generated from coulomb/repo-seed
Add OpenBao authenticated proof runbook
@@ -165,6 +165,18 @@ remained ready. T02 remains open for the authenticated `bao audit list` proof,
|
||||
durable audit shipping beyond the audit PVC, restore-drill evidence, emergency
|
||||
seal/unseal drill evidence, and the next independent escrow holder.
|
||||
|
||||
**2026-06-01:** Added a Railiance evidence-only helper for the authenticated
|
||||
OpenBao proof: `make openbao-verify-authenticated` prompts for an approved
|
||||
OpenBao token without echoing it and verifies `file/` audit visibility,
|
||||
`platform/` secrets, `kubernetes/` auth, `keycape/` auth, and a non-empty audit
|
||||
log without mutating OpenBao configuration. The helper can also reuse a
|
||||
still-valid pod token helper with
|
||||
`OPENBAO_VERIFY_AUTH_ARGS=--use-token-helper`, avoiding token movement through
|
||||
the local shell. It is ready to run with the MFA-backed
|
||||
`platform-root`/`platform-admin` path. Durable audit shipping remains open; the
|
||||
audit PVC is not a durable sink and non-secret evidence hashes or State Hub
|
||||
notes are not substitutes for retained audit log custody.
|
||||
|
||||
### T03 - Close Trial Taint And Retire Bootstrap Admin Paths
|
||||
|
||||
```task
|
||||
|
||||
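Review bot: "a non-empty audit log" in the added 2026-06-01 entry is a weak proof criterion as worded, because a log that has stopped receiving entries is still non-empty. Consider requiring an audit entry that postdates the start of the verification run, and say so in this paragraph. The entry also names `OPENBAO_VERIFY_AUTH_ARGS=--use-token-helper` without saying how the "still-valid" state of the pod token helper is checked before reuse, and it calls the helper "ready to run" without stating where its evidence output is recorded, although the closing sentence rules out evidence hashes and State Hub notes as substitutes for retained audit log custody. A pointer to the intended evidence location would make the T02 status easier to audit.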