diff --git a/tools/security-bootstrap-console/security_bootstrap_console.py b/tools/security-bootstrap-console/security_bootstrap_console.py
index 95e5863..5bde744 100755
--- a/tools/security-bootstrap-console/security_bootstrap_console.py
+++ b/tools/security-bootstrap-console/security_bootstrap_console.py
@@ -1849,6 +1849,12 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
 audit_list_command = token_prompt_command("bao audit list")
 secrets_list_command = token_prompt_command("bao secrets list")
 auth_list_command = token_prompt_command("bao auth list")
+ authenticated_readiness_command = (
+ "make -C ../railiance-platform openbao-verify-authenticated\n\n"
+ "# If a previous attended OIDC login stored a still-valid token in the pod helper, use:\n"
+ "make -C ../railiance-platform openbao-verify-authenticated "
+ "OPENBAO_VERIFY_AUTH_ARGS=--use-token-helper"
+ )
 platform_admin_token_command = token_prompt_command(
 "bao token create -policy=platform-admin -period=24h -orphan"
 )
@@ -1958,6 +1964,12 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
 auth_list_command,
 downstream_taint,
 ),
+ action(
+ "OpenBao authenticated readiness proof",
+ "Run the Railiance evidence-only verifier for file audit, platform secrets, Kubernetes auth, KeyCape auth, and audit-log write state. The default path prompts for a token without echoing it; the token-helper variant avoids local token movement when a valid pod helper token already exists.",
+ authenticated_readiness_command,
+ downstream_taint,
+ ),
 action(
 "Create platform-admin token",
 "Create a renewable 24-hour non-root OpenBao token with the platform-admin policy. The emitted token is secret; store it immediately through the approved operator secret path.",
diff --git a/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md b/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md
index 1f4f9c1..0c17d60 100644
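Review bot: `authenticated_readiness_command` hard-codes `make -C ../railiance-platform ...`, a path relative to whatever directory the operator runs the console from, whereas the sibling `bao audit list` / `bao secrets list` / `bao auth list` payloads built with `token_prompt_command` work from any cwd. Unless the console pins its working directory elsewhere (not visible in this hunk), running from a different checkout layout fails with a make "No such file or directory" error that reads like a missing target rather than a wrong location. Since the string is emitted as operator guidance, the cheapest fix is to state the assumption in the payload itself, e.g. add `"# Run from the repository root; assumes the railiance-platform checkout is a sibling directory.\n"` as the first line of the string, or hoist the path into one module constant so both `make -C` occurrences change together. The enclosing `runbook_command_payloads` starts and ends outside this hunk.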
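Review bot: The new action's description asserts that "the default path prompts for a token without echoing it", but nothing in this hunk enforces that — the command bypasses the console's own `token_prompt_command` wrapper and relies entirely on the external `openbao-verify-authenticated` make target, so the no-echo guarantee is only as strong as that other repository's implementation. The `--use-token-helper` sentence also omits the caveat a practitioner needs: the cached helper token carries whatever policies and remaining TTL the earlier OIDC login produced, so the readiness evidence and any audit entries are attributed to that cached identity, and a policy shortfall would presumably surface as verifier failures rather than as an auth-scope error (I cannot see the verifier to confirm). I would extend the description with one sentence along the lines of `"...when a valid pod helper token already exists; confirm that cached token holds the policy the verifier expects and record which auth path produced the evidence."`. The enclosing `runbook_command_payloads` starts and ends outside this hunk.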
--- a/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md +++ b/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md @@ -165,6 +165,18 @@ remained ready. T02 remains open for the authenticated `bao audit list` proof, durable audit shipping beyond the audit PVC, restore-drill evidence, emergency seal/unseal drill evidence, and the next independent escrow holder. +**2026-06-01:** Added a Railiance evidence-only helper for the authenticated +OpenBao proof: `make openbao-verify-authenticated` prompts for an approved +OpenBao token without echoing it and verifies `file/` audit visibility, +`platform/` secrets, `kubernetes/` auth, `keycape/` auth, and a non-empty audit +log without mutating OpenBao configuration. The helper can also reuse a +still-valid pod token helper with +`OPENBAO_VERIFY_AUTH_ARGS=--use-token-helper`, avoiding token movement through +the local shell. It is ready to run with the MFA-backed +`platform-root`/`platform-admin` path. Durable audit shipping remains open; the +audit PVC is not a durable sink and non-secret evidence hashes or State Hub +notes are not substitutes for retained audit log custody. + ### T03 - Close Trial Taint And Retire Bootstrap Admin Paths ```task