Enable tenant commercial secrets: applier accepts mount tenants/, apply policy and OIDC role for company-email IMAP (metadata only; values are founder Red provision). Extend agent-high-risk-boundary for the path.
39 lines
1.1 KiB
HCL
39 lines
1.1 KiB
HCL
# Agent coding read-boundary for high-risk secret lanes (WARDEN-WP-0026 T04 / WP-0028).
|
|
#
|
|
# Coding agents MUST NOT hold raw data-read on high-risk recovery/upload/admin
|
|
# or tenant mailbox secrets. Metadata + capabilities only.
|
|
|
|
# --- platform high-risk ---
|
|
path "platform/data/workloads/railiance/backup/offsite-lane" {
|
|
capabilities = ["deny"]
|
|
}
|
|
path "platform/metadata/workloads/railiance/backup/offsite-lane" {
|
|
capabilities = ["read"]
|
|
}
|
|
path "platform/data/workloads/forgejo/forgejo-admin" {
|
|
capabilities = ["deny"]
|
|
}
|
|
path "platform/metadata/workloads/forgejo/forgejo-admin" {
|
|
capabilities = ["read"]
|
|
}
|
|
path "platform/data/workloads/activity-core/llm-connect/llm-connect-provider-secrets" {
|
|
capabilities = ["deny"]
|
|
}
|
|
path "platform/metadata/workloads/activity-core/llm-connect/llm-connect-provider-secrets" {
|
|
capabilities = ["read"]
|
|
}
|
|
|
|
# --- tenant high-risk (WARDEN-WP-0028) ---
|
|
path "tenants/data/binky/company-email/imap" {
|
|
capabilities = ["deny"]
|
|
}
|
|
path "tenants/metadata/binky/company-email/imap" {
|
|
capabilities = ["read"]
|
|
}
|
|
|
|
path "sys/capabilities-self" {
|
|
capabilities = ["update"]
|
|
}
|
|
path "auth/token/lookup-self" {
|
|
capabilities = ["read"]
|
|
}
|