Promote issue-core-ingestion-api-key and openrouter-llm-connect lanes to active

RAILIANCE-WP-0009 T06 / RAILIANCE-WP-0010 T06 (CCR-2026-0002, CCR-2026-0003):
both OpenBao KV paths are live, ESO delivers the Secrets in cluster, and
positive/negative access verification is audit-logged. Catalog entries gain
concrete zero-placeholder handoffs (exec_capable, resolvable); draft tables
and playbook gates updated; routing tests repointed to still-draft lanes.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-02 20:48:39 +02:00
parent 833c36e20a
commit 364eb7dfe1
6 changed files with 86 additions and 36 deletions


@@ -191,7 +191,6 @@ entries:
reviewed: "2026-06-18"
status: active
# --- draft: owner path not yet shipped; hidden from default lookup ---
- id: issue-core-ingestion-api-key
title: issue-core ingestion API key (OpenBao KV + ESO)
need_keywords: [issue-core, ingestion, api, key, openbao, issue_core_api_key, eso, external-secrets]
@@ -200,8 +199,20 @@ entries:
warden_executes: false
wiki_ref: wiki/playbooks/issue-core-ingestion-api-key.md#worker-checklist
canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
reviewed: "2026-06-24"
status: draft
reviewed: "2026-07-02"
status: active
# Concrete, owner-confirmed lane — railiance-platform CCR-2026-0002 / RAILIANCE-WP-0009
# (promoted 2026-07-02): policy workload-kv-read-issue-core-runtime and k8s auth role
# external-secrets-issue-core applied; ExternalSecret issue-core/issue-core-runtime
# SecretSynced; positive + negative access verified with OpenBao audit evidence.
# Production consumer is ESO; warden access proxies reads as the caller (caller's own
# OpenBao authority) and never holds the value.
auth_method: "caller's own OpenBao token (operator OIDC via key-cape, or a token carrying workload-kv-read-issue-core-runtime)"
path_template: "platform/workloads/issue-core/issue-core/issue-core-runtime"
fetch_command: "bao kv get -field=ISSUE_CORE_API_KEY platform/workloads/issue-core/issue-core/issue-core-runtime"
policy_ref: "flex-auth check secret.read:issue-core"
exec_capable: true
lane: secret
- id: openrouter-llm-connect
title: OpenRouter API key for llm-connect in activity-core
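Review bot: the new `fetch_command` (`bao kv get -field=ISSUE_CORE_API_KEY platform/workloads/issue-core/issue-core/issue-core-runtime`) writes the raw key to the caller's stdout, shell history and scrollback, which sits uneasily next to the comment that warden "never holds the value" and that the production consumer is ESO; state in the entry (or the linked playbook) that the command is for operator verification only and should be piped straight into its consumer rather than echoed, so the zero-placeholder handoff does not read as the normal retrieval path. Two smaller consistency points in the same hunk: `exec_capable: true` is added while the unchanged context still says `warden_executes: false`, so the catalog needs one sentence on what "exec capable" means when warden only proxies reads as the caller; and `policy_ref: "flex-auth check secret.read:issue-core"` is scoped to the workload while the OpenBao policy named in the comment (`workload-kv-read-issue-core-runtime`) is scoped to the single KV path, so say which check is authoritative or align the two scopes.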
@@ -211,8 +222,23 @@ entries:
warden_executes: false
wiki_ref: wiki/playbooks/openrouter-llm-connect.md#worker-checklist
canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
reviewed: "2026-06-24"
status: draft
reviewed: "2026-07-02"
status: active
# Concrete, owner-confirmed lane — railiance-platform CCR-2026-0003 / RAILIANCE-WP-0010
# (promoted 2026-07-02): policy workload-kv-read-llm-connect-provider-secrets and k8s
# auth role external-secrets-activity-core applied; ExternalSecret
# activity-core/llm-connect-provider-secrets SecretSynced and llm-connect rolled out on
# the OpenBao-delivered value; positive + negative access verified with audit evidence.
# Production consumer is ESO; warden access proxies reads as the caller and never holds
# the provider key.
auth_method: "caller's own OpenBao token (operator OIDC via key-cape, or a token carrying workload-kv-read-llm-connect-provider-secrets)"
path_template: "platform/workloads/activity-core/llm-connect/llm-connect-provider-secrets"
fetch_command: "bao kv get -field=OPENROUTER_API_KEY platform/workloads/activity-core/llm-connect/llm-connect-provider-secrets"
policy_ref: "flex-auth check secret.read:llm-connect"
exec_capable: true
lane: secret
# --- draft: owner path not yet shipped; hidden from default lookup ---
- id: object-storage-sts
title: Object-storage STS / temporary S3 credentials
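Review bot: the positive and negative access verification for this lane exists only as a comment ("verified with audit evidence") and the CCR number; since `fetch_command` hands out a third-party provider key (`OPENROUTER_API_KEY`) with billing consequences if it leaks, give the evidence a resolvable home, either a field in the entry or a section in `wiki/playbooks/openrouter-llm-connect.md`, so a later reviewer can check that the k8s auth role `external-secrets-activity-core` is the only identity bound to `workload-kv-read-llm-connect-provider-secrets`. As in the issue-core entry, `exec_capable: true` lands next to the unchanged `warden_executes: false` and `policy_ref` (`flex-auth check secret.read:llm-connect`) is coarser than the path-scoped OpenBao policy; the same clarification applies here. Moving the `# --- draft: owner path not yet shipped ---` divider down to sit above `object-storage-sts` is correct for the current entry order, but it is a positional marker, so a future reorder of `entries` will silently mislabel lanes; a per-entry `status: draft` already carries the information, and the divider could be dropped or made a comment on the entry itself.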