railiance-platform/credential-change-requests/CCR-2026-0007-binky-company-email-imap.yaml
tegwick 86209fa90c
All checks were successful
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 2s
CCR-2026-0007: binky IMAP on tenants/ mount + CCR allowlist
Enable tenant commercial secrets: applier accepts mount tenants/, apply
policy and OIDC role for company-email IMAP (metadata only; values are
founder Red provision). Extend agent-high-risk-boundary for the path.
2026-07-17 00:09:28 +02:00

118 lines
4.3 KiB
YAML

id: CCR-2026-0007
kind: credential-change-request
schema_version: 1
request_type: workload-kv-read
title: Binky company email IMAP credentials (tenant lane)
status: applied
created: '2026-07-17'
updated: '2026-07-17'
requester:
agent: grok
reason: Establish OpenBao custody for Binky-Hedgehog GmbH company mailbox IMAP credentials
used by email-connect read-only scans (binky-control dogfood; WARDEN-WP-0028 first
tenant lane on mount tenants/).
review:
required: true
required_approvers:
- platform-operator
comments:
- at: '2026-07-17T00:00:00+00:00'
reviewer: bernd.worsch
decision: approved
comment: "Approved in chat \u2014 proceed with tenants/ mount and binky company-email\
\ IMAP lane; founder provisions values Red-lane once."
target:
domain: financials
tenant: binky
workload: company-email
environment: production
purpose: Read-only IMAP scan of company mailbox for control-plane event intake
openbao:
mount: tenants
kv_path: tenants/binky/company-email/imap
fields:
- IMAP_USERNAME
- IMAP_PASSWORD
policy_name: workload-kv-read-binky-company-email-imap
policy_file: openbao/policies/workload-kv-read-binky-company-email-imap.hcl
auth:
method: oidc
mount: netkingdom
role: binky-company-email-imap-workload-kv-read
allowed_redirect_uris:
- https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
- http://localhost:8250/oidc/callback
- http://127.0.0.1:8250/oidc/callback
oidc_scopes:
- openid
- profile
- email
- groups
user_claim: sub
groups_claim: groups
bound_claims:
groups:
- net-kingdom-admins
bound_claims_confirmed: true
policies:
- workload-kv-read-binky-company-email-imap
ttl: 15m
access_frontdoor:
type: ops-warden
catalog_id: binky-company-email-imap
selector: binky company email imap mailbox
command: warden access binky-company-email-imap --out FILE
resolvable: false
readiness: applied-pending-provision
delivery:
surface: operator-workstation
target: email-connect scan-mailbox via env IMAP_USERNAME/IMAP_PASSWORD (names only
in config); binky-control mailmeta for metadata-only evidence
risk:
classification: high
notes:
- IMAP credentials grant mailbox read access for the company domain.
- "High-risk lane (WP-0026 T04) \u2014 agents must not stream raw values; use --out/--exec/--wrap."
- Values must not appear in Git, State Hub, chat, or workplans.
- ops-warden proxies as the caller and must not retain values.
- Distinct from platform/workloads/* fleet lanes; lives on mount tenants/.
verification:
positive:
- Approved net-kingdom-admins identity can read the data path (capabilities include
read) without printing values.
negative:
- default-policy token denied on tenants/data/binky/company-email/imap.
activation_conditions:
- tenants/ KV v2 mount enabled on bao.coulomb.social.
- Policy and OIDC role applied.
- Secret values provisioned by founder (Red lane) through approved custody.
- Positive and negative capabilities-safe verification recorded.
- ops-warden catalog promoted after verify + provision.
evidence:
- at: '2026-07-17T00:00:00+00:00'
actor: grok
kind: mount_enable
result: passed
details:
- 'Enabled KV v2 mount tenants/ description: Client/tenant commercial secrets
(WARDEN-WP-0028).'
- No secret values written.
- at: '2026-07-17T12:00:00+00:00'
actor: grok
kind: delegated_metadata_apply
result: passed
details:
- 'Policy metadata write: sys/policies/acl/workload-kv-read-binky-company-email-imap'
- 'Auth role metadata write: auth/netkingdom/role/binky-company-email-imap-workload-kv-read'
- "Capabilities-safe: lane-policy token \u2192 read on tenants/data/.../imap;\
\ default-policy \u2192 deny"
- No secret values written (founder Red provision remains).
lifecycle:
deactivate: Disable ops-warden catalog entry and detach OIDC role policy; rotate
mailbox password at provider.
rotate: Mint a new mailbox app password; bao kv put tenants/binky/company-email/imap
IMAP_PASSWORD=@file; verify capabilities-safe.
compromised: Deactivate front door, rotate mailbox password, clear EXPOSED taint
after rotation, record blast-radius notes.
state_hub:
workplan_id: WARDEN-WP-0028