net-kingdom/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md


id: NET-WP-0017
type: workplan
title: IT Security Readiness For User Onboarding
domain: netkingdom
repo: net-kingdom
status: active
owner: codex
topic_slug: netkingdom
created: 2026-05-26
updated: 2026-05-29
depends_on: NET-WP-0015, NET-WP-0016, RAIL-PL-WP-0002
state_hub_workstream_id: 385de708-fd59-4bab-a4f4-28c1c476b3ea

NET-WP-0017 - IT Security Readiness For User Onboarding

Goal

Finish the remaining NetKingdom and Railiance security setup needed before ordinary platform users, tenant admins, or fabric admins are onboarded.

NET-WP-0015 established the king credential, OpenBao bootstrap ceremony, and guided control surface. This workplan is the narrower finish-line plan: routine admin access must use NetKingdom identity, bootstrap-era material must be retired or explicitly accepted, audit/recovery posture must be credible, and a first non-root onboarding dry run must prove the lifecycle model.

Current Evidence

  • platform-root exists in LLDAP, belongs to net-kingdom-admins, has MFA, and completed KeyCape OIDC login.
  • Railiance OpenBao is initialized, unsealed, and post-unseal verified.
  • OpenBao initial configuration was applied; platform/ KV and Kubernetes auth exist.
  • The initial OpenBao root token is recorded as revoked.
  • Trial unseal shares were rotated.
  • The KeyCape openbao-admin client is live and verified, including the public https://kc.coulomb.social route and certificate.
  • OpenBao OIDC auth configuration is applied; MFA-backed OpenBao admin login is still pending.
  • Declarative/durable audit handling, residual taint closeout, cleanup/rotation, and the first ordinary-user onboarding dry run are still pending.

Tasks

T01 - Finish OIDC-Backed OpenBao Admin Login

id: NET-WP-0017-T01
status: in_progress
priority: high
state_hub_task_id: "9b087bbd-631b-4316-b94d-a8265a05b065"

Run the fixed OpenBao OIDC helper, record the non-secret completion flag, then verify platform-root can complete:

bao login -method=oidc -path=keycape role=platform-admin

The verification must prove the resulting OpenBao token has the intended platform-admin policy without relying on the initial root token or a manually minted temporary operator token.

2026-05-29: DNS and ACME issuance for kc.coulomb.social are healthy: cert-manager issued kc-tls, and sso-mfa/k8s/keycape/verify-openbao-client.sh passes against the live KeyCape route. configure-openbao-oidc.sh has applied the OpenBao auth/keycape OIDC configuration and platform-admin role. The remaining T01 gate is the human browser login with MFA and a token lookup that shows the expected OpenBao platform-admin policy.
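As an added example (not part of the workplan or the NetKingdom project), the following POSIX shell helper checks the JSON from `bao token lookup -format=json` against the T01 gate: the token's policies include platform-admin, it does not carry the root policy, and it was issued under the auth/keycape/ mount rather than under auth/token/ (where the initial root token and any hand-minted operator token live). It assumes the mount name keycape from the login command above, the policy name platform-admin, pretty-printed JSON as bao emits it, and an OIDC-callback issue path; the two sample lookups are constructed inline.

```shell
#!/bin/sh
# Added example: verify a `bao token lookup -format=json` result for the T01 gate.
# Not part of the workplan. Assumptions: the OIDC auth mount is "keycape" (from the
# login command in T01), the expected policy is "platform-admin", and the JSON is
# pretty-printed one field per line, as `bao ... -format=json` emits it.

# Print the "policies" array (the lines from the key to its closing bracket).
token_policies() {
  sed -n '/"policies"[[:space:]]*:/,/\]/p' "$1"
}

# Return 0 only if the token (a) carries platform-admin, (b) does not carry root,
# and (c) was issued under auth/keycape/ rather than auth/token/ (root or minted).
check_admin_token() {
  f="$1"
  if ! token_policies "$f" | grep -q '"platform-admin"'; then
    echo "FAIL: platform-admin policy missing"; return 1
  fi
  if token_policies "$f" | grep -q '"root"'; then
    echo "FAIL: token carries the root policy"; return 1
  fi
  if ! grep -q '"path"[[:space:]]*:[[:space:]]*"auth/keycape/' "$f"; then
    echo "FAIL: token was not issued by the keycape OIDC mount"; return 1
  fi
  echo "OK: OIDC-issued token with platform-admin policy"
}

# Constructed sample lookups (no real tokens, accessors or request ids).
SAMPLE_DIR=$(mktemp -d)
OIDC_TOKEN_JSON="$SAMPLE_DIR/oidc-token.json"
MINTED_TOKEN_JSON="$SAMPLE_DIR/minted-token.json"

# Token obtained via `bao login -method=oidc -path=keycape role=platform-admin`.
# The exact "path" suffix is assumed; only the auth/keycape/ prefix is checked.
cat > "$OIDC_TOKEN_JSON" <<'EOF'
{
  "request_id": "constructed-0001",
  "data": {
    "accessor": "constructed-accessor-1",
    "display_name": "keycape-platform-root",
    "path": "auth/keycape/oidc/callback",
    "policies": [
      "default",
      "platform-admin"
    ],
    "type": "service"
  }
}
EOF

# A temporary operator token minted by hand: same policy, wrong provenance.
cat > "$MINTED_TOKEN_JSON" <<'EOF'
{
  "request_id": "constructed-0002",
  "data": {
    "accessor": "constructed-accessor-2",
    "display_name": "token",
    "path": "auth/token/create",
    "policies": [
      "default",
      "platform-admin"
    ],
    "type": "service"
  }
}
EOF

# Real use: bao token lookup -format=json > lookup.json && check_admin_token lookup.json
check_admin_token "$OIDC_TOKEN_JSON"
check_admin_token "$MINTED_TOKEN_JSON" || echo "(expected: minted token rejected)"
```

The provenance check is what distinguishes a passing T01 from a token that merely has the right policy: a hand-minted token under auth/token/create would satisfy a policy-only check, which is exactly the shortcut the gate rules out.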

T02 - Close OpenBao Audit And Recovery Production Gates

id: NET-WP-0017-T02
status: todo
priority: high
state_hub_task_id: "909944bd-843a-4a63-8c87-536cea052a88"

Resolve the remaining OpenBao production-trust gates:

  • configure audit declaratively if API-managed audit remains rejected;
  • confirm where audit logs are durably shipped beyond the audit PVC;
  • retain non-secret restore-drill evidence and repeat the drill if any material changed;
  • record emergency seal/unseal drill evidence; and
  • identify the next independent escrow holder for moving beyond temporary single-king custody.

T03 - Close Trial Taint And Retire Bootstrap Admin Paths

id: NET-WP-0017-T03
status: todo
priority: high
state_hub_task_id: "a6cd4325-8f3b-46bb-b810-ca816c35cb29"

Review all access paths created during the trial exposure and record the compromise response as complete only after the operator has rotated, revoked, reset, or explicitly accepted residual risk for each of:

  • temporary OpenBao platform-admin tokens;
  • bootstrap/root-token-derived paths;
  • early LLDAP/Authelia/KeyCape admin credentials;
  • local plaintext secret workspaces;
  • bootstrap service tokens; and
  • any copied command output or local shell history that may contain secret values.

T04 - Harden Bootstrap Infrastructure Before User Onboarding

id: NET-WP-0017-T04
status: todo
priority: high
state_hub_task_id: "12c31f76-68f4-4d2b-853a-f3185cfc761c"

Complete the minimum hardening before ordinary users are onboarded:

  • restrict direct administrative access to LLDAP and privacyIDEA to approved operator networks or tunnels;
  • verify no privileged login path bypasses MFA for platform-admin authority;
  • rotate or reset bootstrap-era database, admin, and service credentials that were created before custody was established;
  • confirm host/workload checks and vulnerability scans are run or explicitly deferred with owner/date; and
  • update the bootstrap console state to cleanup_complete only when these checks are recorded.

T05 - Implement First User Lifecycle Operator Flow

id: NET-WP-0017-T05
status: todo
priority: high
state_hub_task_id: "aec3ac45-18be-4b04-a863-0c8c70693739"

Turn the documented user lifecycle UX into the first practical operator flow for:

  • onboarding a scoped non-root user;
  • temporarily locking that user;
  • permanently offboarding that user;
  • reviewing credentials and MFA state; and
  • creating a fabric/tenant admin without platform-root authority.

The flow can begin as console/UI action cards, but it must show effective access before saving and must not expose secrets.

T06 - Run A Non-Root Onboarding Dry Run

id: NET-WP-0017-T06
status: todo
priority: high
state_hub_task_id: "c149b2f0-c9ee-4c95-a1df-b25ed0d20579"

Create a test or first real non-root user using the new lifecycle flow. Verify:

  • LLDAP identity and groups;
  • MFA enrollment through privacyIDEA;
  • KeyCape OIDC claims;
  • expected application or platform scope;
  • no platform-root or OpenBao root authority;
  • lock/offboard path can be exercised or simulated; and
  • non-secret audit/progress evidence is recorded.

This is the final gate before declaring the platform ready for normal user onboarding.

T07 - Review And Retire Superseded Bootstrap Workplans

id: NET-WP-0017-T07
status: todo
priority: medium
state_hub_task_id: "e9ceafb2-14c0-4352-9ac7-e31628feb045"

After T01-T06 complete, review NET-WP-0015, NET-WP-0016, RAIL-PL-WP-0002, and older NetKingdom credential/bootstrap workplans. Mark completed work finished or archived, and leave only longer-horizon items such as multi-custodian upgrade, enterprise federation, dynamic database credentials, object-storage STS vending, and application onboarding contracts.

Acceptance Criteria

  • Routine OpenBao administration works through NetKingdom/KeyCape OIDC and MFA.
  • The initial root token and temporary OpenBao admin tokens are not normal operating paths.
  • Audit, recovery, emergency seal, and restore evidence are recorded without secret values.
  • Bootstrap-era privileged credentials have been rotated, reset, revoked, or explicitly accepted as residual risk.
  • A non-root user onboarding dry run succeeds and proves lock/offboard/review paths.
  • The bootstrap console can honestly move beyond Admin Identity Integration into cleanup and reopening.