Record credential broker delivery proof

2026-07-01 23:42:17 +02:00
parent 38936d8fd6
commit 797a957e42


@@ -238,7 +238,7 @@ and completed without manual token paste. T04 is `done`.
```task
id: RAILIANCE-WP-0005-T05
status: wait
status: done
priority: high
state_hub_task_id: "66f3cd6d-7520-4584-90b8-672866ef3490"
```
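Review bot: the task block for T05 goes from `status: wait` straight to `status: done`, while the prose log for the same task, visible in the next hunk, recorded "T05 is `progress`" before this change, so the block and the log had drifted apart. Say which of the two is authoritative, or update the block whenever the log sentence changes, so that anything reading the block does not see a stale status.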
@@ -270,6 +270,16 @@ approved issuer token.
`response-wrap`, `local-token-file`, and `kubernetes-auth` still need live
evidence. T05 is `progress`.
**2026-07-01 follow-up:** Completed the remaining delivery-mode proof. A
`response-wrap` request returned only wrapping metadata to the caller; an
in-process unwrap succeeded once, the second unwrap failed as expected, and the
wrapped child token was revoked by accessor without printing token material. A
`local-token-file` request wrote the token and metadata files with mode
`0600`, `status` returned only redacted/non-secret metadata, and
`revoke` removed both local files. `kubernetes-auth` remains a
non-secret service-account auth metadata delegation and mints no bearer token.
T05 is `done`.
## T06 - Integrate KeyCape identity and agent subject binding
```task
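Review bot: `kubernetes-auth` is closed out without the live evidence that the unchanged line above still asks for ("`response-wrap`, `local-token-file`, and `kubernetes-auth` still need live evidence"). The added paragraph describes observed runs for the first two modes but only asserts that `kubernetes-auth` "mints no bearer token". Either record the observed request and response showing that no token was issued, or state why that mode needs no live proof, before ending with "T05 is `done`". The paragraph also gives no evidence reference (log path, run id, or redacted transcript), does not say whether `revoke` in the `local-token-file` case invalidated the token at the issuer or only removed the two local files, and does not say whether the files were created with mode `0600` or changed to it after creation. One sentence on each would make the proof auditable.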
@@ -357,7 +367,7 @@ now ranks the broker lane first. Live smoke already proven via
```task
id: RAILIANCE-WP-0005-T09
status: wait
status: progress
priority: high
state_hub_task_id: "78d1db83-12fb-4ac2-95eb-54c91ac125b5"
```
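Review bot: `status: progress` for T09 has no accompanying dated note in this hunk, and the commit subject ("Record credential broker delivery proof") only covers T05. Add a short dated entry under T09 saying what work started, in the same form as the T05 follow-up, or move this status change into its own commit.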
@@ -385,7 +395,7 @@ negative live mint checks can be collected.
```task
id: RAILIANCE-WP-0005-T10
status: wait
status: progress
priority: medium
state_hub_task_id: "44ce4082-fa8f-44d0-8f86-172d14ecfb0e"
```
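Review bot: the T10 change to `status: progress` does not say what unblocked the task. The section text in the hunk header ends with "negative live mint checks can be collected", which reads like a precondition, and nothing visible here records whether it now holds. A one-line dated note under T10 stating what changed would make the transition traceable.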