Complete activity-core LLM endpoint handoff (LLM-WP-0006)
Some checks failed
CI / test (3.10) (push) Has been cancelled
CI / test (3.11) (push) Has been cancelled
CI / test (3.12) (push) Has been cancelled

Switch the custodian triage default from anthropic/claude-sonnet-4 to
google/gemini-2.5-flash, which advertises structured-output support on
OpenRouter. Tighten the OpenRouter adapter to send strict JSON schema
requests and set provider.require_parameters=true so routing only hits
providers that honor the requested response_format.

Update Kubernetes deploy docs and config for the verified coulombcore
handoff: Containerfile build path, image-pull-policy=Never for smoke
pods, credential-routing notes, and live smoke evidence. Mark
LLM-WP-0006 finished with closure notes from 2026-06-18.
This commit is contained in:
2026-06-19 13:51:12 +02:00
parent 6a0319ee86
commit 90eb39c247
12 changed files with 176 additions and 27 deletions

View File

@@ -4,13 +4,13 @@ type: workplan
title: "Activity-Core Always-On LLM Endpoint"
domain: custodian
repo: llm-connect
status: blocked
status: finished
owner: codex
topic_slug: activity-core-llm-endpoint
planning_priority: high
planning_order: 6
created: "2026-06-07"
updated: "2026-06-07"
updated: "2026-06-18"
depends_on_workplans:
- LLM-WP-0003
related_workplans:
@@ -20,7 +20,7 @@ state_hub_workstream_id: "8de71d58-1193-424f-8338-a9aa4e173c5b"
# LLM-WP-0006 - Activity-Core Always-On LLM Endpoint
**status:** blocked
**status:** finished
**owner:** codex
## Purpose
@@ -206,7 +206,7 @@ reported distinctly from provider transport failure.
id: LLM-WP-0006-T07
title: "Publish verified LLM_CONNECT_URL handoff and activity-core smoke evidence"
priority: high
status: blocked
status: done
state_hub_task_id: "92e043f0-5ca8-4c2d-b8f6-dd5fbf8ccb62"
```
@@ -341,6 +341,74 @@ Remaining blocked live gate:
`activity-core` with the verified URL and the remaining provider Secret gate
for schema-valid `POST /execute` and `daily_triage` evidence.
2026-06-17 recheck:
- Verified the live `coulombcore` Kubernetes path is reachable and the
`activity-core` namespace `llm-connect` Deployment remains `1/1` available
with Service `llm-connect` on port `8080`.
- Confirmed the `llm-connect-provider-secrets` Secret object exists but still
reports `DATA 0`; no Secret values were inspected.
- Re-ran the in-namespace fixture smoke with the node-local image. The first
corrected pod needed `--image-pull-policy=Never` because the `:latest` tag
otherwise attempted a Docker Hub pull. With the local image, the smoke reached
`/execute` and failed safely with
`configuration_error: Adapter rejected RunConfig`.
- State Hub now also has a 2026-06-16 `daily_triage` event from
`activity-core` showing `LLM_CONNECT_URL is not configured`, and the local
activity-core runtime manifest still has `LLM_CONNECT_URL: ""`.
- `LLM-WP-0006-T07` therefore remains externally blocked until the provider
Secret is populated outside Git/State Hub, activity-core consumes
`http://llm-connect.activity-core.svc.cluster.local:8080` with
`LLM_CONNECT_TIMEOUT_SECONDS=300`, the fixture smoke returns schema-valid
JSON, and a non-secret `daily_triage` evidence event is recorded.
2026-06-18 recheck:
- activity-core has repo-local work to consume the stable URL:
`actcore-runtime-config` now sets
`LLM_CONNECT_URL=http://llm-connect.activity-core.svc.cluster.local:8080`
and `LLM_CONNECT_TIMEOUT_SECONDS=300`.
- The live `activity-core` namespace has not yet been reconciled to that
activity-core runtime surface; live deployments currently show only
`deployment.apps/llm-connect`, and live ConfigMaps show only
`kube-root-ca.crt` and `llm-connect-config`.
- The live `llm-connect-provider-secrets` Secret still reports `DATA 0`; no
Secret values were inspected.
- ops-warden's credential-routing guidance says LLM provider API keys are not
an ops-warden issuance task. The remaining credential gate belongs to the
approved operator/OpenBao-to-Kubernetes Secret path for
`activity-core/llm-connect-provider-secrets`.
- `LLM-WP-0006-T07` remains blocked until the provider Secret is populated,
the activity-core runtime is reconciled with the URL/timeout config, the
fixture smoke returns schema-valid JSON from inside the namespace, and
activity-core records non-secret `daily_triage` evidence.
2026-06-18 closure:
- Populated-provider state is now live: `activity-core/llm-connect-provider-secrets`
reports `DATA 1`; no Secret values were inspected or recorded.
- Updated the OpenRouter structured-output path to request strict JSON schema
output and to set `provider.require_parameters=true` for schema calls, so
OpenRouter routes only to providers that support the requested structured
output parameters.
- OpenRouter model metadata showed the previous
`anthropic/claude-sonnet-4` profile model does not advertise
`response_format`/`structured_outputs`; switched the activity-core profile
and Kubernetes ConfigMap defaults to `google/gemini-2.5-flash`, which does.
- Rebuilt `docker.io/library/llm-connect:latest` from `Containerfile`,
imported it into the `coulombcore` k3s image store, applied the updated
non-secret `llm-connect-config` ConfigMap, and rolled out
`deployment/llm-connect`.
- Verified live ConfigMap values:
`LLM_CONNECT_MODEL=google/gemini-2.5-flash` and
`LLM_CONNECT_CUSTODIAN_TRIAGE_MODEL=google/gemini-2.5-flash`.
- Final in-namespace smoke passed against
`http://llm-connect.activity-core.svc.cluster.local:8080` with:
`smoke: pass health=ok latency_seconds=2.147 recommendations=1`.
- Cleaned up the one-shot smoke pod after collecting logs. The llm-connect
endpoint handoff is complete; collecting scheduled `daily_triage` evidence
now belongs to activity-core / `ACTIVITY-WP-0006`.
## Closure Notes
After this workplan file is added or task statuses change, ask the custodian