Confirm whynot credential binding
This commit is contained in:
parent
aee0dcefad
commit
52687d8b3e
6 changed files with 115 additions and 41 deletions
|
|
@ -2,30 +2,36 @@ id: CCR-2026-0001
|
|||
kind: credential-change-request
|
||||
schema_version: 1
|
||||
request_type: workload-kv-read
|
||||
title: "whynot-design npm publish token lane"
|
||||
title: whynot-design npm publish token lane
|
||||
status: proposed
|
||||
created: "2026-06-27"
|
||||
updated: "2026-06-27"
|
||||
created: '2026-06-27'
|
||||
updated: '2026-06-27'
|
||||
requester:
|
||||
agent: ops-warden
|
||||
message_id: "fe5b1696-8956-4bd5-9d6f-dbde1901a076"
|
||||
reason: "Allow ops-warden to proxy caller-scoped access to whynot-design's npm publish token."
|
||||
message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
|
||||
reason: Allow ops-warden to proxy caller-scoped access to whynot-design's npm publish
|
||||
token.
|
||||
review:
|
||||
required: true
|
||||
required_approvers:
|
||||
- platform-operator
|
||||
comments: []
|
||||
- platform-operator
|
||||
comments:
|
||||
- at: '2026-06-27T21:40:22+00:00'
|
||||
reviewer: bernd.worsch
|
||||
decision: binding_confirmed
|
||||
comment: 'Confirmed in chat: groups=whynot-design is the intended KeyCape/NetKingdom
|
||||
binding for the whynot-design npm publish lane.'
|
||||
target:
|
||||
domain: financials
|
||||
tenant: whynot-design
|
||||
workload: whynot-design
|
||||
environment: production
|
||||
purpose: "npm package publishing through ops-warden caller-scoped fetch/exec"
|
||||
purpose: npm package publishing through ops-warden caller-scoped fetch/exec
|
||||
openbao:
|
||||
mount: platform
|
||||
kv_path: platform/workloads/whynot-design/whynot-design/npm-publish
|
||||
fields:
|
||||
- NPM_AUTH_TOKEN
|
||||
- NPM_AUTH_TOKEN
|
||||
policy_name: workload-kv-read-whynot-design-npm-publish
|
||||
policy_file: openbao/policies/workload-kv-read-whynot-design-npm-publish.hcl
|
||||
auth:
|
||||
|
|
@ -36,42 +42,46 @@ openbao:
|
|||
groups_claim: groups
|
||||
bound_claims:
|
||||
groups:
|
||||
- whynot-design
|
||||
bound_claims_confirmed: false
|
||||
- whynot-design
|
||||
bound_claims_confirmed: true
|
||||
policies:
|
||||
- workload-kv-read-whynot-design-npm-publish
|
||||
- workload-kv-read-whynot-design-npm-publish
|
||||
ttl: 15m
|
||||
access_frontdoor:
|
||||
type: ops-warden
|
||||
catalog_id: whynot-design-npm-publish
|
||||
selector: "npm publish token"
|
||||
command: "warden access whynot-design-npm-publish --exec -- npm publish"
|
||||
selector: npm publish token
|
||||
command: warden access whynot-design-npm-publish --exec -- npm publish
|
||||
resolvable: false
|
||||
readiness: template
|
||||
activation: "draft-until-ccr-verified"
|
||||
activation: draft-until-ccr-verified
|
||||
risk:
|
||||
classification: high
|
||||
notes:
|
||||
- "Grants read access to the credential used to publish npm packages."
|
||||
- "Uses a publish-specific catalog id; a future read-only npm token must use a separate catalog id."
|
||||
- "The proposed OIDC bound claim must be confirmed before apply."
|
||||
- "ops-warden must proxy the read as the caller and must not retain the token value."
|
||||
- Grants read access to the credential used to publish npm packages.
|
||||
- Uses a publish-specific catalog id; a future read-only npm token must use a separate
|
||||
catalog id.
|
||||
- The OIDC bound claim was confirmed in review; re-confirm if the claim changes.
|
||||
- ops-warden must proxy the read as the caller and must not retain the token value.
|
||||
verification:
|
||||
positive:
|
||||
- "Approved whynot-design identity can fetch field NPM_AUTH_TOKEN through OpenBao or ops-warden."
|
||||
- Approved whynot-design identity can fetch field NPM_AUTH_TOKEN through OpenBao
|
||||
or ops-warden.
|
||||
negative:
|
||||
- "Non-whynot identity cannot read the path or field."
|
||||
- Non-whynot identity cannot read the path or field.
|
||||
activation_conditions:
|
||||
- "Policy applied with platform-admin/operator authority."
|
||||
- "OIDC role bound to confirmed whynot-design claim or approved service account."
|
||||
- "Secret value provisioned directly in OpenBao through approved operator custody."
|
||||
- "Positive and negative verification recorded with non-secret audit ids or timestamps."
|
||||
- Policy applied with platform-admin/operator authority.
|
||||
- OIDC role bound to confirmed whynot-design claim or approved service account.
|
||||
- Secret value provisioned directly in OpenBao through approved operator custody.
|
||||
- Positive and negative verification recorded with non-secret audit ids or timestamps.
|
||||
lifecycle:
|
||||
deactivate: "Disable ops-warden catalog entry and remove or detach auth role policy."
|
||||
rotate: "Replace NPM_AUTH_TOKEN value directly in OpenBao and record non-secret rotation evidence."
|
||||
compromised: "Immediately deactivate access front door, rotate npm token, record blast-radius notes, and open incident follow-up tasks."
|
||||
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
|
||||
rotate: Replace NPM_AUTH_TOKEN value directly in OpenBao and record non-secret rotation
|
||||
evidence.
|
||||
compromised: Immediately deactivate access front door, rotate npm token, record
|
||||
blast-radius notes, and open incident follow-up tasks.
|
||||
state_hub:
|
||||
workplan_id: RAILIANCE-WP-0007
|
||||
related_workplan_id: RAILIANCE-WP-0006
|
||||
ops_warden_reply_message_id: "b175c561-7858-43f5-a309-949b0dede1b4"
|
||||
ops_warden_batch_message_id: "fe5b1696-8956-4bd5-9d6f-dbde1901a076"
|
||||
ops_warden_reply_message_id: b175c561-7858-43f5-a309-949b0dede1b4
|
||||
ops_warden_batch_message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue