feat: add credential grant catalog foundation
This commit is contained in:
parent
693dc71833
commit
c7393d94ab
6 changed files with 617 additions and 5 deletions
|
|
@ -4,13 +4,13 @@ type: workplan
|
|||
title: "Credential Request and Lease Broker"
|
||||
domain: financials
|
||||
repo: railiance-platform
|
||||
status: ready
|
||||
status: active
|
||||
owner: codex
|
||||
topic_slug: railiance
|
||||
planning_priority: high
|
||||
planning_order: 5
|
||||
created: "2026-06-24"
|
||||
updated: "2026-06-24"
|
||||
updated: "2026-06-25"
|
||||
depends_on_workplans:
|
||||
- RAIL-PL-WP-0002
|
||||
state_hub_workstream_id: "2731fece-6c49-45b8-ab8a-4ea6c04ac603"
|
||||
|
|
@ -101,7 +101,7 @@ Mitigations required by this workplan:
|
|||
|
||||
```task
|
||||
id: RAILIANCE-WP-0005-T01
|
||||
status: todo
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "cd680de8-a483-40d6-84fa-369bad60e7c7"
|
||||
```
|
||||
|
|
@ -116,11 +116,13 @@ Acceptance:
|
|||
- Docs state that State Hub stores request metadata only, never secret values.
|
||||
- Ops-warden credential routing can point OpenBao token requests here.
|
||||
|
||||
**2026-06-25:** Added `docs/credential-broker.md` as the ownership and architecture decision. It records that railiance-platform owns OpenBao credential request/generation/delivery, ops-warden owns SSH certificate signing only, State Hub stores non-secret request metadata only, and llm-connect/callers must not place secrets in prompts.
|
||||
|
||||
## T02 - Define credential grant catalog
|
||||
|
||||
```task
|
||||
id: RAILIANCE-WP-0005-T02
|
||||
status: todo
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "6b64ad4b-90cd-475b-aaa9-73997c6b011b"
|
||||
```
|
||||
|
|
@ -144,6 +146,8 @@ Acceptance:
|
|||
- The catalog distinguishes self-service, approval-required, and break-glass grants.
|
||||
- No grant entry contains a secret.
|
||||
|
||||
**2026-06-25:** Added the non-secret grant catalog at `credential-grants/catalog.yaml` with the initial `ops-warden/warden-sign` pilot grant, plus `scripts/credential-grants-validate.py` and `make credential-grants-validate`. The validator enforces required fields, TTL bounds, denied delivery modes, disallowed OpenBao policies, audit/revocation expectations, and secret-looking marker rejection.
|
||||
|
||||
## T03 - Configure bounded OpenBao token roles and policies
|
||||
|
||||
```task
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue