Record whynot OpenBao lane apply evidence

This commit is contained in:
tegwick 2026-06-28 12:41:39 +02:00
parent 3ef25cb787
commit 271aa94642
8 changed files with 134 additions and 12 deletions

View file

@ -180,6 +180,10 @@ not `approved` and also refuses unconfirmed bound claims. Remaining T04 work is
to add a richer diff against existing source artifacts and eventually bridge
from reviewed plan to the interactive live applier.
**2026-06-28:** Added OIDC `allowed_redirect_uris` to the CCR contract and
generated role payloads after live OpenBao rejected an OIDC role without
callbacks. Unit coverage now checks the generated whynot-design role payload.
## T05 - Add chat/CLI approval commands
```task
@ -286,6 +290,12 @@ received `403 permission denied`. Prepared
policy, auth-role, metadata verification, positive verification, negative
verification, and activation without printing the token.
**2026-06-28:** With the temporary operator token, Codex applied/confirmed the
OpenBao read policy and OIDC role, confirmed metadata `catalog-id`, and confirmed
`NPM_AUTH_TOKEN` field presence without printing or recording the value. The CCR
now records non-secret evidence for that apply check. Positive whynot-design and
negative non-whynot caller verification still gate `active`/`ready`.
## T08 - Add deactivation, rotation, and compromise flows
```task