feat: add credential grant catalog foundation

This commit is contained in:
tegwick 2026-06-26 17:49:40 +02:00
parent 693dc71833
commit c7393d94ab
6 changed files with 617 additions and 5 deletions

View file

@ -4,13 +4,13 @@ type: workplan
title: "Credential Request and Lease Broker"
domain: financials
repo: railiance-platform
status: ready
status: active
owner: codex
topic_slug: railiance
planning_priority: high
planning_order: 5
created: "2026-06-24"
updated: "2026-06-24"
updated: "2026-06-25"
depends_on_workplans:
- RAIL-PL-WP-0002
state_hub_workstream_id: "2731fece-6c49-45b8-ab8a-4ea6c04ac603"
@ -101,7 +101,7 @@ Mitigations required by this workplan:
```task
id: RAILIANCE-WP-0005-T01
status: todo
status: done
priority: high
state_hub_task_id: "cd680de8-a483-40d6-84fa-369bad60e7c7"
```
@ -116,11 +116,13 @@ Acceptance:
- Docs state that State Hub stores request metadata only, never secret values.
- Ops-warden credential routing can point OpenBao token requests here.
**2026-06-25:** Added `docs/credential-broker.md` as the ownership and architecture decision. It records that railiance-platform owns OpenBao credential request/generation/delivery, ops-warden owns SSH certificate signing only, State Hub stores non-secret request metadata only, and llm-connect/callers must not place secrets in prompts.
## T02 - Define credential grant catalog
```task
id: RAILIANCE-WP-0005-T02
status: todo
status: done
priority: high
state_hub_task_id: "6b64ad4b-90cd-475b-aaa9-73997c6b011b"
```
@ -144,6 +146,8 @@ Acceptance:
- The catalog distinguishes self-service, approval-required, and break-glass grants.
- No grant entry contains a secret.
**2026-06-25:** Added the non-secret grant catalog at `credential-grants/catalog.yaml` with the initial `ops-warden/warden-sign` pilot grant, plus `scripts/credential-grants-validate.py` and `make credential-grants-validate`. The validator enforces required fields, TTL bounds, denied delivery modes, disallowed OpenBao policies, audit/revocation expectations, and secret-looking marker rejection.
## T03 - Configure bounded OpenBao token roles and policies
```task