railiance-platform/openbao/policies/workload-kv-read-binky-company-email-imap.hcl
tegwick 86209fa90c
All checks were successful
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 2s
CCR-2026-0007: binky IMAP on tenants/ mount + CCR allowlist
Enable tenant commercial secrets: applier accepts mount tenants/, apply
policy and OIDC role for company-email IMAP (metadata only; values are
founder Red provision). Extend agent-high-risk-boundary for the path.
2026-07-17 00:09:28 +02:00

11 lines
378 B
HCL

# Least-privilege read policy for Binky company email IMAP credentials.
# Tenant mount (WARDEN-WP-0028) — client commercial secrets, not platform workloads.
# Exact path only; no list on parent, no sibling tenant paths.
path "tenants/data/binky/company-email/imap" {
capabilities = ["read"]
}
path "tenants/metadata/binky/company-email/imap" {
capabilities = ["read"]
}