Record whynot OpenBao lane apply evidence
This commit is contained in:
parent
3ef25cb787
commit
271aa94642
8 changed files with 134 additions and 12 deletions
|
|
@ -7,7 +7,7 @@ This is the next-session handoff for `CCR-2026-0001` and the
|
|||
|
||||
- CCR: `CCR-2026-0001`
|
||||
- Decision: `e6381a56-6b04-4fd5-b2de-f3ef59cde888`
|
||||
- Status: approved
|
||||
- Status: approved; non-secret OpenBao apply checks passed 2026-06-28
|
||||
- Front door: `template`, `resolvable=false`
|
||||
- Catalog id: `whynot-design-npm-publish`
|
||||
- Tenant/org: `coulomb`
|
||||
|
|
@ -18,9 +18,11 @@ This is the next-session handoff for `CCR-2026-0001` and the
|
|||
`https://gitea.coulomb.social/api/packages/coulomb/npm/`
|
||||
|
||||
The operator reported that the Gitea token was generated and stored in OpenBao.
|
||||
Codex could not verify the metadata from the current token-helper identity:
|
||||
metadata lookup, policy read, and auth-role read all returned `403 permission
|
||||
denied`. No secret value was read or printed.
|
||||
Using the temporary operator token only for non-secret infrastructure work, Codex
|
||||
confirmed that the policy exists, the OIDC role exists with the whynot-design
|
||||
binding and redirect URIs, the secret metadata has the expected catalog id, and
|
||||
the `NPM_AUTH_TOKEN` field is present. No secret value was printed, recorded,
|
||||
or copied into Git, State Hub, chat, or workplans.
|
||||
|
||||
## Safety Rules
|
||||
|
||||
|
|
@ -94,6 +96,10 @@ Role payload:
|
|||
```json
|
||||
{
|
||||
"role_type": "oidc",
|
||||
"allowed_redirect_uris": [
|
||||
"https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback",
|
||||
"http://localhost:8250/oidc/callback"
|
||||
],
|
||||
"user_claim": "sub",
|
||||
"groups_claim": "groups",
|
||||
"bound_claims": {
|
||||
|
|
@ -111,6 +117,10 @@ role_payload_file="$(mktemp)"
|
|||
trap 'rm -f "$role_payload_file"' EXIT
|
||||
cat >"$role_payload_file" <<'JSON'
|
||||
{
|
||||
"allowed_redirect_uris": [
|
||||
"https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback",
|
||||
"http://localhost:8250/oidc/callback"
|
||||
],
|
||||
"bound_claims": {
|
||||
"groups": [
|
||||
"whynot-design"
|
||||
|
|
@ -181,7 +191,8 @@ Only after these are true:
|
|||
|
||||
- secret metadata confirmed;
|
||||
- policy exists and is scoped to the corrected `coulomb/whynot-design` path;
|
||||
- OIDC role exists and binds only `groups=["whynot-design"]`;
|
||||
- OIDC role exists and binds only `groups=["whynot-design"]` with approved
|
||||
browser and local CLI callback URIs;
|
||||
- positive verification passed;
|
||||
- negative verification passed;
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue