TacoRocket · TacoRocket · Apr 12, 2026 · Apr 12, 2026
@@ -394,12 +394,13 @@ class ChainFamilySpec:
         ),
         current_gap=(
             "The live family is intentionally narrow in v1: direct token-opportunity rows only. "
-            "Broader trust expansion, secret-bearing config starts, and mixed-identity workloads "
-            "still need clearer admission rules or a different family boundary."
+            "Broader trust expansion and secret-bearing config starts still sit outside this "
+            "family, and mixed-identity workloads still need explicit corroboration before "
+            "default admission."
         ),
         best_current_examples=(
             "tokens-credentials -> managed-identities -> permissions",
-            "workloads -> tokens-credentials -> permissions",
+            "tokens-credentials -> env-vars -> managed-identities -> permissions",
         ),
         source_commands=(
             ChainSourceSpec(
@@ -417,6 +418,21 @@ class ChainFamilySpec:
                     "or request tokens."
                 ),
             ),
+            ChainSourceSpec(
+                command="env-vars",
+                minimum_fields=(
+                    "asset_id",
+                    "asset_name",
+                    "setting_name",
+                    "value_type",
+                    "key_vault_reference_identity",
+                    "workload_identity_ids",
+                ),
+                rationale=(
+                    "Provides workload configuration clues that can explicitly name which "
+                    "attached identity a mixed-identity web workload is using."
+                ),
+            ),
             ChainSourceSpec(
                 command="workloads",
                 minimum_fields=(

@@ -0,0 +1 @@
+
@@ -51,6 +51,60 @@
       ],
       "privileged": true,
       "is_current_identity": false
+    },
+    {
+      "principal_id": "cccc2222-2222-2222-2222-222222222222",
+      "display_name": "func-orders-system",
+      "principal_type": "ServicePrincipal",
+      "high_impact_roles": [
+        "Contributor"
+      ],
+      "all_role_names": [
+        "Contributor"
+      ],
+      "role_assignment_count": 1,
+      "scope_count": 1,
+      "scope_ids": [
+        "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-apps"
+      ],
+      "privileged": true,
+      "is_current_identity": false
+    },
+    {
+      "principal_id": "eeee3333-3333-3333-3333-333333333333",
+      "display_name": "app-empty-mi-system",
+      "principal_type": "ServicePrincipal",
+      "high_impact_roles": [
+        "Contributor"
+      ],
+      "all_role_names": [
+        "Contributor"
+      ],
+      "role_assignment_count": 1,
+      "scope_count": 1,
+      "scope_ids": [
+        "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-apps"
+      ],
+      "privileged": true,
+      "is_current_identity": false
+    },
+    {
+      "principal_id": "77770000-0000-0000-0000-000000000001",
+      "display_name": "vmss-edge-01-system",
+      "principal_type": "ServicePrincipal",
+      "high_impact_roles": [
+        "Contributor"
+      ],
+      "all_role_names": [
+        "Contributor"
+      ],
+      "role_assignment_count": 1,
+      "scope_count": 1,
+      "scope_ids": [
+        "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-workload"
+      ],
+      "privileged": true,
+      "is_current_identity": false
     }
   ],
   "issues": []

@@ -47,6 +47,84 @@
       "identity_types": [],
       "attached_to": [],
       "is_current_identity": false
+    },
+    {
+      "id": "cccc2222-2222-2222-2222-222222222222",
+      "principal_type": "ServicePrincipal",
+      "display_name": "func-orders-system",
+      "tenant_id": "11111111-1111-1111-1111-111111111111",
+      "sources": [
+        "managed-identities"
+      ],
+      "scope_ids": [
+        "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-apps"
+      ],
+      "role_names": [
+        "Contributor"
+      ],
+      "role_assignment_count": 1,
+      "identity_names": [
+        "func-orders-system"
+      ],
+      "identity_types": [
+        "systemAssigned"
+      ],
+      "attached_to": [
+        "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-apps/providers/Microsoft.Web/sites/func-orders"
+      ],
+      "is_current_identity": false
+    },
+    {
+      "id": "eeee3333-3333-3333-3333-333333333333",
+      "principal_type": "ServicePrincipal",
+      "display_name": "app-empty-mi-system",
+      "tenant_id": "11111111-1111-1111-1111-111111111111",
+      "sources": [
+        "managed-identities"
+      ],
+      "scope_ids": [
+        "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-apps"
+      ],
+      "role_names": [
+        "Contributor"
+      ],
+      "role_assignment_count": 1,
+      "identity_names": [
+        "app-empty-mi-system"
+      ],
+      "identity_types": [
+        "systemAssigned"
+      ],
+      "attached_to": [
+        "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-apps/providers/Microsoft.Web/sites/app-empty-mi"
+      ],
+      "is_current_identity": false
+    },
+    {
+      "id": "77770000-0000-0000-0000-000000000001",
+      "principal_type": "ServicePrincipal",
+      "display_name": "vmss-edge-01-system",
+      "tenant_id": "11111111-1111-1111-1111-111111111111",
+      "sources": [
+        "managed-identities"
+      ],
+      "scope_ids": [
+        "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-workload"
+      ],
+      "role_names": [
+        "Contributor"
+      ],
+      "role_assignment_count": 1,
+      "identity_names": [
+        "vmss-edge-01-system"
+      ],
+      "identity_types": [
+        "systemAssigned"
+      ],
+      "attached_to": [
+        "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-workload/providers/Microsoft.Compute/virtualMachineScaleSets/vmss-edge-01"
+      ],
+      "is_current_identity": false
     }
   ],
   "issues": []

@@ -4,7 +4,7 @@
     "auth_mode": null,
     "command": "permissions",
     "devops_organization": null,
-    "generated_at": "<generated_at>",
+    "generated_at": "2026-04-12T18:56:06.241502Z",
     "schema_version": "1.3.0",
     "subscription_id": "22222222-2222-2222-2222-222222222222",
     "tenant_id": "11111111-1111-1111-1111-111111111111",
@@ -22,9 +22,9 @@
       "is_current_identity": true,
       "next_review": "Check privesc for the direct abuse or escalation path behind this current identity.",
       "operator_signal": "Direct control visible; current foothold.",
-      "priority": "high",
       "principal_id": "33333333-3333-3333-3333-333333333333",
       "principal_type": "ServicePrincipal",
+      "priority": "high",
       "privileged": true,
       "role_assignment_count": 1,
       "scope_count": 1,
@@ -33,6 +33,72 @@
       ],
       "summary": "Current identity 'azurefox-lab-sp' already has direct control visible through Owner across subscription-wide. Check privesc for the direct abuse or escalation path behind this current identity."
     },
+    {
+      "all_role_names": [
+        "Contributor"
+      ],
+      "display_name": "app-empty-mi-system",
+      "high_impact_roles": [
+        "Contributor"
+      ],
+      "is_current_identity": false,
+      "next_review": "Check managed-identities for the workload pivot behind this direct control row.",
+      "operator_signal": "Direct control visible; workload pivot visible.",
+      "principal_id": "eeee3333-3333-3333-3333-333333333333",
+      "principal_type": "ServicePrincipal",
+      "priority": "high",
+      "privileged": true,
+      "role_assignment_count": 1,
+      "scope_count": 1,
+      "scope_ids": [
+        "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-apps"
+      ],
+      "summary": "ServicePrincipal 'app-empty-mi-system' already has direct control visible through Contributor across subscription-wide, and current scope also shows a workload pivot. Check managed-identities for the workload pivot behind this direct control row."
+    },
+    {
+      "all_role_names": [
+        "Contributor"
+      ],
+      "display_name": "func-orders-system",
+      "high_impact_roles": [
+        "Contributor"
+      ],
+      "is_current_identity": false,
+      "next_review": "Check managed-identities for the workload pivot behind this direct control row.",
+      "operator_signal": "Direct control visible; workload pivot visible.",
+      "principal_id": "cccc2222-2222-2222-2222-222222222222",
+      "principal_type": "ServicePrincipal",
+      "priority": "high",
+      "privileged": true,
+      "role_assignment_count": 1,
+      "scope_count": 1,
+      "scope_ids": [
+        "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-apps"
+      ],
+      "summary": "ServicePrincipal 'func-orders-system' already has direct control visible through Contributor across subscription-wide, and current scope also shows a workload pivot. Check managed-identities for the workload pivot behind this direct control row."
+    },
+    {
+      "all_role_names": [
+        "Contributor"
+      ],
+      "display_name": "vmss-edge-01-system",
+      "high_impact_roles": [
+        "Contributor"
+      ],
+      "is_current_identity": false,
+      "next_review": "Check managed-identities for the workload pivot behind this direct control row.",
+      "operator_signal": "Direct control visible; workload pivot visible.",
+      "principal_id": "77770000-0000-0000-0000-000000000001",
+      "principal_type": "ServicePrincipal",
+      "priority": "high",
+      "privileged": true,
+      "role_assignment_count": 1,
+      "scope_count": 1,
+      "scope_ids": [
+        "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-workload"
+      ],
+      "summary": "ServicePrincipal 'vmss-edge-01-system' already has direct control visible through Contributor across subscription-wide, and current scope also shows a workload pivot. Check managed-identities for the workload pivot behind this direct control row."
+    },
     {
       "all_role_names": [
         "Contributor"
@@ -44,9 +110,9 @@
       "is_current_identity": false,
       "next_review": "Check role-trusts for trust expansion around who can influence this principal.",
       "operator_signal": "Direct control visible; trust expansion follow-on.",
-      "priority": "medium",
       "principal_id": "12121212-1212-1212-1212-121212121212",
       "principal_type": "ServicePrincipal",
+      "priority": "medium",
       "privileged": true,
       "role_assignment_count": 1,
       "scope_count": 1,
@@ -64,9 +130,9 @@
       "is_current_identity": false,
       "next_review": "Check rbac for the exact assignment evidence behind this lower-signal row.",
       "operator_signal": "Direct control not confirmed.",
-      "priority": "low",
       "principal_id": "44444444-4444-4444-4444-444444444444",
       "principal_type": "User",
+      "priority": "low",
       "privileged": false,
       "role_assignment_count": 1,
       "scope_count": 1,

@@ -1,8 +1,10 @@
 {
   "issues": [],
   "metadata": {
+    "auth_mode": null,
     "command": "principals",
-    "generated_at": "<generated_at>",
+    "devops_organization": null,
+    "generated_at": "2026-04-12T18:56:06.240867Z",
     "schema_version": "1.3.0",
     "subscription_id": "22222222-2222-2222-2222-222222222222",
     "tenant_id": "11111111-1111-1111-1111-111111111111",
@@ -56,6 +58,84 @@
         "rbac"
       ],
       "tenant_id": "11111111-1111-1111-1111-111111111111"
+    },
+    {
+      "attached_to": [
+        "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-apps/providers/Microsoft.Web/sites/func-orders"
+      ],
+      "display_name": "func-orders-system",
+      "id": "cccc2222-2222-2222-2222-222222222222",
+      "identity_names": [
+        "func-orders-system"
+      ],
+      "identity_types": [
+        "systemAssigned"
+      ],
+      "is_current_identity": false,
+      "principal_type": "ServicePrincipal",
+      "role_assignment_count": 1,
+      "role_names": [
+        "Contributor"
+      ],
+      "scope_ids": [
+        "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-apps"
+      ],
+      "sources": [
+        "managed-identities"
+      ],
+      "tenant_id": "11111111-1111-1111-1111-111111111111"
+    },
+    {
+      "attached_to": [
+        "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-apps/providers/Microsoft.Web/sites/app-empty-mi"
+      ],
+      "display_name": "app-empty-mi-system",
+      "id": "eeee3333-3333-3333-3333-333333333333",
+      "identity_names": [
+        "app-empty-mi-system"
+      ],
+      "identity_types": [
+        "systemAssigned"
+      ],
+      "is_current_identity": false,
+      "principal_type": "ServicePrincipal",
+      "role_assignment_count": 1,
+      "role_names": [
+        "Contributor"
+      ],
+      "scope_ids": [
+        "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-apps"
+      ],
+      "sources": [
+        "managed-identities"
+      ],
+      "tenant_id": "11111111-1111-1111-1111-111111111111"
+    },
+    {
+      "attached_to": [
+        "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-workload/providers/Microsoft.Compute/virtualMachineScaleSets/vmss-edge-01"
+      ],
+      "display_name": "vmss-edge-01-system",
+      "id": "77770000-0000-0000-0000-000000000001",
+      "identity_names": [
+        "vmss-edge-01-system"
+      ],
+      "identity_types": [
+        "systemAssigned"
+      ],
+      "is_current_identity": false,
+      "principal_type": "ServicePrincipal",
+      "role_assignment_count": 1,
+      "role_names": [
+        "Contributor"
+      ],
+      "scope_ids": [
+        "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-workload"
+      ],
+      "sources": [
+        "managed-identities"
+      ],
+      "tenant_id": "11111111-1111-1111-1111-111111111111"
     }
   ]
 }