id: CCR-2026-0004 kind: credential-change-request schema_version: 1 request_type: workload-kv-read title: Railiance offsite backup lane (Nextcloud WebDAV + age recovery) status: active created: '2026-07-07' updated: '2026-07-07' requester: agent: grok reason: Move railiance-backup / forgejo-backup credentials from hardcoded script values into OpenBao custody per DISCTL-WP-0003 credential-separation policy. review: required: true required_approvers: - platform-operator comments: - at: '2026-07-07T15:00:00+00:00' reviewer: bernd.worsch decision: approved comment: "Approved in chat \u2014 establish backup lane credentials in OpenBao\ \ for workstation forgejo-backup and railiance-backup tooling (Option A Nextcloud)." target: domain: financials tenant: railiance workload: backup environment: production purpose: age-encrypted offsite backup upload through Nextcloud WebDAV file drop openbao: mount: platform kv_path: platform/workloads/railiance/backup/offsite-lane fields: - NC_WEBDAV_TOKEN - NC_WEBDAV_URL - AGE_PRIVATE_KEY policy_name: workload-kv-read-railiance-backup-offsite-lane policy_file: openbao/policies/workload-kv-read-railiance-backup-offsite-lane.hcl auth: method: oidc mount: netkingdom role: railiance-backup-workload-kv-read allowed_redirect_uris: - https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback - http://localhost:8250/oidc/callback - http://127.0.0.1:8250/oidc/callback oidc_scopes: - openid - profile - email - groups user_claim: sub groups_claim: groups bound_claims: groups: - net-kingdom-admins bound_claims_confirmed: true policies: - workload-kv-read-railiance-backup-offsite-lane ttl: 15m access_frontdoor: type: ops-warden catalog_id: railiance-backup-offsite-lane selector: railiance backup nextcloud webdav token command: warden access railiance-backup-offsite-lane --fetch NC_WEBDAV_TOKEN resolvable: false readiness: applied-pending-verify delivery: surface: operator-workstation target: railiance-platform lib/railiance-backup-common.sh and forgejo-backup via RAILIANCE_BACKUP_NC_TOKEN env (fetched through OpenBao or warden access) risk: classification: high notes: - NC_WEBDAV_TOKEN grants upload to the offsite backup file drop. - "AGE_PRIVATE_KEY decrypts all age-encrypted backup artifacts \u2014 recovery escrow\ \ only." - Credentials must not be stored on production hosts with delete permission. - ops-warden must proxy reads as the caller and must not retain values. verification: positive: - Approved net-kingdom-admins identity can read NC_WEBDAV_TOKEN and AGE_PRIVATE_KEY through OpenBao or ops-warden without printing values. negative: - default-policy token denied on the KV data path. activation_conditions: - Policy and OIDC role applied with platform-admin/operator authority. - Secret values provisioned through approved operator custody from existing sources. - Positive and negative verification recorded with non-secret audit references. evidence: - at: '2026-07-07T15:14:59+00:00' actor: grok kind: delegated_metadata_apply result: passed details: - Delegated metadata applier ran as grok using local bao CLI ambient authority. - 'Policy metadata write: sys/policies/acl/workload-kv-read-railiance-backup-offsite-lane' - 'Auth role metadata write: auth/netkingdom/role/railiance-backup-workload-kv-read' - No secret values were read, written, printed, or accepted in argv. - at: '2026-07-07T15:15:28+00:00' actor: grok kind: secret_provisioned result: passed details: - KV path platform/workloads/railiance/backup/offsite-lane provisioned with NC_WEBDAV_TOKEN, NC_WEBDAV_URL, AGE_PRIVATE_KEY; field presence verified without printing values - 'Delegated metadata apply: policy workload-kv-read-railiance-backup-offsite-lane and OIDC role railiance-backup-workload-kv-read' lifecycle: deactivate: Disable ops-warden catalog entry and detach OIDC role policy; rotate Nextcloud file-drop token at provider. rotate: Mint a new Nextcloud upload token, update NC_WEBDAV_TOKEN in OpenBao, and record non-secret rotation evidence. compromised: Deactivate front door, rotate Nextcloud token and age key, re-encrypt and re-upload backup artifacts where feasible, record blast-radius notes. state_hub: workplan_id: DISCTL-WP-0003