CCR-2026-0004: capabilities-safe verify + agent high-risk boundary
All checks were successful
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 1s

Record WP-0026 T07 promotion evidence (no secret values), mark the
offsite backup lane front door resolvable/ready, and add OpenBao policy
agent-high-risk-boundary for coding-agent metadata-only access.
This commit is contained in:
tegwick 2026-07-16 23:26:28 +02:00
parent e9e631fbf4
commit 347226eb36
2 changed files with 63 additions and 3 deletions

View file

@ -0,0 +1,47 @@
# Agent coding read-boundary for high-risk secret lanes (WARDEN-WP-0026 T04).
#
# Coding agents (Claude/Codex/Grok sessions, automated workers) MUST NOT hold
# raw data-read on high-risk recovery/upload/admin secrets. This policy is the
# allow-list they *may* carry for those paths: metadata + capabilities only.
# Operator OIDC roles keep the full workload-kv-read-* policies separately.
#
# High-risk set (must stay in sync with ops-warden catalog risk: high):
# - railiance backup offsite (WebDAV upload + age recovery escrow)
# - forgejo admin PAT
# - openrouter LLM provider key (provider spend + prompt-adjacent)
#
# Apply live: `bao policy write agent-high-risk-boundary openbao/policies/agent-high-risk-boundary.hcl`
# Attach to agent AppRoles / tokens; never attach workload-kv-read-* for these paths
# to the same identity.
# --- railiance-backup-offsite-lane ---
path "platform/data/workloads/railiance/backup/offsite-lane" {
capabilities = ["deny"]
}
path "platform/metadata/workloads/railiance/backup/offsite-lane" {
capabilities = ["read"]
}
# --- forgejo-admin ---
path "platform/data/workloads/forgejo/forgejo-admin" {
capabilities = ["deny"]
}
path "platform/metadata/workloads/forgejo/forgejo-admin" {
capabilities = ["read"]
}
# --- openrouter-llm-connect ---
path "platform/data/workloads/activity-core/llm-connect/llm-connect-provider-secrets" {
capabilities = ["deny"]
}
path "platform/metadata/workloads/activity-core/llm-connect/llm-connect-provider-secrets" {
capabilities = ["read"]
}
# Capabilities introspection (no secret values)
path "sys/capabilities-self" {
capabilities = ["update"]
}
path "auth/token/lookup-self" {
capabilities = ["read"]
}