Add credential-change delegated applier flow
@@ -156,6 +156,12 @@ scripts/credential-change.py needs-changes CCR-2026-0001 --reviewer <name> --com
make credential-change-sync-decision CREDENTIAL_CHANGE=CCR-2026-0001
make credential-change-apply-plan CREDENTIAL_CHANGE=CCR-2026-0001
make credential-change-operator-commands CREDENTIAL_CHANGE=CCR-2026-0001
make credential-change-runbook CREDENTIAL_CHANGE=CCR-2026-0001
scripts/credential-change.py runbook CCR-2026-0001 --execute-metadata --actor <operator> --confirm "APPLY CCR-2026-0001"
scripts/credential-change.py record-evidence CCR-2026-0001 --actor <operator> --kind positive_verification --result passed --detail "<non-secret audit reference>" --record-state-hub
make credential-change-lifecycle-plan CREDENTIAL_CHANGE=CCR-2026-0001 CREDENTIAL_CHANGE_LIFECYCLE_ACTION=deactivate
scripts/credential-change.py lifecycle-event CCR-2026-0001 --action compromise --actor <operator> --reason "<non-secret reason>" --detail "<non-secret evidence>" --blast-radius "<non-secret scope>" --follow-up "<task/ref>" --record-state-hub
scripts/credential-change.py import-inventory CCR-YYYY-NNNN --title "existing lane" --tenant <tenant> --workload <workload> --environment production --purpose "<purpose>" --kv-path platform/workloads/<tenant>/<workload>/<purpose> --field <FIELD_NAME> --auth-method oidc --auth-mount netkingdom --auth-role <role> --bound-claim groups=<group> --bound-claims-confirmed --frontdoor-type ops-warden --catalog-id <catalog-id> --reason "Imported existing lane without secret values"
```
`apply-plan` and `operator-commands` are intentionally guarded: they refuse
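Review bot: the `import-inventory` usage line adds `--bound-claims-confirmed` but nothing says what that flag attests or what the command does when it is omitted; since the import writes a CCR and read-policy artifact from operator-supplied metadata (`--auth-role <role>`, `--bound-claim groups=<group>`), add a short line stating that the flag is the operator's attestation that the bound claims were checked against the auth role, and whether the command refuses without it. In the same block, the `runbook --execute-metadata` line shows `--confirm "APPLY CCR-2026-0001"` as if the phrase were free text; a note that the exact phrase comes from the unguarded `runbook` render would keep operators from treating it as something they compose.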
@@ -229,6 +235,15 @@ The interactive runbook is the operator bridge:
8. record non-secret evidence;
9. notify downstream front doors such as ops-warden.
`credential-change.py runbook <CCR>` renders the checklist and exact final
confirmation phrase. `--execute-metadata` is intentionally opt-in and requires
that phrase; it uses the local `bao` CLI with ambient approved operator
authority, writes only policy/auth metadata, and records a non-secret
`metadata_apply` evidence entry. Secret value provisioning stays outside the
script through approved OpenBao/operator custody. Verification, activation, and
manual custody events are recorded with `record-evidence`, whose comments are
scanned for known secret markers before the CCR file or State Hub is updated.
This lets operators safely drive privileged work without needing to remember
every OpenBao command.
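Review bot: "uses the local `bao` CLI with ambient approved operator authority" leaves open how approval is established and what identity the `metadata_apply` evidence entry records; `--actor <operator>` is self-asserted on the command line, so state whether the entry also captures the address/namespace the `bao` CLI targeted and the identity behind that session (for example the token's display name), or say plainly that it records only the supplied actor so a reviewer knows what the evidence does and does not prove. It would also help to name which policy/auth paths `--execute-metadata` is permitted to write, since "writes only policy/auth metadata" is the whole guard this paragraph describes.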
@@ -241,6 +256,16 @@ Every active CCR needs a deactivate and rotate path:
- `compromised`: emergency state requiring immediate disablement, rotation,
blast-radius notes, and incident follow-up.
`lifecycle-plan` renders the attended checklist for each case, including the
front-door state change and OpenBao metadata disable commands for deactivation
or compromise. `lifecycle-event` records the non-secret lifecycle event in the
CCR, sets the CCR status, and marks the access front door disabled, pending
verification, or compromised as appropriate. For compromise events it accepts
non-secret blast-radius notes and follow-up task references. Existing lanes that
predate CCRs can be imported with `import-inventory`, which writes a CCR and
matching read-policy artifact from metadata only; it never asks for or stores
the secret value.
The workflow must support marking an existing credential or lane as compromised
even when the original request predates this system.
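Review bot: the closing requirement ("must support marking an existing credential or lane as compromised even when the original request predates this system") is not tied to a command, while the preceding sentence only says such lanes "can be imported with `import-inventory`"; state whether the supported path is `import-inventory` followed by `lifecycle-event --action compromise`, or whether `lifecycle-event` can record a compromise with no CCR on file, because during an incident the operator needs one unambiguous sequence. For the `compromised` case, also spell out the order between running the disable commands rendered by `lifecycle-plan` and recording with `lifecycle-event`, since the text says `lifecycle-event` "marks the access front door disabled" while the state definition above calls for immediate disablement.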