diff --git a/workplans/RAILIANCE-WP-0005-credential-request-and-lease-broker.md b/workplans/RAILIANCE-WP-0005-credential-request-and-lease-broker.md index df29ab1..1d0c42e 100644 --- a/workplans/RAILIANCE-WP-0005-credential-request-and-lease-broker.md +++ b/workplans/RAILIANCE-WP-0005-credential-request-and-lease-broker.md @@ -238,7 +238,7 @@ and completed without manual token paste. T04 is `done`. ```task id: RAILIANCE-WP-0005-T05 -status: wait +status: done priority: high state_hub_task_id: "66f3cd6d-7520-4584-90b8-672866ef3490" ``` @@ -270,6 +270,16 @@ approved issuer token. `response-wrap`, `local-token-file`, and `kubernetes-auth` still need live evidence. T05 is `progress`. +**2026-07-01 follow-up:** Completed the remaining delivery-mode proof. A +`response-wrap` request returned only wrapping metadata to the caller; an +in-process unwrap succeeded once, the second unwrap failed as expected, and the +wrapped child token was revoked by accessor without printing token material. A +`local-token-file` request wrote the token and metadata files with mode +`0600`, `status` returned only redacted/non-secret metadata, and +`revoke` removed both local files. `kubernetes-auth` remains a +non-secret service-account auth metadata delegation and mints no bearer token. +T05 is `done`. + ## T06 - Integrate KeyCape identity and agent subject binding ```task @@ -357,7 +367,7 @@ now ranks the broker lane first. Live smoke already proven via ```task id: RAILIANCE-WP-0005-T09 -status: wait +status: progress priority: high state_hub_task_id: "78d1db83-12fb-4ac2-95eb-54c91ac125b5" ``` @@ -385,7 +395,7 @@ negative live mint checks can be collected. ```task id: RAILIANCE-WP-0005-T10 -status: wait +status: progress priority: medium state_hub_task_id: "44ce4082-fa8f-44d0-8f86-172d14ecfb0e" ```