Commit graph

16 commits

Author SHA1 Message Date
86209fa90c CCR-2026-0007: binky IMAP on tenants/ mount + CCR allowlist
All checks were successful
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 2s
Enable tenant commercial secrets: applier accepts mount tenants/, apply
policy and OIDC role for company-email IMAP (metadata only; values are
founder Red provision). Extend agent-high-risk-boundary for the path.
2026-07-17 00:09:28 +02:00
347226eb36 CCR-2026-0004: capabilities-safe verify + agent high-risk boundary
All checks were successful
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 1s
Record WP-0026 T07 promotion evidence (no secret values), mark the
offsite backup lane front door resolvable/ready, and add OpenBao policy
agent-high-risk-boundary for coding-agent metadata-only access.
2026-07-16 23:26:28 +02:00
25fc47e5f2 Add CCR-2026-0006 Forgejo admin PAT OpenBao lane
Establish proposed workload-kv-read custody for the Forgejo site-admin
PAT at platform/workloads/forgejo/forgejo-admin, sibling to forgejo-mailer.
OIDC workstation fetch mirrors the railiance-backup-offsite pattern.
2026-07-12 16:01:53 +02:00
e36694648a Support activity-core ISSUE_CORE_API_KEY ExternalSecret on railiance01
All checks were successful
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 3s
Switch openbao-activity-core ClusterSecretStore to interim coulombcore
token auth like forgejo/reuse, broaden the activity-core ESO policy to
include the shared issue-core runtime path, and document ESO-managed rotation.
2026-07-08 00:04:59 +02:00
3719c4dec0 Draft CCR-2026-0005 for reuse-surface runtime secrets lane
All checks were successful
CI Smoke / host-smoke (push) Successful in 7s
CI Smoke / container-smoke (push) Successful in 2s
RAILIANCE-WP-0011-T01: propose OpenBao path
platform/workloads/reuse/reuse-surface/runtime-secrets with
REUSE_SURFACE_TOKEN and REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET, matching
read policy, and metadata review for Railiance01 interim ESO delivery.
2026-07-07 22:21:31 +02:00
0055e8f3f7 Establish railiance backup credentials in OpenBao (CCR-2026-0004).
Some checks are pending
CI Smoke / host-smoke (push) Waiting to run
CI Smoke / container-smoke (push) Waiting to run
Add workload KV lane for Nextcloud WebDAV token, URL, and age recovery
escrow at platform/workloads/railiance/backup/offsite-lane. Apply read
policy and OIDC role railiance-backup-workload-kv-read; wire forgejo-backup
to load credentials from OpenBao when env is unset.
2026-07-07 17:16:30 +02:00
0941d6e8f9 Add OpenBao External Secrets lane for Forgejo mailer on railiance01
All checks were successful
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 6s
Introduce external-secrets-forgejo policy/role, ClusterSecretStore
openbao-forgejo (forgejo namespace), and make openbao-configure-external-secrets-forgejo.
2026-07-07 14:30:02 +02:00
38936d8fd6 Close delegated prod applier pilot 2026-07-01 23:34:13 +02:00
a95236d2e5 Add credential-change delegated applier flow 2026-07-01 20:07:26 +02:00
eb24e04b71 Correct whynot credential tenant path 2026-06-28 01:00:12 +02:00
aee0dcefad Add credential lane readiness proposals 2026-06-27 23:30:29 +02:00
85a4278a55 Add credential approval workflow plan 2026-06-27 22:48:24 +02:00
752cfd6f00 feat: add credential broker token helper 2026-06-27 00:06:03 +02:00
693dc71833 Add ESO OpenBao GitOps add-ons 2026-06-25 20:08:36 +02:00
c24956fb5a feat(openbao): add SSH engine automation for ops-warden signing
Declarative roles, warden-sign policy, apply/verify scripts, and Makefile
targets openbao-configure-ssh and openbao-verify-ssh. Document operator flow
in docs/openbao.md for NET-WP-0020 T5 / WP-0008 T2.
2026-06-18 01:06:43 +02:00
a7ffeb8b46 Platform secret setup 2026-05-23 13:59:58 +02:00