4a824d72bd
Apply CCR-2026-0006 Forgejo admin PAT lane metadata
...
Record platform-operator approval, delegated policy/OIDC role apply,
negative verification evidence, and add attended PAT provision script.
2026-07-12 16:07:32 +02:00
618641c984
fix(forgejo): accept FORGEJO_ADMIN_TOKEN and document PAT setup
...
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 3s
Align prune auth with railiance-apps forgejo tools and explain that
package prune needs a Forgejo PAT, not the OpenBao backup lane.
2026-07-12 11:57:35 +02:00
715631dedd
feat(forgejo): add package prune script with retention depth 3
...
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 1s
List and optionally delete package versions beyond the newest three,
protecting production Helm image tags. Adds Make targets and unit tests
for ACTIVITY-WP-0020.
2026-07-12 11:35:04 +02:00
b38b8c1f7f
Send workplan_id only on State Hub progress metadata posts
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 6s
2026-07-09 00:32:54 +02:00
9cbf64ebee
CUST-WP-0055 T05: add State Hub workplan_id scope to credential broker
...
Accept --state-hub-workplan-id / STATE_HUB_WORKPLAN_ID and dual-write
workplan_id plus legacy workstream_id on progress events.
2026-07-08 20:00:35 +02:00
8321e14b46
Unblock credential broker warden-sign pilot
2026-07-01 23:10:38 +02:00
a95236d2e5
Add credential-change delegated applier flow
2026-07-01 20:07:26 +02:00
3527bc1cae
Request groups scope for whynot OIDC role
2026-06-28 13:23:14 +02:00
adf865611c
Mark whynot lane applied pending verification
2026-06-28 12:53:39 +02:00
271aa94642
Record whynot OpenBao lane apply evidence
2026-06-28 12:41:39 +02:00
53f3f4ca10
Document OpenBao Browser CLI limits
2026-06-28 09:18:36 +02:00
f630d5135e
Fix OpenBao role payload handoff
2026-06-28 02:33:42 +02:00
eb24e04b71
Correct whynot credential tenant path
2026-06-28 01:00:12 +02:00
248bc58b6a
Add credential CCR operator handoff
2026-06-28 00:21:02 +02:00
3706ff703e
Link CCR approval to State Hub decision
2026-06-28 00:00:02 +02:00
52687d8b3e
Confirm whynot credential binding
2026-06-27 23:45:31 +02:00
aee0dcefad
Add credential lane readiness proposals
2026-06-27 23:30:29 +02:00
815b124ab1
Implement credential change request review flow
2026-06-27 22:57:21 +02:00
85a4278a55
Add credential approval workflow plan
2026-06-27 22:48:24 +02:00
673ec46e25
feat: complete credential broker source flow
2026-06-27 00:29:53 +02:00
752cfd6f00
feat: add credential broker token helper
2026-06-27 00:06:03 +02:00
c7393d94ab
feat: add credential grant catalog foundation
2026-06-26 17:49:40 +02:00
693dc71833
Add ESO OpenBao GitOps add-ons
2026-06-25 20:08:36 +02:00
50799938db
fix(openbao-ui): handle OIDC callback without Ember popup flow
...
OpenBao's Ember UI expects OIDC to complete in a popup and postMessage to
window.opener. The standalone KeyCape login uses a full-page redirect, so the
callback now exchanges the authorization code directly, persists the UI token
in localStorage, and redirects into the vault UI. Unauthenticated /ui/ loads
also redirect to the standalone login page to avoid ?with= bounce loops.
2026-06-19 21:18:34 +02:00
520c7ea2c0
fix(openbao-ui): serve standalone KeyCape login at /ui/vault/auth
...
Ember's auth route bounces between ?with=netkingdom/ and ?with=token when
OIDC mounts are hidden from the unauthenticated listing. Bypass Ember on the
bare auth path with a static login page that calls auth_url directly; OIDC
callbacks still proxy to the OpenBao UI.
2026-06-19 21:13:08 +02:00
80648a78b7
Stop OpenBao login redirect loop by removing URL rewriting
...
Remove redirect-bootstrap and mount polling that fought Ember's token
fallback. Keep cosmetic overlay and direct KeyCape OIDC on sign-in only.
2026-06-19 21:07:37 +02:00
cb45f29fb2
Fix OpenBao login falling back to token auth
...
Add synchronous redirect-bootstrap, direct KeyCape OIDC on sign-in, and mount
watching so the UI no longer lands on ?with=token when netkingdom is hidden
from unauthenticated mount listing. Document listing_visibility tune helper.
2026-06-19 21:04:31 +02:00
6ddf4e56b4
Add KeyCape login overlay gateway for OpenBao browser UI
...
Streamline bao.coulomb.social login as "Sign in with KeyCape" via a versioned
nginx gateway that injects overlay assets and proxies to OpenBao. Disable chart
ingress in favor of the overlay ingress, wire make openbao-deploy, and add
openbao-verify-login-overlay with upstream drift detection.
2026-06-19 20:28:16 +02:00
423eccc8e9
feat(openbao): enable bao.coulomb.social ingress and Traefik middlewares
...
Expose OpenBao UI via TLS ingress with rate-limit and HSTS middlewares.
Track netkingdom OIDC mount in authenticated verify checks.
2026-06-18 01:23:02 +02:00
7838df6069
fix(openbao): complete SSH apply script for OpenBao 2.5.x issuers
...
Generate default CA via ssh/config/ca, split composite KUBECTL for role writes,
read pubkey from config/ca, allow warden key_id in roles, prefer production kubeconfig.
2026-06-18 01:18:56 +02:00
c24956fb5a
feat(openbao): add SSH engine automation for ops-warden signing
...
Declarative roles, warden-sign policy, apply/verify scripts, and Makefile
targets openbao-configure-ssh and openbao-verify-ssh. Document operator flow
in docs/openbao.md for NET-WP-0020 T5 / WP-0008 T2.
2026-06-18 01:06:43 +02:00
18c1b86498
Reject placeholder OpenBao drill evidence
2026-06-02 02:02:09 +02:00
606a5f3e1e
Add OpenBao emergency drill evidence validator
2026-06-02 00:08:17 +02:00
123b9aafce
Add OpenBao restore evidence validator
2026-06-01 23:57:00 +02:00
5e4040d43d
Add OpenBao authenticated readiness verifier
2026-06-01 22:46:14 +02:00
087bb91b86
Configure OpenBao file audit declaratively
2026-06-01 22:12:23 +02:00
3a5f9f58e9
Clean up OpenBao config rerun output
2026-05-25 15:57:24 +02:00
b76e9101d8
Tolerate declarative OpenBao audit setup
2026-05-25 15:14:41 +02:00
3741294b05
Treat sealed OpenBao preflight as expected
2026-05-25 10:49:29 +02:00
a7ffeb8b46
Platform secret setup
2026-05-23 13:59:58 +02:00