CCR-2026-0004: capabilities-safe verify + agent high-risk boundary
All checks were successful
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 1s

Record WP-0026 T07 promotion evidence (no secret values), mark the
offsite backup lane front door resolvable/ready, and add OpenBao policy
agent-high-risk-boundary for coding-agent metadata-only access.
This commit is contained in:
tegwick 2026-07-16 23:26:28 +02:00
parent e9e631fbf4
commit 347226eb36
2 changed files with 63 additions and 3 deletions

View file

@ -5,7 +5,7 @@ request_type: workload-kv-read
title: Railiance offsite backup lane (Nextcloud WebDAV + age recovery)
status: active
created: '2026-07-07'
updated: '2026-07-07'
updated: '2026-07-16'
requester:
agent: grok
reason: Move railiance-backup / forgejo-backup credentials from hardcoded script
@ -62,8 +62,8 @@ access_frontdoor:
catalog_id: railiance-backup-offsite-lane
selector: railiance backup nextcloud webdav token
command: warden access railiance-backup-offsite-lane --fetch NC_WEBDAV_TOKEN
resolvable: false
readiness: applied-pending-verify
resolvable: true
readiness: ready
delivery:
surface: operator-workstation
target: railiance-platform lib/railiance-backup-common.sh and forgejo-backup via
@ -105,6 +105,19 @@ verification:
NC_WEBDAV_URL, AGE_PRIVATE_KEY; field presence verified without printing values
- 'Delegated metadata apply: policy workload-kv-read-railiance-backup-offsite-lane
and OIDC role railiance-backup-workload-kv-read'
- at: '2026-07-16T14:00:00+00:00'
actor: grok
kind: capabilities_safe_verify
result: passed
details:
- 'WP-0026 T07: capabilities-safe re-verify on bao.coulomb.social (no secret values read).'
- 'Positive: token with policy workload-kv-read-railiance-backup-offsite-lane → capabilities read on platform/data/workloads/railiance/backup/offsite-lane.'
- 'Negative: default-policy token → deny on the same data path; token revoked after check.'
- 'Agent boundary: policy agent-high-risk-boundary → deny on data path, read on metadata path.'
- 'Field presence via JSON key inventory only (NC_WEBDAV_TOKEN, NC_WEBDAV_URL, AGE_PRIVATE_KEY); lengths recorded, values not printed.'
- 'EXPOSED taint set: custom_metadata exposed_at=2026-07-16T00:00:00Z exposed_version=2 (WP-0026 T05).'
- 'ops-warden catalog promoted draft→active; fetch_command pinned to NC_WEBDAV_TOKEN; resolvable=true; risk=high.'
lifecycle:
deactivate: Disable ops-warden catalog entry and detach OIDC role policy; rotate
Nextcloud file-drop token at provider.