Record whynot OpenBao lane apply evidence
@@ -4,13 +4,13 @@ type: workplan
title: "Workload KV Access Lanes for ops-warden Fetch"
domain: financials
repo: railiance-platform
status: blocked
status: active
owner: codex
topic_slug: railiance
planning_priority: high
planning_order: 6
created: "2026-06-27"
updated: "2026-06-27"
updated: "2026-06-28"
depends_on_workplans:
- RAIL-PL-WP-0002
- RAILIANCE-WP-0004
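Review bot: the frontmatter flips `status: blocked` to `status: active` while later hunks in this same commit leave T05 and T06 at `progress` and state that caller verification still gates `active`/`ready`; if the workplan's `status: active` means only that the plan is unblocked and not that the access lane is live, add a one-line note to that effect (or use a different value) so the two meanings of `active` are not conflated. The `updated` bump to `2026-06-28` is consistent with the dated entries added below.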
@@ -152,11 +152,15 @@ denied with `403 permission denied` while writing the policy, so live policy
application waits on an approved platform-admin/operator token or a narrow
token-helper capability.
**2026-06-28:** Using the temporary operator token provided outside the repo,
Codex applied/confirmed the live policy in OpenBao. The verification read of the
policy succeeded and no secret values were printed or recorded.
## T03 - Define and apply auth bindings
```task
id: RAILIANCE-WP-0006-T03
status: wait
status: done
priority: high
state_hub_task_id: "a217371a-0f85-40c6-b691-ac67834c86b5"
```
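Review bot: the 2026-06-28 entry records that a temporary operator token "provided outside the repo" was used but says nothing about what happened to it afterwards; since the preceding text conditions the apply on either an approved platform-admin/operator token or a narrow token-helper capability, the evidence should name which approval path this was and state that the temporary token was revoked or had expired once the policy write and verification read completed. Recording the policy name that was read back would also make "the verification read of the policy succeeded" reproducible. The T03 `status: done` flip here lands before its evidence, which is in the next hunk; fine, as long as both stay in the same commit.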
@@ -181,11 +185,17 @@ Acceptance:
of the KeyCape/NetKingdom whynot-design bound claim or approved service-account
subject; do not create an unbounded OIDC role.
**2026-06-28:** Created/confirmed
`auth/netkingdom/role/whynot-design-workload-kv-read` with
`groups=["whynot-design"]`, only the
`workload-kv-read-whynot-design-npm-publish` policy, `ttl=15m`, and the approved
browser/local CLI callback URIs.
## T04 - Provision the KV path without exposing the token
```task
id: RAILIANCE-WP-0006-T04
status: wait
status: done
priority: high
state_hub_task_id: "c43724a3-c83e-4ab6-b7d1-e427fd93a9a9"
```
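Review bot: "Created/confirmed" leaves it unclear whether the role already existed before this apply; the evidence should say which. The binding `groups=["whynot-design"]` does satisfy the acceptance requirement of a bound claim and no unbounded role, but "the approved browser/local CLI callback URIs" is not verifiable from the workplan: list the exact redirect URIs or point at where the approved list is recorded, and note whether a maximum TTL is enforced in addition to `ttl=15m`, since the 15m figure alone says nothing about renewal.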
@@ -208,11 +218,17 @@ Acceptance:
provisioning is waiting on an approved operator/OpenBao custody path for the
actual `NPM_AUTH_TOKEN` value.
**2026-06-28:** Confirmed the OpenBao metadata at
`platform/workloads/coulomb/whynot-design/npm-publish` includes
`catalog-id=whynot-design-npm-publish` and that the `NPM_AUTH_TOKEN` field is
present. The value was not printed, recorded, or copied into Git, State Hub,
chat, or workplans.
## T05 - Verify caller-scoped fetch behavior
```task
id: RAILIANCE-WP-0006-T05
status: wait
status: progress
priority: high
state_hub_task_id: "dc1f470b-e78a-48a9-9957-965aed47861f"
```
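Review bot: the entry confirms that the `NPM_AUTH_TOKEN` field is present without saying how presence was checked; a plain KV read delivers the value to the operator's terminal even when it is not recorded, so the evidence should name the method used and where the response went (a field-names-only filter, an operator-side redaction step) so that "not printed" is auditable rather than asserted. The paragraph above it says the value was waiting on an approved operator/OpenBao custody path; now that the field exists, record which custody path provisioned it and who did so.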
@@ -233,11 +249,16 @@ Acceptance:
secret provisioning. The runbook requires positive and negative fetch evidence
without printing the token value.
**2026-06-28:** Non-secret operator checks now pass for policy, auth role,
metadata, and field presence. Remaining verification is the attended
whynot-design OIDC positive check and a non-whynot denial check, both without
printing the token.
## T06 - Coordinate ops-warden catalog activation
```task
id: RAILIANCE-WP-0006-T06
status: wait
status: progress
priority: high
state_hub_task_id: "8e84ec19-01db-4baf-a532-de87e51d4994"
```
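Review bot: the remaining "non-whynot denial check" needs to be specified precisely enough to reproduce: which identity performs it (an OIDC caller in a different group, and ideally an unauthenticated caller as well) and what the expected outcome is, presumably the same `403 permission denied` this file records for the unprivileged policy write. Without that, a passing "denial check" could be satisfied by any error, including a connectivity failure. Moving T06 to `progress` before T05 completes is consistent with the next hunk keeping activation pending.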
@@ -260,6 +281,11 @@ handoff payload for ops-warden and sent the pointers by State Hub message. The
entry should remain draft/non-active until live OpenBao provisioning and
verification complete.
**2026-06-28:** The generic `openbao-api-key` ops-warden access lane can proxy
the check with explicit `--path` and `--field`, but the dedicated
`whynot-design-npm-publish` route is not yet present in the ops-warden routing
catalog. Keep activation pending until caller verification and catalog update.
## T07 - Decide whether to batch sibling workload-KV requests
```task
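Review bot: the generic `openbao-api-key` lane proxying the check with explicit `--path` and `--field` is a broader capability than the dedicated `whynot-design-npm-publish` route, so the entry should state whether that generic lane is bound to the same read-only policy and path, and say explicitly that it is a verification aid and not the access path ops-warden callers will use; otherwise the caller-scoped fetch that T05 is meant to verify can be sidestepped through whatever the generic lane is bound to. "Keep activation pending" matches the draft/non-active requirement stated above.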
@@ -180,6 +180,10 @@ not `approved` and also refuses unconfirmed bound claims. Remaining T04 work is
to add a richer diff against existing source artifacts and eventually bridge
from reviewed plan to the interactive live applier.
**2026-06-28:** Added OIDC `allowed_redirect_uris` to the CCR contract and
generated role payloads after live OpenBao rejected an OIDC role without
callbacks. Unit coverage now checks the generated whynot-design role payload.
## T05 - Add chat/CLI approval commands
```task
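Review bot: the new unit coverage checks the generated whynot-design role payload, but since live OpenBao rejected a role without callbacks, the negative case matters as much: assert that generation refuses (rather than emits) a payload whose `allowed_redirect_uris` is empty, and that each URI is an exact entry from the approved list rather than a pattern. The contract change should also be called out in the CCR's documentation, since OIDC role generation now needs `allowed_redirect_uris` to succeed against live OpenBao.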
@@ -286,6 +290,12 @@ received `403 permission denied`. Prepared
policy, auth-role, metadata verification, positive verification, negative
verification, and activation without printing the token.
**2026-06-28:** With the temporary operator token, Codex applied/confirmed the
OpenBao read policy and OIDC role, confirmed metadata `catalog-id`, and confirmed
`NPM_AUTH_TOKEN` field presence without printing or recording the value. The CCR
now records non-secret evidence for that apply check. Positive whynot-design and
negative non-whynot caller verification still gate `active`/`ready`.
## T08 - Add deactivation, rotation, and compromise flows
```task
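Review bot: "applied/confirmed" again leaves open whether this apply changed anything; the CCR evidence should distinguish create from confirm per object (policy, role, metadata). "Non-secret evidence" should also be enumerated, at minimum the policy name, the role name and the `catalog-id` value, so an auditor can re-run the checks, and the gating sentence should cite the positive and negative caller checks by their task id so the `active`/`ready` transition is traceable to them.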