Skip to content

docs(1claw): per-org Bankr BYOK for key vending#458

Open
kmjones1979 wants to merge 3 commits into
BankrBot:mainfrom
1clawAI:docs/1claw-byok
Open

docs(1claw): per-org Bankr BYOK for key vending#458
kmjones1979 wants to merge 3 commits into
BankrBot:mainfrom
1clawAI:docs/1claw-byok

Conversation

@kmjones1979

@kmjones1979 kmjones1979 commented Jun 8, 2026

Copy link
Copy Markdown
Contributor

Summary

Updates the 1claw skill docs to match the shipped per-org Bankr BYOK model:

  • Org owners/admins configure bk_ptr_ + default wlt_ via Settings → Bankr (PUT /v1/org/bankr-config)
  • Optional deployment-level BANKR_PARTNER_KEY noted as self-hosted fallback only
  • Applies to 1claw/SKILL.md and 1claw/references/mcp-and-api.md

Follow-up to #453 after 1Claw v0.33 BYOK landed in production.

Test plan

Made with Cursor

kmjones1979 and others added 2 commits June 7, 2026 23:17
@kmjones1979 @cursoragent
docs: update 1claw skill for per-org Bankr BYOK
cccb042 
Co-authored-by: Cursor <cursoragent@cursor.com>
@kmjones1979 @cursoragent
docs: align Bankr key vending with per-org BYOK
20e4e84 
Replace stale BANKR_PARTNER_KEY-only wording with org settings and API
config; note optional deployment fallback for self-hosted Vault.

Co-authored-by: Cursor <cursoragent@cursor.com>
saltoriousSIG
saltoriousSIG approved these changes Jun 8, 2026
View reviewed changes

@saltoriousSIG saltoriousSIG left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed this from a public-skill security standpoint. Mostly fine, Ill approve, but please address the one item below:

  • The deployment-level BANKR_PARTNER_KEY fallback can weaken tenant isolation if this runs in shared/self-hosted environments.
  • It’s useful operationally, but it creates a bigger blast radius if org BYOK isn’t set and fallback is left on.

Proposed fix (doc it explicitly):

  1. fallback off by default in multi-tenant environments
  2. require explicit per-org opt-in to use fallback
  3. org BYOK always takes precedence over deployment fallback
  4. log whether each lease used org key vs fallback key
  5. alert when fallback is used in prod

@kmjones1979 @cursoragent
docs: document Bankr fallback tenant-isolation controls
4c480e9 
Address maintainer review on PR BankrBot#458: multi-tenant should not use
BANKR_PARTNER_KEY; org BYOK precedence, audit credential_source, and
prod fallback alerting.

Co-authored-by: Cursor <cursoragent@cursor.com>
@kmjones1979

kmjones1979 commented Jun 8, 2026

Copy link
Copy Markdown
Contributor Author

Thanks @saltoriousSIG — addressed the deployment-fallback tenant-isolation concern in commit 4c480e9:

Docs (this PR)

  • Added Deployment fallback (operators only) section to 1claw/SKILL.md with explicit guidance: do not set BANKR_PARTNER_KEY on multi-tenant SaaS; fallback is self-hosted / single-tenant only
  • Documented precedence (org BYOK always wins), audit credential_source, and prod alerting expectation
  • Expanded 1claw/references/mcp-and-api.md with credential resolution table

Shipped in 1Claw Vault (separate deploy, 20806af)

  • bankr_key.leased audit events now include credential_source (org_byok | platform_fallback)
  • Production Vault (hsm_provider=gcp) emits tracing::warn! when platform_fallback is used so operators can alert on unexpected fallback in prod

Org BYOK precedence was already enforced in resolve_bankr_client(); this adds observability + explicit operator docs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@saltoriousSIG saltoriousSIG saltoriousSIG approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kmjones1979 @saltoriousSIG