RAILIANCE-WP-0005-T09 done: audit references + unwrap-once evidence

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
2026-07-02 12:13:38 +02:00
parent 7fc334f67d
commit b26a04cab3


@@ -367,7 +367,7 @@ now ranks the broker lane first. Live smoke already proven via
```task
id: RAILIANCE-WP-0005-T09
status: progress
status: done
priority: high
state_hub_task_id: "78d1db83-12fb-4ac2-95eb-54c91ac125b5"
```
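Review bot: the task block flips `status: progress` to `status: done` but records no closing date, so the task block on its own does not say when T09 was closed; the only dates live in the prose journal entries further down. Consider adding a close-date line beside `status: done` (the `state_hub_task_id` stays as it is) so that the task metadata is self-describing.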
@@ -389,6 +389,16 @@ coverage for local lease files. Offline validation is passing. T09 is `wait`
until live OpenBao audit evidence, response-wrap unwrap-once evidence, and
negative live mint checks can be collected.
**2026-07-02:** T09 closed. Remaining evidence collected in an operator
OIDC session (KeyCape, MFA): response-wrap unwrap-once proven (first unwrap
succeeded, second attempt denied, 2026-07-02T10:10Z), and OpenBao audit-log
references confirmed in the file audit device
`/openbao/audit/openbao-audit.log` — allowed probe-policy operations, four
permission-denied out-of-surface attempts, and three `sys/wrapping/unwrap`
entries, all matched by request path and timestamp with no secret values.
Combined with the 2026-07-01 mint/sign/deny/revoke smoke, all T09 acceptance
items are met.
**2026-07-01:** Live verification moved forward. make credential-tests passed 50 tests. make openbao-verify-token-grants-smoke minted a child token with policy warden-sign, proved it can sign via ssh/sign/agt-role, proved it cannot read policy metadata, and revoked it by accessor. make credential-exec-ops-warden-smoke passed with the child-only PATH hook, proving the flex-auth allow/deny smoke and vault-backed ops-warden signing path without manual VAULT_TOKEN paste. T09 is progress; remaining evidence is OpenBao audit-log reference collection plus response-wrap unwrap-once verification.
## T10 - Rollout and migration
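Review bot: the 2026-07-02 entry describes the unwrap-once proof as two attempts (first unwrap succeeded, second denied) but cites three `sys/wrapping/unwrap` audit entries; the entry should explain the extra entry (for example, whether one is a separate probe or the audit device writes request and response records separately) so a later reader can match the evidence to the claim. The entry also names the audit device path `/openbao/audit/openbao-audit.log` but not where the matched references were stored, even though the commit title is "audit references"; naming that location would close the gap. Finally, the preceding `wait` text lists "negative live mint checks" as outstanding, while the closing entry relies on the 2026-07-01 mint/sign/deny/revoke smoke; stating explicitly that the deny step is the negative mint check would make the mapping to the T09 acceptance items unambiguous.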