openstack-caracal-ipv4 / docs / security-ledger.md
@JANeumatrix JANeumatrix 10 hours ago 1 KB Patches

Security exposure / obligation ledger (DOCFIX-078)

Commercial posture: every credential exposure, rotation obligation, and security TODO gets a ROW here with an owner and status -- never only a comment in a script header (where the libvirt item below lived for a week). Review this ledger at every phase-00 (teardown) and before any handoff. Locations of key material are deliberately NOT recorded here -- custody detail lives off-repo per D-069.

| id | date | item | source / evidence | owner | status |
|---|---|---|---|---|---|
| SEC-001 | 2026-06-26 | libvirt SSH credential printed in plaintext by maas machine power-parameters during reenroll work | scripts/reenroll-hosts.sh header note | operator | OPEN -- rotate after the current rebuild completes |
| SEC-002 | 2026-06-17 | juju action params persist in the operation log -- charm authorization must use short-lived child tokens | DOCFIX-011 | operator | STANDING RULE (verify each vault authorize) |
| SEC-003 | 2026-07-03 | Vault unseal-key custody is single-operator (bus factor) | D-069 | operator | OPEN -- assign custodians + rehearse second-person unseal |
| SEC-004 | 2026-05-27 | repo temporarily PUBLIC for v1 web_fetch workflow | project completion list | operator | OPEN -- flip to private at v1 close |