Add credential-change delegated applier flow
This commit is contained in:
parent
c626bfcf15
commit
a95236d2e5
21 changed files with 2705 additions and 119 deletions
|
|
@ -4,13 +4,13 @@ type: workplan
|
|||
title: "Credential Change Proposal Review Workflow"
|
||||
domain: financials
|
||||
repo: railiance-platform
|
||||
status: active
|
||||
status: finished
|
||||
owner: codex
|
||||
topic_slug: railiance
|
||||
planning_priority: high
|
||||
planning_order: 7
|
||||
created: "2026-06-27"
|
||||
updated: "2026-06-28"
|
||||
updated: "2026-06-30"
|
||||
depends_on_workplans:
|
||||
- RAIL-PL-WP-0002
|
||||
- RAILIANCE-WP-0005
|
||||
|
|
@ -156,7 +156,7 @@ lives in `tests/test_credential_change.py`.
|
|||
|
||||
```task
|
||||
id: RAILIANCE-WP-0007-T04
|
||||
status: progress
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "1b2e7752-815c-46f8-a2e2-212e8d04da80"
|
||||
```
|
||||
|
|
@ -184,11 +184,17 @@ from reviewed plan to the interactive live applier.
|
|||
generated role payloads after live OpenBao rejected an OIDC role without
|
||||
callbacks. Unit coverage now checks the generated whynot-design role payload.
|
||||
|
||||
**2026-06-30:** Added source-artifact diff rendering to `plan` and delegated
|
||||
`applier-dry-run` output. The generated plan now reports whether the checked-in
|
||||
policy artifact matches the CCR-generated HCL and shows a unified diff when it
|
||||
does not. Approved-only `apply-plan`/`operator-commands` remain gated by CCR
|
||||
status and confirmed auth binding.
|
||||
|
||||
## T05 - Add chat/CLI approval commands
|
||||
|
||||
```task
|
||||
id: RAILIANCE-WP-0007-T05
|
||||
status: progress
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "e6d4d2d1-1881-4db7-92f8-05e3fdb846ae"
|
||||
```
|
||||
|
|
@ -215,11 +221,16 @@ State Hub decision-event emission and tighter chat integration. Created a
|
|||
State Hub decision for `CCR-2026-0001` and added `sync-decision` so resolved
|
||||
State Hub decisions can update the file-backed CCR status.
|
||||
|
||||
**2026-06-30:** Added optional `--record-state-hub` emission for approve, deny,
|
||||
and needs-changes commands. Review comments are checked for known secret markers
|
||||
before being written, and the State Hub progress event records only non-secret
|
||||
CCR id/path/policy/field/auth-role metadata plus the reviewer comment.
|
||||
|
||||
## T06 - Build an interactive runbook for apply and verify
|
||||
|
||||
```task
|
||||
id: RAILIANCE-WP-0007-T06
|
||||
status: todo
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "3c3fc38c-afa4-4367-b3e6-ba4b286ced30"
|
||||
```
|
||||
|
|
@ -235,11 +246,23 @@ Acceptance:
|
|||
- Positive and negative verification steps are guided.
|
||||
- Non-secret evidence is recorded automatically.
|
||||
|
||||
**2026-06-30:** Added `scripts/credential-change.py runbook <CCR>` and Make
|
||||
target `credential-change-runbook` to render the attended operator checklist,
|
||||
final confirmation phrase, metadata apply guidance, secret custody instructions,
|
||||
positive/negative verification steps, activation conditions, and evidence
|
||||
commands. `runbook --execute-metadata` is opt-in, requires the exact `APPLY
|
||||
<CCR-ID>` confirmation phrase, uses the local `bao` CLI with ambient approved
|
||||
operator authority, writes only policy/auth metadata, and records a non-secret
|
||||
`metadata_apply` evidence entry. Added `record-evidence` plus Make target
|
||||
`credential-change-record-evidence` so operators can append apply, secret
|
||||
provisioning, verification, and activation evidence to the CCR and optionally
|
||||
State Hub without storing secret values.
|
||||
|
||||
## T07 - Pilot with whynot-design and ops-warden
|
||||
|
||||
```task
|
||||
id: RAILIANCE-WP-0007-T07
|
||||
status: progress
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "07a7d8bf-5528-41c8-a791-d6ccd0466a33"
|
||||
```
|
||||
|
|
@ -302,11 +325,15 @@ groups bound-claim mismatch, `platform-root` membership was restored afterward,
|
|||
and `CCR-2026-0001` is now active/ready/resolvable. ops-warden catalog
|
||||
confirmation remains the external closeout step.
|
||||
|
||||
**2026-06-30:** Closed the pilot task based on the active/ready/resolvable CCR
|
||||
state and prior ops-warden catalog confirmation that the selector is active and
|
||||
resolvable. The remaining lifecycle work is now tracked separately in T08.
|
||||
|
||||
## T08 - Add deactivation, rotation, and compromise flows
|
||||
|
||||
```task
|
||||
id: RAILIANCE-WP-0007-T08
|
||||
status: todo
|
||||
status: done
|
||||
priority: medium
|
||||
state_hub_task_id: "23d6ef9d-8dbc-4468-b486-5ec8ada71130"
|
||||
```
|
||||
|
|
@ -322,11 +349,22 @@ Acceptance:
|
|||
- Deactivation disables the relevant access front door and auth/policy path.
|
||||
- Compromise flow records blast-radius notes and required follow-up tasks.
|
||||
|
||||
**2026-06-30:** Added `lifecycle-plan`, `lifecycle-event`, and
|
||||
`import-inventory` commands plus Make targets. Lifecycle plans render
|
||||
deactivation, rotation, and compromise guidance, including access-front-door
|
||||
state changes and OpenBao metadata disable commands for deactivation or
|
||||
compromise. Lifecycle events update CCR status/front-door readiness, append
|
||||
non-secret lifecycle evidence, and optionally post State Hub progress.
|
||||
Compromise events accept non-secret blast-radius and follow-up references.
|
||||
`import-inventory` can create a CCR-backed inventory file and matching read
|
||||
policy artifact for an existing lane without asking for or storing secret
|
||||
values.
|
||||
|
||||
## T09 - Add decision templates and guided review actions
|
||||
|
||||
```task
|
||||
id: RAILIANCE-WP-0007-T09
|
||||
status: todo
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "c436fd8b-cd82-4600-81b0-87ec069d7ae6"
|
||||
```
|
||||
|
|
@ -348,6 +386,12 @@ Acceptance:
|
|||
- Future UI work can replace prefix parsing with structured decision outcomes
|
||||
without changing the CCR audit trail.
|
||||
|
||||
**2026-06-30:** Added `scripts/credential-change.py decision-templates <CCR>`
|
||||
and Make target `credential-change-decision-templates`. The generated templates
|
||||
include accepted prefixes, CCR id, KV path, policy, auth-role path, and the
|
||||
linked State Hub decision. Ambiguous State Hub rationale text now fails with the
|
||||
valid templates in the error message.
|
||||
|
||||
## Exit Criteria
|
||||
|
||||
- A human can review and approve or deny a credential/security change without
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue