Close delegated prod applier pilot

This commit is contained in:
tegwick 2026-07-01 23:34:13 +02:00
parent 2db4d1afe1
commit 38936d8fd6
5 changed files with 79 additions and 27 deletions

View file

@ -5,7 +5,7 @@ request_type: workload-kv-read
title: whynot-design npm publish token lane
status: active
created: '2026-06-27'
updated: '2026-06-29'
updated: '2026-07-01'
requester:
agent: ops-warden
message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
@ -107,52 +107,79 @@ verification:
result: passed
details:
- Policy read succeeded for workload-kv-read-whynot-design-npm-publish.
- OIDC role read showed the whynot-design bound claim, read policy, and callback URIs.
- OIDC role read showed the whynot-design bound claim, read policy, and callback
URIs.
- Metadata read showed catalog-id whynot-design-npm-publish.
- Secret field presence check found NPM_AUTH_TOKEN without printing or recording the value.
- Secret field presence check found NPM_AUTH_TOKEN without printing or recording
the value.
- at: '2026-06-28T11:20:06+00:00'
actor: codex
kind: non_secret_oidc_role_correction
result: applied
details:
- Positive login reported missing groups claim because the role did not request the groups scope.
- Updated auth/netkingdom/role/whynot-design-workload-kv-read with oidc_scopes openid/profile/email/groups.
- Positive login reported missing groups claim because the role did not request
the groups scope.
- Updated auth/netkingdom/role/whynot-design-workload-kv-read with oidc_scopes
openid/profile/email/groups.
- Added the 127.0.0.1 local CLI callback URI alongside localhost and browser callbacks.
- at: '2026-06-28T14:01:47+00:00'
actor: codex
kind: non_secret_identity_group_check
result: applied
details:
- Positive login advanced from missing groups claim to bound claim mismatch; this confirms the groups scope is now requested.
- Positive login advanced from missing groups claim to bound claim mismatch; this
confirms the groups scope is now requested.
- Live LLDAP group inventory did not contain whynot-design before this check.
- Created and verified the whynot-design LLDAP group for the approved OpenBao bound claim.
- No user membership was changed; positive verification still requires the authenticating account to be explicitly added to whynot-design.
- Created and verified the whynot-design LLDAP group for the approved OpenBao
bound claim.
- No user membership was changed; positive verification still requires the authenticating
account to be explicitly added to whynot-design.
- at: '2026-06-28T15:22:29+00:00'
actor: bernd.worsch
kind: positive_fetch_verification
result: passed
details:
- Attended OIDC login for auth/netkingdom/role/whynot-design-workload-kv-read succeeded with workload-kv-read-whynot-design-npm-publish policy.
- NPM_AUTH_TOKEN field fetch from platform/workloads/coulomb/whynot-design/npm-publish exited successfully with output redirected to /dev/null.
- Attended OIDC login for auth/netkingdom/role/whynot-design-workload-kv-read
succeeded with workload-kv-read-whynot-design-npm-publish policy.
- NPM_AUTH_TOKEN field fetch from platform/workloads/coulomb/whynot-design/npm-publish
exited successfully with output redirected to /dev/null.
- The secret value was not printed or recorded.
- A short-lived OpenBao client token was printed by the CLI login output and was revoked by accessor immediately after the report.
- Negative denial verification is still pending; keep the front door non-resolvable until it passes.
- A short-lived OpenBao client token was printed by the CLI login output and was
revoked by accessor immediately after the report.
- Negative denial verification is still pending; keep the front door non-resolvable
until it passes.
- at: '2026-06-28T22:06:43+00:00'
actor: bernd.worsch
kind: negative_denial_verification
result: passed
details:
- platform-root was temporarily removed from the whynot-design LLDAP group for the attended negative check.
- OIDC login for auth/netkingdom/role/whynot-design-workload-kv-read failed with a groups bound-claim mismatch.
- No OpenBao client token was issued for the negative identity, and no NPM_AUTH_TOKEN value was printed or recorded.
- platform-root was temporarily removed from the whynot-design LLDAP group for
the attended negative check.
- OIDC login for auth/netkingdom/role/whynot-design-workload-kv-read failed with
a groups bound-claim mismatch.
- No OpenBao client token was issued for the negative identity, and no NPM_AUTH_TOKEN
value was printed or recorded.
- at: '2026-06-28T22:08:50+00:00'
actor: codex
kind: identity_group_restore
result: passed
details:
- Restored platform-root membership in the whynot-design LLDAP group after negative verification.
- Verified whynot-design membership contains platform-root and no unexpected additional users.
- Positive and negative verification gates are now complete; access_frontdoor is ready/resolvable.
- Restored platform-root membership in the whynot-design LLDAP group after negative
verification.
- Verified whynot-design membership contains platform-root and no unexpected additional
users.
- Positive and negative verification gates are now complete; access_frontdoor
is ready/resolvable.
- at: '2026-07-01T21:27:20+00:00'
actor: credential-change-prod-applier-smoke
kind: delegated_metadata_apply
result: passed
details:
- Delegated metadata applier ran as credential-change-prod-applier-smoke using
local bao CLI ambient authority.
- 'Policy metadata write: sys/policies/acl/workload-kv-read-whynot-design-npm-publish'
- 'Auth role metadata write: auth/netkingdom/role/whynot-design-workload-kv-read'
- No secret values were read, written, printed, or accepted in argv.
lifecycle:
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
rotate: Replace NPM_AUTH_TOKEN value directly in OpenBao and record non-secret rotation