RAILIANCE-WP-0005-T09 done: audit references + unwrap-once evidence
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
@@ -367,7 +367,7 @@ now ranks the broker lane first. Live smoke already proven via
|
||||
|
||||
```task
|
||||
id: RAILIANCE-WP-0005-T09
|
||||
status: progress
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "78d1db83-12fb-4ac2-95eb-54c91ac125b5"
|
||||
```
|
||||
@@ -389,6 +389,16 @@ coverage for local lease files. Offline validation is passing. T09 is `wait`
|
||||
until live OpenBao audit evidence, response-wrap unwrap-once evidence, and
|
||||
negative live mint checks can be collected.
|
||||
|
||||
**2026-07-02:** T09 closed. Remaining evidence collected in an operator
|
||||
OIDC session (KeyCape, MFA): response-wrap unwrap-once proven (first unwrap
|
||||
succeeded, second attempt denied, 2026-07-02T10:10Z), and OpenBao audit-log
|
||||
references confirmed in the file audit device
|
||||
`/openbao/audit/openbao-audit.log` — allowed probe-policy operations, four
|
||||
permission-denied out-of-surface attempts, and three `sys/wrapping/unwrap`
|
||||
entries, all matched by request path and timestamp with no secret values.
|
||||
Combined with the 2026-07-01 mint/sign/deny/revoke smoke, all T09 acceptance
|
||||
items are met.
|
||||
|
||||
**2026-07-01:** Live verification moved forward. make credential-tests passed 50 tests. make openbao-verify-token-grants-smoke minted a child token with policy warden-sign, proved it can sign via ssh/sign/agt-role, proved it cannot read policy metadata, and revoked it by accessor. make credential-exec-ops-warden-smoke passed with the child-only PATH hook, proving the flex-auth allow/deny smoke and vault-backed ops-warden signing path without manual VAULT_TOKEN paste. T09 is progress; remaining evidence is OpenBao audit-log reference collection plus response-wrap unwrap-once verification.
|
||||
|
||||
## T10 - Rollout and migration
|
||||
|
||||
Reference in New Issue
Block a user