2026-07-07 17:16:30 +02:00
id : CCR-2026-0004
kind : credential-change-request
schema_version : 1
request_type : workload-kv-read
title : Railiance offsite backup lane (Nextcloud WebDAV + age recovery)
status : active
created : '2026-07-07'
2026-07-16 23:26:28 +02:00
updated : '2026-07-16'
2026-07-07 17:16:30 +02:00
requester :
agent : grok
reason : Move railiance-backup / forgejo-backup credentials from hardcoded script
values into OpenBao custody per DISCTL-WP-0003 credential-separation policy.
review :
required : true
required_approvers :
- platform-operator
comments :
- at : '2026-07-07T15:00:00+00:00'
reviewer : bernd.worsch
decision : approved
comment : "Approved in chat \u2014 establish backup lane credentials in OpenBao\
\ for workstation forgejo-backup and railiance-backup tooling (Option A Nextcloud)."
target :
domain : financials
tenant : railiance
workload : backup
environment : production
purpose : age-encrypted offsite backup upload through Nextcloud WebDAV file drop
openbao :
mount : platform
kv_path : platform/workloads/railiance/backup/offsite-lane
fields :
- NC_WEBDAV_TOKEN
- NC_WEBDAV_URL
- AGE_PRIVATE_KEY
policy_name : workload-kv-read-railiance-backup-offsite-lane
policy_file : openbao/policies/workload-kv-read-railiance-backup-offsite-lane.hcl
auth :
method : oidc
mount : netkingdom
role : railiance-backup-workload-kv-read
allowed_redirect_uris :
- https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
- http://localhost:8250/oidc/callback
- http://127.0.0.1:8250/oidc/callback
oidc_scopes :
- openid
- profile
- email
- groups
user_claim : sub
groups_claim : groups
bound_claims :
groups :
- net-kingdom-admins
bound_claims_confirmed : true
policies :
- workload-kv-read-railiance-backup-offsite-lane
ttl : 15m
access_frontdoor :
type : ops-warden
catalog_id : railiance-backup-offsite-lane
selector : railiance backup nextcloud webdav token
command : warden access railiance-backup-offsite-lane --fetch NC_WEBDAV_TOKEN
2026-07-16 23:26:28 +02:00
resolvable : true
readiness : ready
2026-07-07 17:16:30 +02:00
delivery :
surface : operator-workstation
target : railiance-platform lib/railiance-backup-common.sh and forgejo-backup via
RAILIANCE_BACKUP_NC_TOKEN env (fetched through OpenBao or warden access)
risk :
classification : high
notes :
- NC_WEBDAV_TOKEN grants upload to the offsite backup file drop.
- "AGE_PRIVATE_KEY decrypts all age-encrypted backup artifacts \u2014 recovery escrow\
\ only."
- Credentials must not be stored on production hosts with delete permission.
- ops-warden must proxy reads as the caller and must not retain values.
verification :
positive :
- Approved net-kingdom-admins identity can read NC_WEBDAV_TOKEN and AGE_PRIVATE_KEY
through OpenBao or ops-warden without printing values.
negative :
- default-policy token denied on the KV data path.
activation_conditions :
- Policy and OIDC role applied with platform-admin/operator authority.
- Secret values provisioned through approved operator custody from existing sources.
- Positive and negative verification recorded with non-secret audit references.
evidence :
- at : '2026-07-07T15:14:59+00:00'
actor : grok
kind : delegated_metadata_apply
result : passed
details :
- Delegated metadata applier ran as grok using local bao CLI ambient authority.
- 'Policy metadata write : sys/policies/acl/workload-kv-read-railiance-backup-offsite-lane'
- 'Auth role metadata write : auth/netkingdom/role/railiance-backup-workload-kv-read'
- No secret values were read, written, printed, or accepted in argv.
- at : '2026-07-07T15:15:28+00:00'
actor : grok
kind : secret_provisioned
result : passed
details :
- KV path platform/workloads/railiance/backup/offsite-lane provisioned with NC_WEBDAV_TOKEN,
NC_WEBDAV_URL, AGE_PRIVATE_KEY; field presence verified without printing values
- 'Delegated metadata apply : policy workload-kv-read-railiance-backup-offsite-lane
and OIDC role railiance-backup-workload-kv-read'
2026-07-16 23:26:28 +02:00
- at : '2026-07-16T14:00:00+00:00'
actor : grok
kind : capabilities_safe_verify
result : passed
details :
- 'WP-0026 T07 : capabilities-safe re-verify on bao.coulomb.social (no secret values read).'
- 'Positive : token with policy workload-kv-read-railiance-backup-offsite-lane → capabilities read on platform/data/workloads/railiance/backup/offsite-lane.'
- 'Negative : default-policy token → deny on the same data path; token revoked after check.'
- 'Agent boundary : policy agent-high-risk-boundary → deny on data path, read on metadata path.'
- 'Field presence via JSON key inventory only (NC_WEBDAV_TOKEN, NC_WEBDAV_URL, AGE_PRIVATE_KEY); lengths recorded, values not printed.'
- 'EXPOSED taint set : custom_metadata exposed_at=2026-07-16T00:00:00Z exposed_version=2 (WP-0026 T05).'
- 'ops-warden catalog promoted draft→active; fetch_command pinned to NC_WEBDAV_TOKEN; resolvable=true; risk=high.'
2026-07-07 17:16:30 +02:00
lifecycle :
deactivate : Disable ops-warden catalog entry and detach OIDC role policy; rotate
Nextcloud file-drop token at provider.
rotate : Mint a new Nextcloud upload token, update NC_WEBDAV_TOKEN in OpenBao, and
record non-secret rotation evidence.
compromised : Deactivate front door, rotate Nextcloud token and age key, re-encrypt
and re-upload backup artifacts where feasible, record blast-radius notes.
state_hub :
workplan_id : DISCTL-WP-0003