From bf6ede2b9e71a5546b88de8230752490d2dd890c Mon Sep 17 00:00:00 2001
From: Viktor Barzin <vbarzin@gmail.com>
Date: Thu, 4 Jun 2026 08:17:36 +0000
Subject: [PATCH] vault: deny secret/data/vault for claude-agent
 terraform-state policy (executor elevation safety narrowing)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 stacks/vault/main.tf | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/stacks/vault/main.tf b/stacks/vault/main.tf
index 8dc3ef8d..d17c9e01 100644
--- a/stacks/vault/main.tf
+++ b/stacks/vault/main.tf
@@ -572,9 +572,9 @@ resource "vault_policy" "terraform_state" {
   # SECURITY: this grants the SHARED claude-agent pod broad Vault READ —
   # effectively every app secret under secret/ and every rotating DB
   # credential. Every agent that runs on this pod inherits it. Vault's own
-  # admin/root secrets are under secret/data/vault (covered by secret/data/*
-  # here — NOT explicitly denied; tighten with an explicit deny if that path
-  # must stay out of reach). No write/delete on secret/ or database/.
+  # admin/root secrets are under secret/data/vault — now explicitly DENIED
+  # below (2026-06-04, Viktor's choice) so they stay out of the pod's reach.
+  # No write/delete on secret/ or database/.
   policy = <<-EOT
     path "database/static-creds/*" {
       capabilities = ["read"]
@@ -588,6 +588,16 @@ resource "vault_policy" "terraform_state" {
     path "secret/metadata/*" {
       capabilities = ["read", "list"]
     }
+    # Explicit deny on Vault's own admin/root creds (Viktor's choice 2026-06-04).
+    # An explicit deny overrides the secret/data/* read grant above, so the
+    # shared claude-agent pod cannot read Vault's bootstrap/admin secrets even
+    # though it can read every other app secret.
+    path "secret/data/vault" {
+      capabilities = ["deny"]
+    }
+    path "secret/metadata/vault" {
+      capabilities = ["deny"]
+    }
   EOT
 }