CCR-2026-0004: capabilities-safe verify + agent high-risk boundary
Record WP-0026 T07 promotion evidence (no secret values), mark the offsite backup lane front door resolvable/ready, and add OpenBao policy agent-high-risk-boundary for coding-agent metadata-only access.
This commit is contained in:
parent
e9e631fbf4
commit
347226eb36
2 changed files with 63 additions and 3 deletions
|
|
@ -5,7 +5,7 @@ request_type: workload-kv-read
|
||||||
title: Railiance offsite backup lane (Nextcloud WebDAV + age recovery)
|
title: Railiance offsite backup lane (Nextcloud WebDAV + age recovery)
|
||||||
status: active
|
status: active
|
||||||
created: '2026-07-07'
|
created: '2026-07-07'
|
||||||
updated: '2026-07-07'
|
updated: '2026-07-16'
|
||||||
requester:
|
requester:
|
||||||
agent: grok
|
agent: grok
|
||||||
reason: Move railiance-backup / forgejo-backup credentials from hardcoded script
|
reason: Move railiance-backup / forgejo-backup credentials from hardcoded script
|
||||||
|
|
@ -62,8 +62,8 @@ access_frontdoor:
|
||||||
catalog_id: railiance-backup-offsite-lane
|
catalog_id: railiance-backup-offsite-lane
|
||||||
selector: railiance backup nextcloud webdav token
|
selector: railiance backup nextcloud webdav token
|
||||||
command: warden access railiance-backup-offsite-lane --fetch NC_WEBDAV_TOKEN
|
command: warden access railiance-backup-offsite-lane --fetch NC_WEBDAV_TOKEN
|
||||||
resolvable: false
|
resolvable: true
|
||||||
readiness: applied-pending-verify
|
readiness: ready
|
||||||
delivery:
|
delivery:
|
||||||
surface: operator-workstation
|
surface: operator-workstation
|
||||||
target: railiance-platform lib/railiance-backup-common.sh and forgejo-backup via
|
target: railiance-platform lib/railiance-backup-common.sh and forgejo-backup via
|
||||||
|
|
@ -105,6 +105,19 @@ verification:
|
||||||
NC_WEBDAV_URL, AGE_PRIVATE_KEY; field presence verified without printing values
|
NC_WEBDAV_URL, AGE_PRIVATE_KEY; field presence verified without printing values
|
||||||
- 'Delegated metadata apply: policy workload-kv-read-railiance-backup-offsite-lane
|
- 'Delegated metadata apply: policy workload-kv-read-railiance-backup-offsite-lane
|
||||||
and OIDC role railiance-backup-workload-kv-read'
|
and OIDC role railiance-backup-workload-kv-read'
|
||||||
|
- at: '2026-07-16T14:00:00+00:00'
|
||||||
|
actor: grok
|
||||||
|
kind: capabilities_safe_verify
|
||||||
|
result: passed
|
||||||
|
details:
|
||||||
|
- 'WP-0026 T07: capabilities-safe re-verify on bao.coulomb.social (no secret values read).'
|
||||||
|
- 'Positive: token with policy workload-kv-read-railiance-backup-offsite-lane → capabilities read on platform/data/workloads/railiance/backup/offsite-lane.'
|
||||||
|
- 'Negative: default-policy token → deny on the same data path; token revoked after check.'
|
||||||
|
- 'Agent boundary: policy agent-high-risk-boundary → deny on data path, read on metadata path.'
|
||||||
|
- 'Field presence via JSON key inventory only (NC_WEBDAV_TOKEN, NC_WEBDAV_URL, AGE_PRIVATE_KEY); lengths recorded, values not printed.'
|
||||||
|
- 'EXPOSED taint set: custom_metadata exposed_at=2026-07-16T00:00:00Z exposed_version=2 (WP-0026 T05).'
|
||||||
|
- 'ops-warden catalog promoted draft→active; fetch_command pinned to NC_WEBDAV_TOKEN; resolvable=true; risk=high.'
|
||||||
|
|
||||||
lifecycle:
|
lifecycle:
|
||||||
deactivate: Disable ops-warden catalog entry and detach OIDC role policy; rotate
|
deactivate: Disable ops-warden catalog entry and detach OIDC role policy; rotate
|
||||||
Nextcloud file-drop token at provider.
|
Nextcloud file-drop token at provider.
|
||||||
|
|
|
||||||
47
openbao/policies/agent-high-risk-boundary.hcl
Normal file
47
openbao/policies/agent-high-risk-boundary.hcl
Normal file
|
|
@ -0,0 +1,47 @@
|
||||||
|
# Agent coding read-boundary for high-risk secret lanes (WARDEN-WP-0026 T04).
|
||||||
|
#
|
||||||
|
# Coding agents (Claude/Codex/Grok sessions, automated workers) MUST NOT hold
|
||||||
|
# raw data-read on high-risk recovery/upload/admin secrets. This policy is the
|
||||||
|
# allow-list they *may* carry for those paths: metadata + capabilities only.
|
||||||
|
# Operator OIDC roles keep the full workload-kv-read-* policies separately.
|
||||||
|
#
|
||||||
|
# High-risk set (must stay in sync with ops-warden catalog risk: high):
|
||||||
|
# - railiance backup offsite (WebDAV upload + age recovery escrow)
|
||||||
|
# - forgejo admin PAT
|
||||||
|
# - openrouter LLM provider key (provider spend + prompt-adjacent)
|
||||||
|
#
|
||||||
|
# Apply live: `bao policy write agent-high-risk-boundary openbao/policies/agent-high-risk-boundary.hcl`
|
||||||
|
# Attach to agent AppRoles / tokens; never attach workload-kv-read-* for these paths
|
||||||
|
# to the same identity.
|
||||||
|
|
||||||
|
# --- railiance-backup-offsite-lane ---
|
||||||
|
path "platform/data/workloads/railiance/backup/offsite-lane" {
|
||||||
|
capabilities = ["deny"]
|
||||||
|
}
|
||||||
|
path "platform/metadata/workloads/railiance/backup/offsite-lane" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
|
|
||||||
|
# --- forgejo-admin ---
|
||||||
|
path "platform/data/workloads/forgejo/forgejo-admin" {
|
||||||
|
capabilities = ["deny"]
|
||||||
|
}
|
||||||
|
path "platform/metadata/workloads/forgejo/forgejo-admin" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
|
|
||||||
|
# --- openrouter-llm-connect ---
|
||||||
|
path "platform/data/workloads/activity-core/llm-connect/llm-connect-provider-secrets" {
|
||||||
|
capabilities = ["deny"]
|
||||||
|
}
|
||||||
|
path "platform/metadata/workloads/activity-core/llm-connect/llm-connect-provider-secrets" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
|
|
||||||
|
# Capabilities introspection (no secret values)
|
||||||
|
path "sys/capabilities-self" {
|
||||||
|
capabilities = ["update"]
|
||||||
|
}
|
||||||
|
path "auth/token/lookup-self" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
Loading…
Add table
Add a link
Reference in a new issue