diff --git a/workplans/RAILIANCE-WP-0005-credential-request-and-lease-broker.md b/workplans/RAILIANCE-WP-0005-credential-request-and-lease-broker.md index 1d0c42e..d3c213e 100644 --- a/workplans/RAILIANCE-WP-0005-credential-request-and-lease-broker.md +++ b/workplans/RAILIANCE-WP-0005-credential-request-and-lease-broker.md @@ -367,7 +367,7 @@ now ranks the broker lane first. Live smoke already proven via ```task id: RAILIANCE-WP-0005-T09 -status: progress +status: done priority: high state_hub_task_id: "78d1db83-12fb-4ac2-95eb-54c91ac125b5" ``` @@ -389,6 +389,16 @@ coverage for local lease files. Offline validation is passing. T09 is `wait` until live OpenBao audit evidence, response-wrap unwrap-once evidence, and negative live mint checks can be collected. +**2026-07-02:** T09 closed. Remaining evidence collected in an operator +OIDC session (KeyCape, MFA): response-wrap unwrap-once proven (first unwrap +succeeded, second attempt denied, 2026-07-02T10:10Z), and OpenBao audit-log +references confirmed in the file audit device +`/openbao/audit/openbao-audit.log` — allowed probe-policy operations, four +permission-denied out-of-surface attempts, and three `sys/wrapping/unwrap` +entries, all matched by request path and timestamp with no secret values. +Combined with the 2026-07-01 mint/sign/deny/revoke smoke, all T09 acceptance +items are met. + **2026-07-01:** Live verification moved forward. make credential-tests passed 50 tests. make openbao-verify-token-grants-smoke minted a child token with policy warden-sign, proved it can sign via ssh/sign/agt-role, proved it cannot read policy metadata, and revoked it by accessor. make credential-exec-ops-warden-smoke passed with the child-only PATH hook, proving the flex-auth allow/deny smoke and vault-backed ops-warden signing path without manual VAULT_TOKEN paste. T09 is progress; remaining evidence is OpenBao audit-log reference collection plus response-wrap unwrap-once verification. ## T10 - Rollout and migration
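Review bot: In the 2026-07-02 entry, the three `sys/wrapping/unwrap` audit entries do not line up with the unwrap-once test as described, which covers only two attempts (first unwrap succeeded, second denied). Please say what the third entry was and whether it succeeded or was denied, since an unexplained successful unwrap is exactly what unwrap-once evidence is meant to rule out. The entry also gives a timestamp only for the unwrap test, no count for the allowed probe-policy operations, and no audit request IDs or evidence location for any of it. Because this entry is what justifies `status: done` on T09, consider adding those references (still without secret values) so the closure can be re-checked against `/openbao/audit/openbao-audit.log`, and noting that the earlier "T09 is `wait` until ..." line is superseded.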