140 lines
5.1 KiB
YAML
140 lines
5.1 KiB
YAML
id: CCR-2026-0007
|
|
kind: credential-change-request
|
|
schema_version: 1
|
|
request_type: workload-kv-read
|
|
title: Binky company email IMAP credentials (tenant lane)
|
|
status: active
|
|
created: '2026-07-17'
|
|
updated: '2026-07-17'
|
|
requester:
|
|
agent: grok
|
|
reason: Establish OpenBao custody for Binky-Hedgehog GmbH company mailbox IMAP credentials
|
|
used by email-connect read-only scans (binky-control dogfood; WARDEN-WP-0028 first
|
|
tenant lane on mount tenants/).
|
|
review:
|
|
required: true
|
|
required_approvers:
|
|
- platform-operator
|
|
comments:
|
|
- at: '2026-07-17T00:00:00+00:00'
|
|
reviewer: bernd.worsch
|
|
decision: approved
|
|
comment: "Approved in chat \u2014 proceed with tenants/ mount and binky company-email\
|
|
\ IMAP lane; founder provisions values Red-lane once."
|
|
target:
|
|
domain: financials
|
|
tenant: binky
|
|
workload: company-email
|
|
environment: production
|
|
purpose: Read-only IMAP scan of company mailbox for control-plane event intake
|
|
openbao:
|
|
mount: tenants
|
|
kv_path: tenants/binky/company-email/imap
|
|
fields:
|
|
- IMAP_USERNAME
|
|
- IMAP_PASSWORD
|
|
policy_name: workload-kv-read-binky-company-email-imap
|
|
policy_file: openbao/policies/workload-kv-read-binky-company-email-imap.hcl
|
|
auth:
|
|
method: oidc
|
|
mount: netkingdom
|
|
role: binky-company-email-imap-workload-kv-read
|
|
allowed_redirect_uris:
|
|
- https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
|
|
- http://localhost:8250/oidc/callback
|
|
- http://127.0.0.1:8250/oidc/callback
|
|
oidc_scopes:
|
|
- openid
|
|
- profile
|
|
- email
|
|
- groups
|
|
user_claim: sub
|
|
groups_claim: groups
|
|
bound_claims:
|
|
groups:
|
|
- net-kingdom-admins
|
|
bound_claims_confirmed: true
|
|
policies:
|
|
- workload-kv-read-binky-company-email-imap
|
|
ttl: 15m
|
|
access_frontdoor:
|
|
type: ops-warden
|
|
catalog_id: binky-company-email-imap
|
|
selector: binky company email imap mailbox
|
|
command: warden access binky-company-email-imap --out FILE
|
|
resolvable: true
|
|
readiness: ready
|
|
delivery:
|
|
surface: operator-workstation
|
|
target: email-connect scan-mailbox via env IMAP_USERNAME/IMAP_PASSWORD (names only
|
|
in config); binky-control mailmeta for metadata-only evidence
|
|
risk:
|
|
classification: high
|
|
notes:
|
|
- IMAP credentials grant mailbox read access for the company domain.
|
|
- "High-risk lane (WP-0026 T04) \u2014 agents must not stream raw values; use --out/--exec/--wrap."
|
|
- Values must not appear in Git, State Hub, chat, or workplans.
|
|
- ops-warden proxies as the caller and must not retain values.
|
|
- Distinct from platform/workloads/* fleet lanes; lives on mount tenants/.
|
|
verification:
|
|
positive:
|
|
- Approved net-kingdom-admins identity can read the data path (capabilities include
|
|
read) without printing values.
|
|
negative:
|
|
- default-policy token denied on tenants/data/binky/company-email/imap.
|
|
activation_conditions:
|
|
- tenants/ KV v2 mount enabled on bao.coulomb.social.
|
|
- Policy and OIDC role applied.
|
|
- Secret values provisioned by founder (Red lane) through approved custody.
|
|
- Positive and negative capabilities-safe verification recorded.
|
|
- ops-warden catalog promoted after verify + provision.
|
|
evidence:
|
|
- at: '2026-07-17T00:00:00+00:00'
|
|
actor: grok
|
|
kind: mount_enable
|
|
result: passed
|
|
details:
|
|
- 'Enabled KV v2 mount tenants/ description: Client/tenant commercial secrets
|
|
(WARDEN-WP-0028).'
|
|
- No secret values written.
|
|
- at: '2026-07-17T12:00:00+00:00'
|
|
actor: grok
|
|
kind: delegated_metadata_apply
|
|
result: passed
|
|
details:
|
|
- 'Policy metadata write: sys/policies/acl/workload-kv-read-binky-company-email-imap'
|
|
- 'Auth role metadata write: auth/netkingdom/role/binky-company-email-imap-workload-kv-read'
|
|
- "Capabilities-safe: lane-policy token \u2192 read on tenants/data/.../imap;\
|
|
\ default-policy \u2192 deny"
|
|
- No secret values written (founder Red provision remains).
|
|
- at: '2026-07-17T00:00:00+00:00'
|
|
actor: bernd.worsch
|
|
kind: secret_provisioned
|
|
result: passed
|
|
details:
|
|
- "Founder set IMAP fields via OpenBao UI (version \u22652; not placeholder)."
|
|
- platform-admin policy extended with tenants/* for UI visibility (2026-07-17).
|
|
- at: '2026-07-17T00:00:00+00:00'
|
|
actor: grok
|
|
kind: capabilities_safe_verify
|
|
result: passed
|
|
details:
|
|
- "lane-policy token \u2192 read on tenants/data/binky/company-email/imap"
|
|
- "default-policy token \u2192 deny"
|
|
- Field presence keys IMAP_USERNAME + IMAP_PASSWORD; no values printed
|
|
- "ops-warden catalog promoted draft\u2192active; resolvable=true"
|
|
- at: '2026-07-17T00:00:00+00:00'
|
|
actor: grok
|
|
kind: frontdoor_activation
|
|
result: passed
|
|
details:
|
|
- catalog id binky-company-email-imap status=active resolvable=true risk=high
|
|
lifecycle:
|
|
deactivate: Disable ops-warden catalog entry and detach OIDC role policy; rotate
|
|
mailbox password at provider.
|
|
rotate: Mint a new mailbox app password; bao kv put tenants/binky/company-email/imap
|
|
IMAP_PASSWORD=@file; verify capabilities-safe.
|
|
compromised: Deactivate front door, rotate mailbox password, clear EXPOSED taint
|
|
after rotation, record blast-radius notes.
|
|
state_hub:
|
|
workplan_id: WARDEN-WP-0028
|