Record whynot OpenBao lane apply evidence
@@ -7,7 +7,7 @@ This is the next-session handoff for `CCR-2026-0001` and the
- CCR: `CCR-2026-0001`
- Decision: `e6381a56-6b04-4fd5-b2de-f3ef59cde888`
- Status: approved
- Status: approved; non-secret OpenBao apply checks passed 2026-06-28
- Front door: `template`, `resolvable=false`
- Catalog id: `whynot-design-npm-publish`
- Tenant/org: `coulomb`
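Review bot: the `Status:` line now packs verification evidence into the status value (`approved; non-secret OpenBao apply checks passed 2026-06-28`), so anything that matches `Status: approved` verbatim stops matching and the date is buried in a field that is meant to be an enumerated state. Keep `- Status: approved` as it was and record the evidence on its own line, for example `- Apply evidence: non-secret OpenBao apply checks passed 2026-06-28`, with a pointer to where the check output is kept so the next session can find it.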
@@ -18,9 +18,11 @@ This is the next-session handoff for `CCR-2026-0001` and the
`https://gitea.coulomb.social/api/packages/coulomb/npm/`
The operator reported that the Gitea token was generated and stored in OpenBao.
Codex could not verify the metadata from the current token-helper identity:
metadata lookup, policy read, and auth-role read all returned `403 permission
denied`. No secret value was read or printed.
Using the temporary operator token only for non-secret infrastructure work, Codex
confirmed that the policy exists, the OIDC role exists with the whynot-design
binding and redirect URIs, the secret metadata has the expected catalog id, and
the `NPM_AUTH_TOKEN` field is present. No secret value was printed, recorded,
or copied into Git, State Hub, chat, or workplans.
## Safety Rules
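Review bot: the evidence paragraph records that a temporary operator token was used for the checks but not that it was revoked afterwards, nor its TTL or accessor; an operator token that outlives the handoff is the one thing in this lane that can read the secret, so add a line stating it was revoked (and where the accessor is recorded). Two related points on the four checks: "confirmed ... the `NPM_AUTH_TOKEN` field is present" cannot be done from KV v2 metadata alone, because metadata carries versions and custom metadata, not the data keys, so the presence check necessarily read the secret data into the checking process; say how presence was confirmed (for example a `bao kv get -format=json` piped into a key-existence test) so that "no secret value was printed" is checkable against the method. And each of the four checks (policy exists, OIDC role with binding and redirect URIs, metadata catalog id, field present) should name the endpoint or command used, otherwise the next session cannot reproduce them without re-deriving the reads.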
@@ -94,6 +96,10 @@ Role payload:
```json
{
"role_type": "oidc",
"allowed_redirect_uris": [
"https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback",
"http://localhost:8250/oidc/callback"
],
"user_claim": "sub",
"groups_claim": "groups",
"bound_claims": {
@@ -111,6 +117,10 @@ role_payload_file="$(mktemp)"
trap 'rm -f "$role_payload_file"' EXIT
cat >"$role_payload_file" <<'JSON'
{
"allowed_redirect_uris": [
"https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback",
"http://localhost:8250/oidc/callback"
],
"bound_claims": {
"groups": [
"whynot-design"
@@ -181,7 +191,8 @@ Only after these are true:
- secret metadata confirmed;
- policy exists and is scoped to the corrected `coulomb/whynot-design` path;
- OIDC role exists and binds only `groups=["whynot-design"]`;
- OIDC role exists and binds only `groups=["whynot-design"]` with approved
browser and local CLI callback URIs;
- positive verification passed;
- negative verification passed;
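Review bot: the reworded bullet adds the callback URIs to the acceptance criteria, but the positive and negative verification bullets that follow still only exercise the claim binding, so the new criterion has no observable test. Add a negative check for the redirect list, for example an OIDC login against the same role with a callback port other than 8250, which must be rejected, and note the expected failure. While touching this bullet, "binds only `groups=["whynot-design"]`" should state that the bound claim uses the default exact string match, since a glob match type on the role would widen it without changing this line.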
@@ -35,6 +35,7 @@ Ops-warden batch follow-up:
| Policy file | `openbao/policies/workload-kv-read-whynot-design-npm-publish.hcl` |
| OIDC auth mount | `netkingdom` |
| OIDC role | `whynot-design-workload-kv-read` |
| OIDC callback URIs | `https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback`, `http://localhost:8250/oidc/callback` |
| Kubernetes auth role | `whynot-design-workload-kv-read` if an in-cluster service account consumes this lane |
| flex-auth ref | `secret.read:whynot-design` if tenant policy requires pre-approval |
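Review bot: with this row the callback URIs now live in four places (the handoff table, the documented role payload, the apply heredoc, and the lane doc); pick one canonical copy, preferably the apply script since it is the record of what was written, and have the table reference it rather than restate the list, otherwise the next change updates three copies and misses the fourth. The `Kubernetes auth role` row just below is conditional ("if an in-cluster service account consumes this lane") yet sits in the same table as applied values; mark it as not yet applied so the table is not read as evidence that the role exists.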
@@ -109,6 +110,14 @@ The role must attach only:
workload-kv-read-whynot-design-npm-publish
```
The OIDC role must include the browser and local CLI callback URIs accepted by
OpenBao:
```text
https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
http://localhost:8250/oidc/callback
```
The whynot-design pilot claim is confirmed as `groups=whynot-design`. Before
applying any changed role, re-confirm the KeyCape/NetKingdom claim that
identifies the whynot-design caller. The role must bind to that claim; do not
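Review bot: "The whynot-design pilot claim is confirmed as `groups=whynot-design`" records a conclusion without its evidence, yet the next sentence tells the following session to re-confirm it before applying any change; add who confirmed it, when, and against what (the NetKingdom group mapping for the client, or a decoded ID token with the subject redacted) so re-confirmation means comparing against a record rather than repeating the whole exercise. Also "the browser and local CLI callback URIs accepted by OpenBao" reads as if OpenBao dictates these two URIs; they are the list this role configures, so say "configured on the role" so the next operator does not treat them as fixed.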
@@ -154,9 +163,25 @@ Positive verification:
1. Authenticate as the whynot-design caller using the approved OIDC or
Kubernetes auth role.
2. Fetch the field in an attended session or through `warden access --fetch`.
2. Fetch the field in an attended session or through `warden access --exec`.
3. Record only that the fetch succeeded; do not record the value.
Safe attended command shape before the dedicated ops-warden catalog id is
activated:
```bash
set +x
bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read
warden access "npm token" \
--path platform/workloads/coulomb/whynot-design/npm-publish \
--field NPM_AUTH_TOKEN \
--no-policy \
--exec -- sh -lc 'test -n "$NPM_AUTH_TOKEN"'
```
Use `--no-policy` only while the local ops-warden config reports
`policy.enabled=false`; remove it once the flex-auth gate is enforced.
Negative verification:
1. Authenticate as a non-whynot identity.
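Review bot: `--exec -- sh -lc 'test -n "$NPM_AUTH_TOKEN"'` starts a login shell, which sources the operator's profile files with `NPM_AUTH_TOKEN` already in the environment; any `env` dump, `set -x`, or history hook in those files would expose the value that step 3 says must not be recorded. Drop `-l` and use `sh -c 'test -n "$NPM_AUTH_TOKEN"'` so nothing beyond the presence test runs with the secret in scope. The `set +x` on the first line only matters if xtrace was already on and does nothing for the child process, so the `-c` body is the real control and the note below the block should say so. Step 2's switch from `--fetch` to `--exec` matches the command shape, so step 3 can be precise: the evidence to record is the exit status of the exec, nothing else. The `--no-policy` caveat is right; add the command used to read `policy.enabled` so the operator checks it before passing the flag instead of assuming it.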