Close delegated prod applier pilot

This commit is contained in:
tegwick 2026-07-01 23:34:13 +02:00
parent 2db4d1afe1
commit 38936d8fd6
5 changed files with 79 additions and 27 deletions

View file

@ -10,7 +10,7 @@ topic_slug: railiance
planning_priority: high
planning_order: 8
created: "2026-06-28"
updated: "2026-06-30"
updated: "2026-07-01"
depends_on_workplans:
- RAIL-PL-WP-0002
- RAILIANCE-WP-0005
@ -99,7 +99,7 @@ Start with one production candidate policy, for example
- allow `create`, `update`, and `read` on approved credential-broker issuer
policy names such as `credential-broker-*-issuer`;
- allow `create`, `update`, and `read` on selected auth role prefixes such as
`auth/netkingdom/role/*-workload-kv-read`,
`auth/netkingdom/role/*` with local dry-run role-name constraints,
`auth/kubernetes/role/*`, and `auth/token/roles/credential-broker-*`;
- allow read/list only where needed for idempotent verification;
- deny broad `sys/*`, `auth/*`, `platform/*`, `identity/*`, `root`, and
@ -208,11 +208,17 @@ disallows `root` and `platform-admin`, disables the default policy, and does not
issue tokens by itself. Live non-production apply and denial evidence remains
the closeout gate.
**2026-07-01:** Applied the updated non-production metadata-only policy
and bounded `auth/token/roles/credential-change-nonprod-applier` role to live
OpenBao. The role attaches only `credential-change-nonprod-applier`, disables
the default policy, and disallows `root` / `platform-admin`; T03 remains open
until a non-production lane apply and denial probe are recorded.
## T04 - Add production metadata applier with human approval gate
```task
id: RAILIANCE-WP-0008-T04
status: progress
status: done
priority: high
state_hub_task_id: "414abd65-22d3-420f-994d-f7fdd1302db5"
```
@ -249,11 +255,22 @@ uses service tokens, disables default policy attachment, and keeps token issuanc
outside the setup script. Production closure still needs a live run and
capability evidence using this constrained identity.
**2026-07-01:** Updated the delegated applier ACLs to use the OpenBao-matchable
`auth/netkingdom/role/*` path while keeping role-name and bound-claim
constraints in the local CCR dry-run. Applied the live prod/nonprod applier
policies and token roles, then issued a 15-minute
`credential-change-prod-applier` child token and used it to run
`scripts/credential-change.py applier-apply CCR-2026-0001`. The delegated
run wrote the workload KV policy and OIDC role metadata without
`platform-admin`. A `sys/capabilities-self` probe on
`platform/data/workloads/coulomb/whynot-design/npm-publish` returned
`deny`, and the matching short-lived child token accessor was revoked.
## T05 - Close the whynot-design pilot
```task
id: RAILIANCE-WP-0008-T05
status: wait
status: done
priority: high
state_hub_task_id: "18f34c95-4d2b-4a08-a5ad-5ab700ff9dfe"
```
@ -270,6 +287,12 @@ Acceptance:
- `CCR-2026-0001` can move to `active`.
- ops-warden can mark `whynot-design-npm-publish` ready/resolvable.
**2026-07-01:** Closed the whynot-design pilot. `CCR-2026-0001` is
active, the front-door metadata is ready/resolvable, prior approved-custody
provisioning plus positive and negative verification are recorded without
secret values, and the delegated prod applier evidence is now recorded on the
CCR.
## Exit Criteria
- Routine approved OpenBao metadata changes no longer require broad