Enable tenant commercial secrets: applier accepts mount tenants/, apply policy and OIDC role for company-email IMAP (metadata only; values are founder Red provision). Extend agent-high-risk-boundary for the path.
11 lines
378 B
HCL
11 lines
378 B
HCL
# Least-privilege read policy for Binky company email IMAP credentials.
|
|
# Tenant mount (WARDEN-WP-0028) — client commercial secrets, not platform workloads.
|
|
# Exact path only; no list on parent, no sibling tenant paths.
|
|
|
|
path "tenants/data/binky/company-email/imap" {
|
|
capabilities = ["read"]
|
|
}
|
|
|
|
path "tenants/metadata/binky/company-email/imap" {
|
|
capabilities = ["read"]
|
|
}
|