CCR-2026-0007: binky IMAP on tenants/ mount + CCR allowlist
All checks were successful
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 2s

Enable tenant commercial secrets: applier accepts mount tenants/, apply
policy and OIDC role for company-email IMAP (metadata only; values are
founder Red provision). Extend agent-high-risk-boundary for the path.
This commit is contained in:
tegwick 2026-07-17 00:09:28 +02:00
parent 347226eb36
commit 86209fa90c
6 changed files with 218 additions and 27 deletions

View file

@ -358,8 +358,30 @@ class CredentialChangeTests(unittest.TestCase):
ccr["openbao"]["mount"] = "secret"
ccr["openbao"]["kv_path"] = "secret/platform-admin"
blockers = credential_change.applier_readiness_blockers(ccr)
self.assertIn("openbao.mount must be platform, got secret", blockers)
self.assertIn("openbao.kv_path must stay under platform/workloads/", blockers)
self.assertTrue(
any("openbao.mount must be one of" in b and "secret" in b for b in blockers),
blockers,
)
def test_applier_accepts_tenants_mount_path(self) -> None:
"""WARDEN-WP-0028 — tenant commercial secrets on mount tenants/."""
ccr, errors, _warnings = credential_change.validate_ccr(self.sample)
self.assertEqual(errors, [])
ccr["status"] = "approved"
ccr["openbao"]["mount"] = "tenants"
ccr["openbao"]["kv_path"] = "tenants/binky/company-email/imap"
ccr["openbao"]["policy_name"] = "workload-kv-read-binky-company-email-imap"
ccr["openbao"]["policy_file"] = (
"openbao/policies/workload-kv-read-binky-company-email-imap.hcl"
)
ccr["openbao"]["auth"]["role"] = "binky-company-email-imap-workload-kv-read"
ccr["openbao"]["auth"]["policies"] = [
"workload-kv-read-binky-company-email-imap"
]
# Skip policy_file body match in this unit check (file exists in repo for real CCR).
ccr["openbao"]["policy_file"] = ""
violations = credential_change.applier_policy_violations(ccr)
self.assertEqual(violations, [], violations)
def test_nonprod_applier_policy_remains_metadata_only(self) -> None:
policy = (