id: CCR-2026-0002
kind: credential-change-request
schema_version: 1
request_type: workload-kv-read
title: issue-core runtime ingestion key lane
status: active
created: '2026-06-27'
updated: '2026-07-02'
requester:
  agent: ops-warden
  message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
  reason: Confirm and provision the issue-core workload KV lane requested in the ops-warden batch.
review:
  required: true
  required_approvers:
    - platform-operator
    - issue-core-owner
  comments:
    - at: '2026-06-29T22:53:03+00:00'
      reviewer: codex
      decision: metadata_review_binding_confirmed
      comment: Live cluster metadata on 2026-06-30 confirms ExternalSecret issue-core/issue-core-runtime is Ready=True (SecretSynced) and maps ISSUE_CORE_API_KEY plus GITEA_BACKEND_TOKEN from platform/workloads/issue-core/issue-core/issue-core-runtime. The workload Deployment uses the default service account; OpenBao auth for this delivery path is the platform ClusterSecretStore/openbao role external-secrets-issue-core bound to service account external-secrets/external-secrets. Keep CCR status proposed until platform/operator and issue-core-owner approval.
    - at: '2026-07-02T09:59:54+00:00'
      reviewer: bernd.worsch
      decision: approved
      comment: 'Approved in chat (Claude Code coached-approvals session, 2026-07-02) acting as all required approvers: platform-operator, issue-core-owner. Field-set decision: keep both ISSUE_CORE_API_KEY and GITEA_BACKEND_TOKEN, matching the live ExternalSecret mapping.'
target:
  domain: financials
  tenant: issue-core
  workload: issue-core
  environment: production
  purpose: issue-core runtime ingestion through OpenBao workload KV and External Secrets
openbao:
  mount: platform
  kv_path: platform/workloads/issue-core/issue-core/issue-core-runtime
  fields:
    - ISSUE_CORE_API_KEY
    - GITEA_BACKEND_TOKEN
  policy_name: workload-kv-read-issue-core-runtime
  policy_file: openbao/policies/workload-kv-read-issue-core-runtime.hcl
  auth:
    method: kubernetes
    mount: kubernetes
    role: external-secrets-issue-core
    bound_claims:
      service_account_names:
        - external-secrets
      service_account_namespaces:
        - external-secrets
    bound_claims_confirmed: true
    policies:
      - workload-kv-read-issue-core-runtime
    ttl: 15m
access_frontdoor:
  type: ops-warden
  catalog_id: issue-core-ingestion-api-key
  selector: issue-core ingestion API key
  command: warden access issue-core-ingestion-api-key --fetch ISSUE_CORE_API_KEY
  resolvable: true
  readiness: ready
  activation: verified-positive-and-negative-access-frontdoor-active-2026-07-02
delivery:
  surface: external-secrets
  target: ExternalSecret issue-core/issue-core-runtime -> Secret issue-core-runtime in the issue-core namespace
risk:
  classification: high
  notes:
    - Grants read access to issue-core runtime ingestion credentials through the platform External Secrets path.
    - GITEA_BACKEND_TOKEN remains included because the live issue-core ExternalSecret maps it alongside ISSUE_CORE_API_KEY; remove it before approval only if the issue-core owner confirms it is no longer required.
    - The Kubernetes auth subject is the External Secrets operator service account external-secrets/external-secrets, with ClusterSecretStore usage limited to the issue-core namespace.
    - ops-warden must proxy reads as the caller and must not retain token values.
verification:
  positive:
    - ExternalSecret issue-core/issue-core-runtime is Ready=True and syncs the configured fields without printing values.
    - Approved issue-core runtime can consume the resulting Kubernetes Secret without exposing values.
  negative:
    - A namespace outside the approved ClusterSecretStore condition cannot use this store to read the path.
    - A service account outside external-secrets/external-secrets cannot authenticate through the External Secrets OpenBao role.
activation_conditions:
  - Policy applied with platform-admin/operator authority.
  - Kubernetes auth role bound to external-secrets/external-secrets for the issue-core External Secrets delivery path.
  - Secret values provisioned directly in OpenBao through approved operator custody.
  - Positive and negative verification recorded with non-secret audit ids or timestamps.
evidence:
  - at: '2026-07-02T10:08:00+00:00'
    actor: bernd.worsch
    kind: delegated_metadata_apply
    result: passed
    details:
      - Delegated metadata applier ran as bernd.worsch using local bao CLI ambient authority.
      - 'Policy metadata write: sys/policies/acl/workload-kv-read-issue-core-runtime'
      - 'Auth role metadata write: auth/kubernetes/role/external-secrets-issue-core'
      - No secret values were read, written, printed, or accepted in argv.
  - at: '2026-07-02T18:49:04+00:00'
    actor: railiance-platform
    kind: frontdoor_activation
    result: passed
    details:
      - 'ops-warden promoted catalog id issue-core-ingestion-api-key to status active (ops-warden commit 364eb7d, reviewed 2026-07-02): entry is exec_capable and resolvable with zero-placeholder handoff; ops-warden proxies reads as the caller and holds no secret value. Promotion followed positive/negative verification recorded 2026-07-02.'
lifecycle:
  deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
  rotate: Replace issue-core runtime secret values directly in OpenBao and record non-secret rotation evidence.
  compromised: Immediately deactivate access front door, rotate affected values, record blast-radius notes, and open incident follow-up tasks.
state_hub:
  workplan_id: RAILIANCE-WP-0007
  ops_warden_batch_message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076