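---
# Credential-broker grant manifest for the ops-warden OpenBao SSH signing
# smoke token. Top-level keys describe the manifest itself and the vocabulary
# (delivery modes, grant classes) that individual entries under `grants` must
# draw from; each grant then pins issuer settings, TTLs, actors, delivery,
# audit and revocation for one credential.
#
# Values that could be mis-typed by a YAML 1.1 parser (dates, octal modes)
# are deliberately quoted.
version: 1
updated: "2026-06-27"  # quoted so it stays a string, not a datetime.date
owner_repo: railiance-platform
owner_domain: financials
workplan_id: RAILIANCE-WP-0005
state_hub_workstream_id: 2731fece-6c49-45b8-ab8a-4ea6c04ac603

# Vocabulary of delivery modes. A grant's `delivery.allowed` list is expected
# to be a subset of `allowed_known`; `denied_known` are modes that would put
# the raw token somewhere it can be read back or logged (chat transcripts,
# state-hub bodies, git, process argument lists, LLM prompts).
delivery_modes:
  allowed_known:
    - exec-env
    - response-wrap
    - local-token-file
    - kubernetes-auth
  denied_known:
    - chat
    - state-hub-body
    - git
    - command-line-token-argument
    - llm-prompt

grant_classes:
  - self-service
  - approval-required
  - break-glass

grants:
  - id: ops-warden/warden-sign
    title: Ops Warden OpenBao SSH signing smoke token
    status: pilot
    grant_class: self-service
    credential_type: openbao-token
    issuer: openbao
    audience: ops-warden
    description: >
      Short-lived OpenBao child token for ops-warden SSH signing smoke tests.
      The token may only use the warden-sign policy and must not be treated as an ops-warden-owned secret.

    openbao:
      namespace: openbao
      token_role: warden-sign
      # Policy held by the broker itself; it should only permit creating
      # child tokens under `token_role`, never the signing capability.
      issuer_policy: credential-broker-warden-sign-issuer
      # Child token is restricted to exactly this policy set.
      policies:
        - warden-sign
      disallowed_policies:
        - root
        - platform-admin
      # NOTE(review): OpenBao/Vault attach the `default` policy to child tokens
      # unless the token role sets no_default_policy; confirm `warden-sign`
      # is the only effective policy on the issued token.
      mount_paths:
        - ssh/sign/adm-role
        - ssh/sign/agt-role
        - ssh/sign/atm-role
        # NOTE(review): `ssh/roles` is broader than the three sign paths above
        # (it is the role configuration, not a signing endpoint); verify the
        # warden-sign policy grants no more than `list`/`read` here, or drop it
        # if the smoke test does not need it.
        - ssh/roles
      ttl:
        default: 15m
        max: 1h
        # Child token cannot be extended past `max` by renewal.
        renewable: false
        # NOTE(review): this equals `max`, so a request above 1h is rejected by
        # the cap before the human-approval threshold can ever apply; either
        # raise `max` (with approval_required for that range) or drop this
        # field so the dead threshold does not suggest a path that exists.
        requires_human_above: 1h

    actors:
      allowed_types:
        - human-operator
        - approved-agent
        - ci-runner
      # Every request must be tied to a concrete subject (a Keycape identity
      # or a Kubernetes service account), which is what the audit `subject`
      # field below records.
      required_subject_binding: keycape-or-kubernetes-service-account

    authorization:
      flex_auth_required: false
      flex_auth_mode: optional-preflight
      # Self-service: no approval step for this pilot grant.
      approval_required: false
      # Purpose is mandatory but free text; the examples below are not an
      # allow-list. NOTE(review): consider validating `purpose` against a
      # pattern, since it is recorded to the state hub as audit metadata.
      purpose_required: true
      allowed_purpose_examples:
        - flex-auth-openbao-smoke
        - ops-warden-production-sign-smoke

    delivery:
      # Must stay a subset of delivery_modes.allowed_known above.
      allowed:
        - exec-env
        - response-wrap
        - local-token-file
        - kubernetes-auth
      preferred: exec-env
      denied:
        - chat
        - state-hub-body
        - git
        - command-line-token-argument
        - llm-prompt
      exec_env:
        # Environment variable the child process reads; never passed as an
        # argument (see `command-line-token-argument` in `denied`).
        variable: VAULT_TOKEN
        child_only: true
        redact_logs: true
      response_wrap:
        # Wrapping token lifetime; the wrapped payload is single-use.
        ttl: 5m
        unwrap_once: true
      local_token_file:
        # NOTE(review): relative path — confirm what it is resolved against
        # (repo root vs. $HOME) so it cannot land inside a checked-in tree.
        directory: .local/credential-leases
        # Owner read/write only; quoted so it is not parsed as octal 384.
        mode: "0600"
        # NOTE(review): no mode is given for the directory itself; a 0700
        # directory avoids the lease file being discoverable by listing.
      kubernetes_auth:
        mount: auth/kubernetes
        role: credential-broker-warden-sign
        # Bound audience of the projected service-account token.
        audience: openbao
        # NOTE(review): if these map to the auth role's
        # bound_service_account_names/namespaces, the binding is a cross
        # product: any listed name in any listed namespace is accepted, so
        # `credential-broker` in `ops-warden` and `ops-warden-smoke` in
        # `openbao` would both pass. Use one role per (name, namespace)
        # pair if that is not intended.
        service_account_names:
          - credential-broker
          - ops-warden-smoke
        namespaces:
          - openbao
          - ops-warden

    audit:
      openbao_audit_required: true
      state_hub_metadata_allowed: true
      # Only metadata goes to the state hub; the token value never does.
      record_secret_values: false
      metadata_fields:
        - grant_id
        - actor
        - subject
        - purpose
        - requested_ttl
        - issued_ttl
        - delivery_mode
        # Accessor, not the token: enough to revoke, useless to authenticate.
        - lease_accessor
        - decision_id
        - status

    revocation:
      required: true
      by_accessor: true
      # Token is revoked as soon as the exec-env child process exits.
      on_exec_exit: true
      # Presumably nothing is issued on a denied request, so there is
      # nothing to revoke.
      on_denied_request: false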