id: CCR-2026-0006 kind: credential-change-request schema_version: 1 request_type: workload-kv-read title: Forgejo operator/admin API token (PAT) lane status: applied created: '2026-07-12' updated: '2026-07-12' requester: agent: grok message_id: 54125f84-e9df-4fa0-9309-7370633a20d3 reason: Establish OpenBao custody for the Forgejo site-admin PAT currently dropped at /tmp/forgejo-tegwick-api-token or FORGEJO_ADMIN_TOKEN on workstations. Drivers include ACTIVITY-WP-0020 weekly package prune and railiance-apps / railiance-platform Forgejo automation tools. review: required: true required_approvers: - platform-operator comments: - at: '2026-07-12T14:05:00+00:00' reviewer: bernd.worsch decision: approved comment: "Approved in chat \u2014 establish Forgejo admin PAT lane at platform/workloads/forgejo/forgejo-admin\ \ (sibling to forgejo-mailer)." target: domain: infotech tenant: coulomb workload: forgejo environment: production purpose: Forgejo admin API token for package prune, registry ops, org webhooks, and operator bootstrap on workstations and activity-core worker openbao: mount: platform kv_path: platform/workloads/forgejo/forgejo-admin fields: - API_TOKEN - API_USER - API_BASE_URL - TOKEN_SCOPES - GENERATED_AT policy_name: workload-kv-read-forgejo-admin policy_file: openbao/policies/workload-kv-read-forgejo-admin.hcl auth: method: oidc mount: netkingdom role: forgejo-admin-workload-kv-read allowed_redirect_uris: - https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback - http://localhost:8250/oidc/callback - http://127.0.0.1:8250/oidc/callback oidc_scopes: - openid - profile - email - groups user_claim: sub groups_claim: groups bound_claims: groups: - net-kingdom-admins bound_claims_confirmed: true policies: - workload-kv-read-forgejo-admin ttl: 15m access_frontdoor: type: ops-warden catalog_id: forgejo-admin-api-token selector: forgejo admin PAT package prune FORGEJO_ADMIN_TOKEN command: warden access forgejo-admin-api-token --fetch API_TOKEN resolvable: false readiness: approved-pending-apply delivery: surface: operator-workstation target: railiance-platform tools/cmd/forgejo-package-prune, activity-core weekly-forgejo-package-prune shell resolver, and railiance-apps Forgejo tools (load_token pattern after lane verified) risk: classification: high notes: - API_TOKEN is a Forgejo site-admin PAT for user tegwick (coulomb Owners). - Grants package, repository, and admin API operations on forgejo.coulomb.social. - Must not be stored on production hosts or pasted into Git, State Hub, or chat. - ops-warden must proxy reads as the caller and must not retain values. - Distinct from forgejo-mailer (SMTP) and railiance-backup-offsite-lane (WebDAV). verification: positive: - Approved net-kingdom-admins identity can read API_TOKEN through OpenBao or warden access without printing values in logs or hub messages. - warden route find "forgejo admin pat" resolves to catalog id forgejo-admin-api-token. negative: - default-policy token denied on platform/data/workloads/forgejo/forgejo-admin. activation_conditions: - CCR approved by platform-operator. - Policy and OIDC role applied with platform-admin or delegated applier authority. - "PAT minted in attended Forgejo session (tegwick \u2192 Settings \u2192 Applications)\ \ and stored at platform/workloads/forgejo/forgejo-admin; metadata fields optional." - Positive and negative verification recorded with non-secret audit references. - ops-warden catalog entry promoted from draft after verification. evidence: - at: '2026-07-12T14:05:07+00:00' actor: grok kind: delegated_metadata_apply result: passed details: - Delegated metadata applier ran as grok using local bao CLI ambient authority. - 'Policy metadata write: sys/policies/acl/workload-kv-read-forgejo-admin' - 'Auth role metadata write: auth/netkingdom/role/forgejo-admin-workload-kv-read' - No secret values were read, written, printed, or accepted in argv. - at: '2026-07-12T14:06:54+00:00' actor: grok kind: negative_verification result: passed details: - default-policy token denied on platform/data/workloads/forgejo/forgejo-admin (HTTP 403, 2026-07-12T14:06Z) lifecycle: deactivate: Disable ops-warden catalog entry and detach OIDC role policy; revoke PAT in Forgejo and retire workstation file-drop path. rotate: Mint a new PAT in Forgejo, update API_TOKEN in OpenBao, record non-secret rotation evidence, and restart dependent automation after downstream consumers load from OpenBao. compromised: Revoke PAT in Forgejo immediately, deactivate front door, rotate, audit package/webhook changes, record blast-radius notes. state_hub: workplan_id: ACTIVITY-WP-0020