Record OpenBao authenticated audit proof

2026-06-01 22:52:42 +02:00
parent dc4fe883a5
commit f6053f5c0b
1 changed files with 12 additions and 0 deletions
--- a/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md
+++ b/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md
@@ -177,6 +177,18 @@ the local shell. It is ready to run with the MFA-backed
 audit PVC is not a durable sink and non-secret evidence hashes or State Hub
 notes are not substitutes for retained audit log custody.

+**2026-06-01:** Completed the authenticated OpenBao proof through the
+MFA-backed KeyCape path without printing token material. A fresh
+`bao login -no-print -method=oidc -path=keycape role=platform-admin` browser
+flow cached the pod token helper, then `make openbao-verify-authenticated
+OPENBAO_VERIFY_AUTH_ARGS=--use-token-helper` passed. Evidence: OpenBao is
+unsealed on `2.5.4`, `file/` audit is visible, `platform/` secrets are visible,
+`kubernetes/` and `keycape/` auth methods are visible, and the audit log grew
+from 7969 bytes to 23330 bytes during the check. The cached verifier token was
+then revoked with `bao token revoke -self`. T02 remains open for durable audit
+shipping beyond the audit PVC, restore-drill evidence, emergency seal/unseal
+drill evidence, and the next independent escrow holder.
+
 ### T03 - Close Trial Taint And Retire Bootstrap Admin Paths

 ```task