• restrict direct administrative access to LLDAP and privacyIDEA to approved operator networks or tunnels;
• verify no privileged login path bypasses MFA for platform-admin authority;
• rotate or reset bootstrap-era database, admin, and service credentials that were created before custody was established;
• confirm host/workload checks and vulnerability scans are run or explicitly deferred with owner/date; and
• update the bootstrap console state to cleanup_complete only when these checks are recorded.

T05 - Implement First User Lifecycle Operator Flow

id: NET-WP-0017-T05
status: todo
priority: high

Turn the documented user lifecycle UX into the first practical operator flow for:

• onboarding a scoped non-root user;
• temporarily locking that user;
• permanently offboarding that user;
• reviewing credentials and MFA state; and
• creating a fabric/tenant admin without platform-root authority.

The flow can begin as console/UI action cards, but it must show effective access before saving and must not expose secrets.

T06 - Run A Non-Root Onboarding Dry Run

id: NET-WP-0017-T06
status: todo
priority: high

Create a test or first real non-root user using the new lifecycle flow. Verify:

• LLDAP identity and groups;
• MFA enrollment through privacyIDEA;
• KeyCape OIDC claims;
• expected application or platform scope;
• no platform-root or OpenBao root authority;
• lock/offboard path can be exercised or simulated; and
• non-secret audit/progress evidence is recorded.

This is the final gate before declaring the platform ready for normal user onboarding.

T07 - Review And Retire Superseded Bootstrap Workplans

id: NET-WP-0017-T07
status: todo
priority: medium

After T01-T06 complete, review NET-WP-0015, NET-WP-0016, RAIL-PL-WP-0002, and older NetKingdom credential/bootstrap workplans. Mark completed work finished or archived, and leave only longer-horizon items such as multi-custodian upgrade, enterprise federation, dynamic database credentials, object-storage STS vending, and application onboarding contracts.

Acceptance Criteria

• Routine OpenBao administration works through NetKingdom/KeyCape OIDC and MFA.
• The initial root token and temporary OpenBao admin tokens are not normal operating paths.
• Audit, recovery, emergency seal, and restore evidence are recorded without secret values.
• Bootstrap-era privileged credentials have been rotated, reset, revoked, or explicitly accepted as residual risk.
• A non-root user onboarding dry run succeeds and proves lock/offboard/review paths.
• The bootstrap console can honestly move beyond Admin Identity Integration into cleanup and reopening.