diff --git a/credential-change-requests/CCR-2026-0004-railiance-backup-offsite-lane.yaml b/credential-change-requests/CCR-2026-0004-railiance-backup-offsite-lane.yaml index 8482d78..eb6f5c9 100644 --- a/credential-change-requests/CCR-2026-0004-railiance-backup-offsite-lane.yaml +++ b/credential-change-requests/CCR-2026-0004-railiance-backup-offsite-lane.yaml @@ -5,7 +5,7 @@ request_type: workload-kv-read title: Railiance offsite backup lane (Nextcloud WebDAV + age recovery) status: active created: '2026-07-07' -updated: '2026-07-07' +updated: '2026-07-16' requester: agent: grok reason: Move railiance-backup / forgejo-backup credentials from hardcoded script @@ -62,8 +62,8 @@ access_frontdoor: catalog_id: railiance-backup-offsite-lane selector: railiance backup nextcloud webdav token command: warden access railiance-backup-offsite-lane --fetch NC_WEBDAV_TOKEN - resolvable: false - readiness: applied-pending-verify + resolvable: true + readiness: ready delivery: surface: operator-workstation target: railiance-platform lib/railiance-backup-common.sh and forgejo-backup via @@ -105,6 +105,19 @@ verification: NC_WEBDAV_URL, AGE_PRIVATE_KEY; field presence verified without printing values - 'Delegated metadata apply: policy workload-kv-read-railiance-backup-offsite-lane and OIDC role railiance-backup-workload-kv-read' + - at: '2026-07-16T14:00:00+00:00' + actor: grok + kind: capabilities_safe_verify + result: passed + details: + - 'WP-0026 T07: capabilities-safe re-verify on bao.coulomb.social (no secret values read).' + - 'Positive: token with policy workload-kv-read-railiance-backup-offsite-lane → capabilities read on platform/data/workloads/railiance/backup/offsite-lane.' + - 'Negative: default-policy token → deny on the same data path; token revoked after check.' + - 'Agent boundary: policy agent-high-risk-boundary → deny on data path, read on metadata path.' + - 'Field presence via JSON key inventory only (NC_WEBDAV_TOKEN, NC_WEBDAV_URL, AGE_PRIVATE_KEY); lengths recorded, values not printed.' + - 'EXPOSED taint set: custom_metadata exposed_at=2026-07-16T00:00:00Z exposed_version=2 (WP-0026 T05).' + - 'ops-warden catalog promoted draft→active; fetch_command pinned to NC_WEBDAV_TOKEN; resolvable=true; risk=high.' + lifecycle: deactivate: Disable ops-warden catalog entry and detach OIDC role policy; rotate Nextcloud file-drop token at provider. diff --git a/openbao/policies/agent-high-risk-boundary.hcl b/openbao/policies/agent-high-risk-boundary.hcl new file mode 100644 index 0000000..6299491 --- /dev/null +++ b/openbao/policies/agent-high-risk-boundary.hcl @@ -0,0 +1,47 @@ +# Agent coding read-boundary for high-risk secret lanes (WARDEN-WP-0026 T04). +# +# Coding agents (Claude/Codex/Grok sessions, automated workers) MUST NOT hold +# raw data-read on high-risk recovery/upload/admin secrets. This policy is the +# allow-list they *may* carry for those paths: metadata + capabilities only. +# Operator OIDC roles keep the full workload-kv-read-* policies separately. +# +# High-risk set (must stay in sync with ops-warden catalog risk: high): +# - railiance backup offsite (WebDAV upload + age recovery escrow) +# - forgejo admin PAT +# - openrouter LLM provider key (provider spend + prompt-adjacent) +# +# Apply live: `bao policy write agent-high-risk-boundary openbao/policies/agent-high-risk-boundary.hcl` +# Attach to agent AppRoles / tokens; never attach workload-kv-read-* for these paths +# to the same identity. + +# --- railiance-backup-offsite-lane --- +path "platform/data/workloads/railiance/backup/offsite-lane" { + capabilities = ["deny"] +} +path "platform/metadata/workloads/railiance/backup/offsite-lane" { + capabilities = ["read"] +} + +# --- forgejo-admin --- +path "platform/data/workloads/forgejo/forgejo-admin" { + capabilities = ["deny"] +} +path "platform/metadata/workloads/forgejo/forgejo-admin" { + capabilities = ["read"] +} + +# --- openrouter-llm-connect --- +path "platform/data/workloads/activity-core/llm-connect/llm-connect-provider-secrets" { + capabilities = ["deny"] +} +path "platform/metadata/workloads/activity-core/llm-connect/llm-connect-provider-secrets" { + capabilities = ["read"] +} + +# Capabilities introspection (no secret values) +path "sys/capabilities-self" { + capabilities = ["update"] +} +path "auth/token/lookup-self" { + capabilities = ["read"] +}