# Agent coding read-boundary for high-risk secret lanes (WARDEN-WP-0026 T04). # # Coding agents (Claude/Codex/Grok sessions, automated workers) MUST NOT hold # raw data-read on high-risk recovery/upload/admin secrets. This policy is the # allow-list they *may* carry for those paths: metadata + capabilities only. # Operator OIDC roles keep the full workload-kv-read-* policies separately. # # High-risk set (must stay in sync with ops-warden catalog risk: high): # - railiance backup offsite (WebDAV upload + age recovery escrow) # - forgejo admin PAT # - openrouter LLM provider key (provider spend + prompt-adjacent) # # Apply live: `bao policy write agent-high-risk-boundary openbao/policies/agent-high-risk-boundary.hcl` # Attach to agent AppRoles / tokens; never attach workload-kv-read-* for these paths # to the same identity. # --- railiance-backup-offsite-lane --- path "platform/data/workloads/railiance/backup/offsite-lane" { capabilities = ["deny"] } path "platform/metadata/workloads/railiance/backup/offsite-lane" { capabilities = ["read"] } # --- forgejo-admin --- path "platform/data/workloads/forgejo/forgejo-admin" { capabilities = ["deny"] } path "platform/metadata/workloads/forgejo/forgejo-admin" { capabilities = ["read"] } # --- openrouter-llm-connect --- path "platform/data/workloads/activity-core/llm-connect/llm-connect-provider-secrets" { capabilities = ["deny"] } path "platform/metadata/workloads/activity-core/llm-connect/llm-connect-provider-secrets" { capabilities = ["read"] } # Capabilities introspection (no secret values) path "sys/capabilities-self" { capabilities = ["update"] } path "auth/token/lookup-self" { capabilities = ["read"] }