diff --git a/docs/design-decisions.md b/docs/design-decisions.md index c00978f..f3ec6aa 100644 --- a/docs/design-decisions.md +++ b/docs/design-decisions.md @@ -727,9 +727,9 @@ The D-042 cosmetic `health_status = UNHEALTHY` false-negative is a property of driver builds <= 1.3.0 (the v1beta2 contract-ref mismatch: those builds read `apiVersion` off the infrastructureRef, which CAPI v1.13's v1beta2 contract no longer carries). The RELEASED 1.4.0 driver carries the `api_resources` override and reports `health_status = HEALTHY` against the CAPI v1.13.2 / CAPO v0.14.4 stack (confirmed this rebuild). FINDING-5: D-042 is therefore CLOSED for v1 -- the UNHEALTHY caveat applies only to the historical <=1.3.0 holding state, NOT to the as-built 1.4.0 pin. Auto-heal is still NOT wired to health_status (CAPI MachineHealthCheck heals independently). -## D-050: PROPOSED / OPEN -- keystone `use-policyd-override=true` with no policy zip (FINDING-1) +## D-050: RESOLVED / CLOSED (2026-07-06) -- keystone `use-policyd-override=true` with no policy zip (FINDING-1) -**Status:** PROPOSED / OPEN (recorded 2026-06-17; no action taken). +**Status:** RESOLVED / CLOSED 2026-07-06 (recorded 2026-06-17 as an unruled finding; operator ruling: resolved via D-051 option (b); see the RESOLVED amendment near the end of this file). Scan note: this line deliberately avoids the unruled-status keywords so ledger-scan closes the block; the history arrow lives in the amendment. **Question:** keystone is configured with `use-policyd-override=true` but no policy override zip is supplied. This is currently a no-op (no custom policy applied), but the flag advertises an override capability that does not exist -- a latent footgun (a future operator may assume policy is being enforced, or a stray zip could silently change authz). @@ -1718,3 +1718,50 @@ **Related:** D-044, D-072 mechanism in appendix-A, DOCFIX-089 (fail-closed 3.3 check), BUNDLEFIX-011, changelog addenda 15 + 18. + +## D-050 -- RESOLVED (2026-07-06): closed via D-051 (operator ruling) + +Operator ruled 2026-07-06: D-050 is CLOSED as resolved by D-051's option (b) -- the +`use-policyd-override=true` flag is no longer a no-op footgun because the reviewed +domain-manager policy zip ships bundle-native (D-051 amendment / DOCFIX-071), with a +FAIL-CLOSED zip-vs-yaml drift check in the deploy gate and behavioral acceptance at +G3 (appendix-C C.4 probe). Closure condition attached by the operator: the exact +settings + policy set for error-free tenant standup must remain clearly defined -- +that set is: bundle keystone `use-policyd-override=true` + `resources.policyd-override` +zip (committed beside source), provider-bundle-check content compare, and the C.4 +behavioral probe. Any future policy delta rides the same mechanism (see D-073 for the +first such delta). **Resolves:** D-050 (was PROPOSED/OPEN since 2026-06-17). +**Related:** D-051 + amendment, D-064, D-073, FINDING-1. + +## D-073: ADOPTED -- tighten identity:list_trusts to the modern keystone default + +**Status:** ADOPTED 2026-07-06 (operator-ruled); implementation + testing REQUIRED +before live apply -- nothing applied yet. + +**Problem (carried from the D-064 create_trust fix, "PROPOSED/OPEN separate +hardening"):** live `identity:list_trusts = ""` lets ANY authenticated user enumerate +ALL trusts cloud-wide (trustor/trustee/project relationships) -- cross-tenant info +disclosure on a commercial multi-tenant cloud. Newer keystone defaults tighten this to +`rule:admin_required or (role:reader and system_scope:all)`. + +**Decision:** adopt the modern default for `identity:list_trusts` (and evaluate the +read-rule siblings `identity:get_trust` / `identity:list_roles_for_trust` at the same +shipped defaults while in there) via the SAME policyd-override zip mechanism as +D-051/D-064 -- policy source edited, zip rebuilt, bundle resource updated, deploy-gate +drift check green, live update via the gated attach-resource path (appendix-C C.3), +behavioral verify: tenant user gets 403 on `openstack trust list`, operator +admin still succeeds, magnum cluster create/delete (trust machinery) unaffected. + +**Sequencing (proposed, operator to confirm):** land this BEFORE batch-3 d011-05 so +the P3 isolation acceptance validates the final shipping policy, not a superseded one. + +**Related:** D-064 (origin), D-051 (mechanism), D-050 (closed), scs-0302 posture. + +## D-072 -- AMENDMENT (2026-07-06): upstream bug NOT filed (operator ruling) + +Operator ruled 2026-07-06: the drafted upstream bug (docs/upstream-bug-draft-dashboard-tls.md) +will NOT be submitted -- the root condition is judged a site misconfiguration (cluster +binding pointed at a third space) rather than a charm defect to report. The draft stays +in-repo for history; the addendum-18 OPERATOR ACTION item is withdrawn. The Roosevelt +invariant from D-072 ("cluster binding space == default binding space for TLS-fronted +charms") is UNCHANGED and remains the carry-forward. diff --git a/docs/security-ledger.md b/docs/security-ledger.md index 8740e3a..efa92a3 100644 --- a/docs/security-ledger.md +++ b/docs/security-ledger.md @@ -9,7 +9,7 @@ | id | date | item | source / evidence | owner | status | |---|---|---|---|---|---| -| SEC-001 | 2026-06-26 | libvirt SSH credential printed in plaintext by `maas machine power-parameters` during reenroll work | scripts/reenroll-hosts.sh header note | operator | OPEN -- rotate after the current rebuild completes | +| SEC-001 | 2026-06-26 | libvirt SSH credential printed in plaintext by `maas machine power-parameters` during reenroll work | scripts/reenroll-hosts.sh header note | operator | OPEN -- rotate at v1 close (operator ruling 2026-07-06; was "after rebuild") | | SEC-002 | 2026-06-17 | juju action params persist in the operation log -- charm authorization must use short-lived child tokens | DOCFIX-011 | operator | STANDING RULE (verify each vault authorize) | -| SEC-003 | 2026-07-03 | Vault unseal-key custody is single-operator (bus factor) | D-069 | operator | OPEN -- assign custodians + rehearse second-person unseal | -| SEC-004 | 2026-05-27 | repo temporarily PUBLIC for v1 web_fetch workflow | project completion list | operator | OPEN -- flip to private at v1 close | +| SEC-003 | 2026-07-03 | Vault unseal-key custody is single-operator (bus factor) | D-069 | operator | OPEN -- assign custodians + rehearse second-person unseal (DEFERRED 2026-07-06 by operator; note: keeps d011-06 MANUAL, gates D-011 full close) | +| SEC-004 | 2026-05-27 | repo temporarily PUBLIC for v1 web_fetch workflow | project completion list | operator | OPEN -- flip to private at v1 close (deferral reaffirmed 2026-07-06) | diff --git a/docs/session-ledger.md b/docs/session-ledger.md index 98a1414..b17bdf1 100644 --- a/docs/session-ledger.md +++ b/docs/session-ledger.md @@ -21,17 +21,18 @@ ## Machine-derived (re-seed from `scripts/ledger-scan.sh`; do not hand-edit) -_As of repo HEAD 968fe6c, 2026-07-05 (re-run the scan to refresh):_ +_As of 2026-07-06 (addendum-20 ruling sweep; re-run the scan to refresh):_ -- **PROPOSED / OPEN decisions:** D-050 (keystone `use-policyd-override=true` with no - policy zip, FINDING-1), D-068 (Vault substrate hardening, Roosevelt -- 1.16 ruled - out per amendment; off-EOL path OPEN), D-071 (routine update cadence + controller - patch policy -- operator to rule; gated on the pre-DC-DC HA/backup session). -- **OPEN security rows:** SEC-001 (rotate after the current rebuild completes), - SEC-003 (assign custodians + rehearse second-person unseal), SEC-004 (flip repo - to private at v1 close). -- **Next-free numbers:** D = 073, DOCFIX = 091, BUNDLEFIX = 012. - (Scan, handoff-20260705, and the changelog next-free pointer all agree.) +- **PROPOSED / OPEN decisions:** D-068 (Vault substrate hardening, Roosevelt -- 1.16 + ruled out per amendment; off-EOL path OPEN), D-071 (routine update cadence + + controller patch policy -- operator to rule; gated on the pre-DC-DC HA/backup + session). _(D-050 RESOLVED/CLOSED 2026-07-06 via D-051; D-073 filed ADOPTED, + implementation pending -- not scan-tracked as open.)_ +- **OPEN security rows:** SEC-001 (rotate at v1 close, re-ruled 2026-07-06), + SEC-003 (custodians + second-person unseal -- DEFERRED; keeps d011-06 MANUAL), + SEC-004 (flip repo to private at v1 close -- deferral reaffirmed). +- **Next-free numbers:** D = 074, DOCFIX = 091, BUNDLEFIX = 012. + (Scan and the addendum-20 changelog next-free pointer agree.) --- @@ -171,13 +172,32 @@ appended per the handoff reconcile item. Fences validate 4/0/0. - FINDING (logged, not actioned): `repo_lint.py` L5 "next-free identifiers" info line counts ANY textual mention of D-/DOCFIX-/BUNDLEFIX-NNN across all files, so - it is inflated by the deliberate tests/ledger-scan fixture (DOCFIX-099 / - BUNDLEFIX-050, "must NOT inflate") and by next-free pointer lines themselves - (reports D-074/DOCFIX-100/BUNDLEFIX-051). ledger-scan (heading-based, pointer- - excluding) is the numbering authority and is correct. DOCFIX candidate: make L5 - reuse ledger-scan's exclusion rules or drop the info line. No number consumed. + it is inflated by the deliberate high-numbered decoys in the tests/ledger-scan + fixture ("must NOT inflate") and by next-free pointer lines themselves. ledger-scan + (heading-based, pointer-excluding) is the numbering authority and is correct. + DOCFIX candidate: make L5 reuse ledger-scan's exclusion rules or drop the line. + No number consumed. NOTE (2026-07-06 correction): the first version of THIS bullet + quoted the decoy tokens literally and thereby inflated ledger-scan's own + DOCFIX/BUNDLEFIX next-free (docs/ prose is scan-scanned; only "next-free" lines + are excluded). Tokens de-fanged; standing rule: never write identifier-shaped + tokens above the real high-water mark in docs/ or runbooks/ prose. - Standing by for batch-3 live validation support (verify-live queue). +## Jumphost stream -- session 2026-07-06 (operator ruling sweep; addendum 20) + +- RECORDED: D-050 RESOLVED/CLOSED via D-051 (operator ruling); D-073 ADOPTED + (identity:list_trusts tightened to modern keystone default -- IMPLEMENTATION + + TESTING PENDING, nothing live yet; proposed sequencing: before batch-3 d011-05); + D-072 amendment (upstream dashboard-TLS bug WITHDRAWN -- operator judges site + misconfig, draft retained); SEC-001 -> rotate at v1 close; SEC-003/004 deferred. +- PINNED (operator): D-071 ratification and D-068 off-EOL path choice held until + A1/A2 (batch-3 entry) complete. Magnum can-upgrade-to upstream report pinned. +- A1 foil-tenant onboarding APPROVED in principle; tenant-structure model under + discussion first (SCS Domain Manager persona confirmation + operator/tenant + responsibility split). A2 (d011-04 disruptive gating) held behind A1. +- IN DISCUSSION (B2): OpenBao evaluation; D-068 item 2 (vault_url cleartext http); + D-068 item 3 (AppRole TTL audit + proactive probe) scoping. + diff --git a/docs/v1-redeploy-changelog.md b/docs/v1-redeploy-changelog.md index d1c64e3..910185d 100644 --- a/docs/v1-redeploy-changelog.md +++ b/docs/v1-redeploy-changelog.md @@ -2054,3 +2054,22 @@ REVERT: git checkout HEAD~ -- scripts/ledger-scan.sh tests/ledger-scan/run-tests.sh docs/session-ledger.md runbooks/appendix-B-asbuilt-version-lock.md Next-free after this push (per scan, keep this line unwrapped): D-073, DOCFIX-091, BUNDLEFIX-012. + +### 2026-07-06 (addendum 20, jumphost stream) -- operator ruling sweep: D-050 closed, D-073 adopted, SEC re-triggers, D-072 bug withdrawn + +Operator issued a batch of rulings in the 2026-07-06 session; recorded in canonical +homes, nothing applied live yet: +- docs/design-decisions.md: D-050 RESOLVED via D-051 option (b) (operator ruling; the + policyd zip is bundle-native with fail-closed drift gate + behavioral G3 acceptance). +- docs/design-decisions.md: D-073 filed ADOPTED -- tighten identity:list_trusts to the + modern keystone default via the D-051 zip mechanism. IMPLEMENTATION + TESTING PENDING; + no live change in this addendum. Proposed sequencing: land before batch-3 d011-05. +- docs/design-decisions.md: D-072 amendment -- upstream dashboard-TLS bug WITHDRAWN + (operator judges it site misconfiguration, not a charm defect); draft retained in-repo. +- docs/security-ledger.md: SEC-001 trigger re-ruled to v1 close; SEC-003 deferred + (explicitly noted it keeps d011-06 MANUAL); SEC-004 deferral reaffirmed. +- Pinned (no action): D-071 ratification and D-068 off-EOL path choice held until + A1/A2 (batch-3 entry) complete; magnum can-upgrade-to upstream report pinned. +REVERT: git checkout HEAD~ -- docs/design-decisions.md docs/security-ledger.md docs/session-ledger.md docs/v1-redeploy-changelog.md + +Next-free after this push (per scan, keep this line unwrapped): D-074, DOCFIX-091, BUNDLEFIX-012.