railiance-platform/credential-change-requests/CCR-2026-0006-forgejo-admin-api-token-lane.yaml

127 lines
4.8 KiB
YAML
Raw Normal View History

id: CCR-2026-0006
kind: credential-change-request
schema_version: 1
request_type: workload-kv-read
title: Forgejo operator/admin API token (PAT) lane
status: applied
created: '2026-07-12'
updated: '2026-07-12'
requester:
agent: grok
message_id: 54125f84-e9df-4fa0-9309-7370633a20d3
reason: Establish OpenBao custody for the Forgejo site-admin PAT currently dropped
at /tmp/forgejo-tegwick-api-token or FORGEJO_ADMIN_TOKEN on workstations. Drivers
include ACTIVITY-WP-0020 weekly package prune and railiance-apps / railiance-platform
Forgejo automation tools.
review:
required: true
required_approvers:
- platform-operator
comments:
- at: '2026-07-12T14:05:00+00:00'
reviewer: bernd.worsch
decision: approved
comment: "Approved in chat \u2014 establish Forgejo admin PAT lane at platform/workloads/forgejo/forgejo-admin\
\ (sibling to forgejo-mailer)."
target:
domain: infotech
tenant: coulomb
workload: forgejo
environment: production
purpose: Forgejo admin API token for package prune, registry ops, org webhooks,
and operator bootstrap on workstations and activity-core worker
openbao:
mount: platform
kv_path: platform/workloads/forgejo/forgejo-admin
fields:
- API_TOKEN
- API_USER
- API_BASE_URL
- TOKEN_SCOPES
- GENERATED_AT
policy_name: workload-kv-read-forgejo-admin
policy_file: openbao/policies/workload-kv-read-forgejo-admin.hcl
auth:
method: oidc
mount: netkingdom
role: forgejo-admin-workload-kv-read
allowed_redirect_uris:
- https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
- http://localhost:8250/oidc/callback
- http://127.0.0.1:8250/oidc/callback
oidc_scopes:
- openid
- profile
- email
- groups
user_claim: sub
groups_claim: groups
bound_claims:
groups:
- net-kingdom-admins
bound_claims_confirmed: true
policies:
- workload-kv-read-forgejo-admin
ttl: 15m
access_frontdoor:
type: ops-warden
catalog_id: forgejo-admin-api-token
selector: forgejo admin PAT package prune FORGEJO_ADMIN_TOKEN
command: warden access forgejo-admin-api-token --fetch API_TOKEN
resolvable: false
readiness: approved-pending-apply
delivery:
surface: operator-workstation
target: railiance-platform tools/cmd/forgejo-package-prune, activity-core weekly-forgejo-package-prune
shell resolver, and railiance-apps Forgejo tools (load_token pattern after lane
verified)
risk:
classification: high
notes:
- API_TOKEN is a Forgejo site-admin PAT for user tegwick (coulomb Owners).
- Grants package, repository, and admin API operations on forgejo.coulomb.social.
- Must not be stored on production hosts or pasted into Git, State Hub, or chat.
- ops-warden must proxy reads as the caller and must not retain values.
- Distinct from forgejo-mailer (SMTP) and railiance-backup-offsite-lane (WebDAV).
verification:
positive:
- Approved net-kingdom-admins identity can read API_TOKEN through OpenBao or warden
access without printing values in logs or hub messages.
- warden route find "forgejo admin pat" resolves to catalog id forgejo-admin-api-token.
negative:
- default-policy token denied on platform/data/workloads/forgejo/forgejo-admin.
activation_conditions:
- CCR approved by platform-operator.
- Policy and OIDC role applied with platform-admin or delegated applier authority.
- "PAT minted in attended Forgejo session (tegwick \u2192 Settings \u2192 Applications)\
\ and stored at platform/workloads/forgejo/forgejo-admin; metadata fields optional."
- Positive and negative verification recorded with non-secret audit references.
- ops-warden catalog entry promoted from draft after verification.
evidence:
- at: '2026-07-12T14:05:07+00:00'
actor: grok
kind: delegated_metadata_apply
result: passed
details:
- Delegated metadata applier ran as grok using local bao CLI ambient authority.
- 'Policy metadata write: sys/policies/acl/workload-kv-read-forgejo-admin'
- 'Auth role metadata write: auth/netkingdom/role/forgejo-admin-workload-kv-read'
- No secret values were read, written, printed, or accepted in argv.
- at: '2026-07-12T14:06:54+00:00'
actor: grok
kind: negative_verification
result: passed
details:
- default-policy token denied on platform/data/workloads/forgejo/forgejo-admin
(HTTP 403, 2026-07-12T14:06Z)
lifecycle:
deactivate: Disable ops-warden catalog entry and detach OIDC role policy; revoke
PAT in Forgejo and retire workstation file-drop path.
rotate: Mint a new PAT in Forgejo, update API_TOKEN in OpenBao, record non-secret
rotation evidence, and restart dependent automation after downstream consumers
load from OpenBao.
compromised: Revoke PAT in Forgejo immediately, deactivate front door, rotate, audit
package/webhook changes, record blast-radius notes.
state_hub:
workplan_id: ACTIVITY-WP-0020