diff --git a/credential-change-requests/CCR-2026-0007-binky-company-email-imap.yaml b/credential-change-requests/CCR-2026-0007-binky-company-email-imap.yaml index d6fabbb..ba9e76e 100644 --- a/credential-change-requests/CCR-2026-0007-binky-company-email-imap.yaml +++ b/credential-change-requests/CCR-2026-0007-binky-company-email-imap.yaml @@ -3,7 +3,7 @@ kind: credential-change-request schema_version: 1 request_type: workload-kv-read title: Binky company email IMAP credentials (tenant lane) -status: applied +status: active created: '2026-07-17' updated: '2026-07-17' requester: @@ -62,8 +62,8 @@ access_frontdoor: catalog_id: binky-company-email-imap selector: binky company email imap mailbox command: warden access binky-company-email-imap --out FILE - resolvable: false - readiness: applied-pending-provision + resolvable: true + readiness: ready delivery: surface: operator-workstation target: email-connect scan-mailbox via env IMAP_USERNAME/IMAP_PASSWORD (names only @@ -107,6 +107,28 @@ verification: - "Capabilities-safe: lane-policy token \u2192 read on tenants/data/.../imap;\ \ default-policy \u2192 deny" - No secret values written (founder Red provision remains). + - at: '2026-07-17T00:00:00+00:00' + actor: bernd.worsch + kind: secret_provisioned + result: passed + details: + - "Founder set IMAP fields via OpenBao UI (version \u22652; not placeholder)." + - platform-admin policy extended with tenants/* for UI visibility (2026-07-17). + - at: '2026-07-17T00:00:00+00:00' + actor: grok + kind: capabilities_safe_verify + result: passed + details: + - "lane-policy token \u2192 read on tenants/data/binky/company-email/imap" + - "default-policy token \u2192 deny" + - Field presence keys IMAP_USERNAME + IMAP_PASSWORD; no values printed + - "ops-warden catalog promoted draft\u2192active; resolvable=true" + - at: '2026-07-17T00:00:00+00:00' + actor: grok + kind: frontdoor_activation + result: passed + details: + - catalog id binky-company-email-imap status=active resolvable=true risk=high lifecycle: deactivate: Disable ops-warden catalog entry and detach OIDC role policy; rotate mailbox password at provider. diff --git a/docs/workload-kv-access-lanes.md b/docs/workload-kv-access-lanes.md index da63522..617df71 100644 --- a/docs/workload-kv-access-lanes.md +++ b/docs/workload-kv-access-lanes.md @@ -385,7 +385,7 @@ CCR applier allowlist accepts `mount: tenants` and paths under `tenants/` | Read policy | `workload-kv-read-binky-company-email-imap` | | Policy file | `openbao/policies/workload-kv-read-binky-company-email-imap.hcl` | | OIDC role | `binky-company-email-imap-workload-kv-read` | -| Front-door readiness | draft / applied-pending-provision (values: founder Red) | +| Front-door readiness | active, resolvable=true (provisioned 2026-07-17) | | Risk | high | ```bash