diff --git a/docs/openbao.md b/docs/openbao.md index 70d1bd9..f9dba30 100644 --- a/docs/openbao.md +++ b/docs/openbao.md @@ -272,7 +272,8 @@ Before any live application secrets move into OpenBao: custody. The drill must prove that a fresh OpenBao instance can restore the snapshot, unseal, and read a test secret. 5. Decide where audit logs are shipped durably. The audit PVC alone is not a - durable audit sink. + durable audit sink. The interim `audit-core` mock file backend can prove API + and setup wiring, but it writes to `/tmp` and is not production retention. 6. Run: ```bash @@ -306,6 +307,12 @@ such as an encrypted platform backup/export path or the future centralized logging stack. Do not treat non-secret hashes, screenshots, or State Hub notes as substitutes for retained audit log custody. +Interim integration status: `/home/worsch/audit-core` provides a mock +Audit Core backend that writes JSONL records under +`/tmp/audit-core/audit-YYYYMMDDTHH.jsonl` and deletes files older than seven +days. Use it only to wire interfaces and setup validation before the durable +Audit Core archive exists. + Monitoring baseline: - pod readiness and liveness from Kubernetes probes diff --git a/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md b/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md index ef2c141..c32669e 100644 --- a/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md +++ b/workplans/RAIL-PL-WP-0002-openbao-platform-secrets-service.md 
@@ -286,6 +286,14 @@ OpenBao is unsealed on `2.5.4`, `bao audit list` shows `file/`, workplan. The cached verifier token was then revoked with `bao token revoke -self`. +**2026-06-01:** Durable tenant-aware audit retention is now a separate +`audit-core` product/repo instead of a Railiance OpenBao bootstrap subtask. The +initial Audit Core mock backend writes JSONL events under +`/tmp/audit-core/audit-YYYYMMDDTHH.jsonl` and removes files older than seven +days; it is suitable for interface wiring and setup validation only. Railiance +still owns the OpenBao file audit device and PVC, while production retention, +tenant policy, and tamper-evident archive belong to Audit Core. + ### T07 - Cross-Repo Transition Tasks ```task
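Review bot: In the docs/openbao.md hunk at line 272, the added sentence about the `audit-core` mock should say explicitly that it does not satisfy step 5, since step 5 asks where audit logs are shipped durably and the hunk's own wording says the mock writes to `/tmp` and is not production retention; a reader skimming the checklist could otherwise take the mock as an acceptable interim sink. Suggest ending the sentence with "and does not count as the durable sink this step requires" rather than only "is not production retention".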
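Review bot: In the docs/openbao.md hunk at line 306, `/home/worsch/audit-core` is a personal home-directory path and should not be the reference for the mock backend in shared documentation; point at the `audit-core` repository or a relative path instead. The same paragraph says records live under `/tmp/audit-core/audit-YYYYMMDDTHH.jsonl` and are deleted after seven days, but does not note that the host can clear `/tmp` on its own (tmpfs on reboot, or the distribution's tmpfiles cleanup) independently of that seven-day rule, nor what file mode the JSONL records are created with; one sentence on each belongs here because the surrounding text is specifically about audit log custody.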
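Review bot: The `2026-06-01` entry in the workplan hunk records that production retention, tenant policy, and the tamper-evident archive now belong to Audit Core, but the hunk adds no item under the `### T07 - Cross-Repo Transition Tasks` section that immediately follows it, so the handoff has no tracked task, owner, or completion condition. Suggest adding a T07 task that names the Audit Core dependency and states when the OpenBao file audit device and PVC stop being the only copy of the audit records. The entry also repeats the docs/openbao.md "Interim integration status" paragraph almost verbatim; a pointer to that section would keep the two from drifting.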