Record whynot OpenBao lane apply evidence
This commit is contained in:
parent
3ef25cb787
commit
271aa94642
8 changed files with 134 additions and 12 deletions
|
|
@ -180,6 +180,10 @@ not `approved` and also refuses unconfirmed bound claims. Remaining T04 work is
|
|||
to add a richer diff against existing source artifacts and eventually bridge
|
||||
from reviewed plan to the interactive live applier.
|
||||
|
||||
**2026-06-28:** Added OIDC `allowed_redirect_uris` to the CCR contract and
|
||||
generated role payloads after live OpenBao rejected an OIDC role without
|
||||
callbacks. Unit coverage now checks the generated whynot-design role payload.
|
||||
|
||||
## T05 - Add chat/CLI approval commands
|
||||
|
||||
```task
|
||||
|
|
@ -286,6 +290,12 @@ received `403 permission denied`. Prepared
|
|||
policy, auth-role, metadata verification, positive verification, negative
|
||||
verification, and activation without printing the token.
|
||||
|
||||
**2026-06-28:** With the temporary operator token, Codex applied/confirmed the
|
||||
OpenBao read policy and OIDC role, confirmed metadata `catalog-id`, and confirmed
|
||||
`NPM_AUTH_TOKEN` field presence without printing or recording the value. The CCR
|
||||
now records non-secret evidence for that apply check. Positive whynot-design and
|
||||
negative non-whynot caller verification still gate `active`/`ready`.
|
||||
|
||||
## T08 - Add deactivation, rotation, and compromise flows
|
||||
|
||||
```task
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue