Record whynot OpenBao lane apply evidence

This commit is contained in:
2026-06-28 12:41:39 +02:00
parent 3ef25cb787
commit 271aa94642
8 changed files with 134 additions and 12 deletions


@@ -55,6 +55,9 @@ openbao:
method: oidc
mount: netkingdom
role: whynot-design-workload-kv-read
allowed_redirect_uris:
- https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
- http://localhost:8250/oidc/callback
user_claim: sub
groups_claim: groups
bound_claims:
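Review bot: the allowed_redirect_uris list added in this hunk is matched exactly by the OIDC auth method at login time, so each entry deserves a line of documentation. The http://localhost:8250/oidc/callback entry is the conventional listener that the CLI OIDC login opens on the operator's machine and is only reachable locally, but nothing here says so; add a comment stating it exists for operator CLI logins only, so a future reviewer does not read a plaintext http callback as a mistake. Also confirm the UI callback stays in step with the mount name: the entry `https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback` embeds `netkingdom`, which matches `mount: netkingdom` above, and a later mount rename would silently break UI logins with a redirect-URI error.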
@@ -91,6 +94,16 @@ verification:
- OIDC role bound to confirmed whynot-design claim or approved service account.
- Secret value provisioned directly in OpenBao through approved operator custody.
- Positive and negative verification recorded with non-secret audit ids or timestamps.
evidence:
- at: '2026-06-28T10:37:42+00:00'
actor: codex
kind: non_secret_openbao_apply_check
result: passed
details:
- Policy read succeeded for workload-kv-read-whynot-design-npm-publish.
- OIDC role read showed the whynot-design bound claim, read policy, and callback URIs.
- Metadata read showed catalog-id whynot-design-npm-publish.
- Secret field presence check found NPM_AUTH_TOKEN without printing or recording the value.
lifecycle:
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
rotate: Replace NPM_AUTH_TOKEN value directly in OpenBao and record non-secret rotation
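Review bot: the evidence entry added in this hunk does not yet satisfy the third verification item directly above it, "Positive and negative verification recorded with non-secret audit ids or timestamps." All four `details` lines are positive checks (policy read, role read, metadata read, field presence), and the entry carries a timestamp but no audit id. Add a negative check to the same entry, for example a read of the workload-kv-read-whynot-design-npm-publish path attempted through an identity without the whynot-design bound claim and confirmed denied, and record the corresponding non-secret audit request id alongside `at:`; if the negative check has not been run, record the entry as partial rather than `result: passed` so the lane is not marked verified on positive checks alone. The field presence line is written correctly in that it confirms NPM_AUTH_TOKEN exists without recording the value; keep that wording for the negative check too.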