Accept non-UUID triggering_event_id and add GitOps runbook

Broaden POST /issues/ so triggering_event_id is any non-empty traceability
string, enabling cron/scheduled activity-core emissions with stable keys like
"scheduled" while event-driven paths still send UUIDs. Document the railiance01
ArgoCD deployment path in docs/argocd-gitops.md and update ISSUE-WP-0003 task
status to reflect repo-side progress.

workplans/ISSUE-WP-0003-railiance01-deployment.md

@@ -8,7 +8,7 @@ status: active
 owner: claude
 topic_slug: custodian
 created: "2026-06-19"
-updated: "2026-06-19"
+updated: "2026-06-23"
 state_hub_workstream_id: "896ace77-21b3-450b-8fb7-254aefc8c570"
 ---
 
@@ -52,6 +52,15 @@ declarative Application and turning on the idle GitOps capability.
   registry) → `rsync` manifests → `kubectl apply` (see
   `activity-core/k8s/railiance/README.md`).
 
+## Repo-side progress (2026-06-23)
+
+- Added `docs/argocd-gitops.md` with the issue-core GitOps runbook, including
+  image publish, ArgoCD sync checks, OpenBao/ExternalSecret contract, health
+  probe, authenticated ingestion smoke, cleanup, and activity-core handoff.
+- Broadened `POST /issues/` so `triggering_event_id` accepts any non-empty
+  traceability string. Event-driven activity-core paths can still send UUIDs;
+  scheduled/cron paths may now send a stable key such as `scheduled`.
+
 ## Decisions
 
 - **Deployment method = ArgoCD GitOps** (operator decision 2026-06-19).
@@ -156,7 +165,7 @@ state_hub_task_id: "38887dd6-0988-4ad1-bc6b-2a1b8839829f"
 
 ```task
 id: ISSUE-WP-0003-T04
-status: todo
+status: wait
 priority: high
 state_hub_task_id: "ad52527f-6222-4c11-9284-d8a3ed3b49ad"
 ```
@@ -171,6 +180,9 @@ state_hub_task_id: "ad52527f-6222-4c11-9284-d8a3ed3b49ad"
 - Never write the value to Git, manifests, State Hub, or logs.
 - Verify: both pods resolve a non-empty key; auth round-trip (401 without,
   201 with).
+- Current wait reason: requires railiance-platform/OpenBao operator action to
+  confirm/provision the canonical path and `ClusterSecretStore`;
+  issue-core records only the Secret contract and non-secret verification steps.
 
 ## In-cluster backend config (cluster Gitea / markitect)
 
@@ -195,7 +207,7 @@ the cluster Gitea (markitect) backend.
 
 ```task
 id: ISSUE-WP-0003-T06
-status: todo
+status: progress
 priority: high
 state_hub_task_id: "96b14cdb-364f-4eab-a80e-dd8b3859c694"
 ```
@@ -207,11 +219,10 @@ state_hub_task_id: "96b14cdb-364f-4eab-a80e-dd8b3859c694"
   once issue-core is Ready.
 - Inject `ISSUE_CORE_API_KEY` into the activity-core worker from the same
   OpenBao secret (T04).
-- **Contract gap:** issue-core requires `triggering_event_id` as a UUID;
-  activity-core cron paths may send non-UUID keys (e.g. `"scheduled"`).
-  Event-driven emission with real event UUIDs works (the `str()` guard in
-  `issue_sink.py`, commit f05c56e, handles UUID objects). Align schemas before
-  enabling `rest` for cron-triggered rules.
+- [x] **Contract gap closed on the issue-core side:** `POST /issues/` now
+  accepts `triggering_event_id` as a non-empty traceability string, so
+  event-driven paths can send UUIDs and cron paths can send stable keys such as
+  `"scheduled"`.
 - Verify: an activity-core run emits a task that lands in cluster Gitea via
   issue-core.
 
@@ -219,7 +230,7 @@ state_hub_task_id: "96b14cdb-364f-4eab-a80e-dd8b3859c694"
 
 ```task
 id: ISSUE-WP-0003-T07
-status: todo
+status: progress
 priority: medium
 state_hub_task_id: "8d853b8e-cfca-441d-b817-0a29e37bd66e"
 ```
@@ -229,8 +240,8 @@ state_hub_task_id: "8d853b8e-cfca-441d-b817-0a29e37bd66e"
 - ArgoCD Application Synced/Healthy; issue-core Pod Ready; Service reachable
   cluster-internal.
 - activity-core → issue-core emission returns 201 and creates a Gitea issue.
-- Document the GitOps runbook (image build/push, ArgoCD sync, secret rotation,
-  rollback) in `docs/`.
+- [x] Document the GitOps runbook (image build/push, ArgoCD sync, secret
+  contract, smoke, activity-core handoff) in `docs/argocd-gitops.md`.
 - Emit an `add_progress_event` milestone to the hub on completion.
 
 ---