Add OpenBao authenticated proof runbook

2026-06-01 22:46:15 +02:00
parent 1f09e6dcae
commit dc4fe883a5
2 changed files with 24 additions and 0 deletions
--- a/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md
+++ b/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md
@@ -165,6 +165,18 @@ remained ready. T02 remains open for the authenticated `bao audit list` proof,
 durable audit shipping beyond the audit PVC, restore-drill evidence, emergency
 seal/unseal drill evidence, and the next independent escrow holder.

+**2026-06-01:** Added a Railiance evidence-only helper for the authenticated
+OpenBao proof: `make openbao-verify-authenticated` prompts for an approved
+OpenBao token without echoing it and verifies `file/` audit visibility,
+`platform/` secrets, `kubernetes/` auth, `keycape/` auth, and a non-empty audit
+log without mutating OpenBao configuration. The helper can also reuse a
+still-valid pod token helper with
+`OPENBAO_VERIFY_AUTH_ARGS=--use-token-helper`, avoiding token movement through
+the local shell. It is ready to run with the MFA-backed
+`platform-root`/`platform-admin` path. Durable audit shipping remains open; the
+audit PVC is not a durable sink and non-secret evidence hashes or State Hub
+notes are not substitutes for retained audit log custody.
+
 ### T03 - Close Trial Taint And Retire Bootstrap Admin Paths

 ```task