Promote issue-core-ingestion-api-key and openrouter-llm-connect lanes to active

RAILIANCE-WP-0009 T06 / RAILIANCE-WP-0010 T06 (CCR-2026-0002, CCR-2026-0003):
both OpenBao KV paths are live, ESO delivers the Secrets in cluster, and
positive/negative access verification is audit-logged. Catalog entries gain
concrete zero-placeholder handoffs (exec_capable, resolvable); draft tables
and playbook gates updated; routing tests repointed to still-draft lanes.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
2026-07-02 20:48:39 +02:00
parent 833c36e20a
commit 364eb7dfe1
6 changed files with 86 additions and 36 deletions

View File

@@ -94,6 +94,8 @@ run the owner's tool as the caller and preserve owner custody.
| `railiance-infra-principals` | "railiance-infra deploys host principals" | Run the infra Ansible |
| `activity-core-issue-sink` | "activity-core + issue-core own emission — pair `ISSUE_CORE_*` env vars" | See `wiki/playbooks/activity-core-issue-sink.md` |
| `inter-hub-bootstrap-ssh` | "Inter-Hub bootstrap SSH envelope — attended vs unattended branches" | See `wiki/InterHubBootstrapAccessLane.md` |
| `issue-core-ingestion-api-key` | "railiance-platform OpenBao KV + ESO deliver `ISSUE_CORE_API_KEY` — here is the path" | ESO consumes in-cluster; `warden access issue-core-ingestion-api-key --fetch ISSUE_CORE_API_KEY` as yourself |
| `openrouter-llm-connect` | "railiance-platform OpenBao KV + ESO deliver `OPENROUTER_API_KEY` to activity-core" | ESO consumes in-cluster; `warden access openrouter-llm-connect --fetch OPENROUTER_API_KEY` as yourself |
Promotion criteria: `wiki/playbooks/catalog-lane-promotion.md`.
@@ -101,8 +103,6 @@ Promotion criteria: `wiki/playbooks/catalog-lane-promotion.md`.
| Catalog `id` | Routing focus | Playbook |
| --- | --- | --- |
| `issue-core-ingestion-api-key` | OpenBao KV + ESO for `ISSUE_CORE_API_KEY` | `wiki/playbooks/issue-core-ingestion-api-key.md` |
| `openrouter-llm-connect` | OpenRouter key → `llm-connect` in activity-core | `wiki/playbooks/openrouter-llm-connect.md` |
| `object-storage-sts` | NK-WP-0007 STS vending path | `wiki/playbooks/object-storage-sts.md` |
| `database-dynamic-credentials` | OpenBao database secrets engine | `wiki/playbooks/database-dynamic-credentials.md` |
@@ -117,7 +117,7 @@ value; the owner remains OpenBao, key-cape, flex-auth, or the routed subsystem.
| Request | Correct path |
| --- | --- |
| "`VAULT_TOKEN` for ops-warden production sign / policy-gate smoke" | `railiance-platform` credential broker — `warden route show ops-warden-warden-sign-token` |
| "Populate `OPENROUTER_API_KEY` for llm-connect" | Operator → OpenBao/K8s Secret in `activity-core` namespace |
| "Populate `OPENROUTER_API_KEY` for llm-connect" | Operator → OpenBao custody; delivery via `warden route show openrouter-llm-connect` |
| "Store Inter-Hub admin key for bootstrap" | Operator → OpenBao or `IHUB_OPERATOR_KEY_FILE` (`CUST-WP-0049`) |
| "Give me Vault root token" | Break-glass ceremony → `railiance-platform/docs/openbao.md` |
| "S3 credentials for artifact upload" | NK-WP-0007 / artifact-store consumer path |

View File

@@ -28,7 +28,7 @@ Promotion PR touches: `registry/routing/catalog.yaml`, playbook, optional
---
## Worked example (already active)
## Worked examples (already active)
**`ops-warden-warden-sign-token`** — promoted 2026-07-01 after RAILIANCE-WP-0005:
@@ -37,14 +37,21 @@ Promotion PR touches: `registry/routing/catalog.yaml`, playbook, optional
- Playbook: `wiki/playbooks/ops-warden-warden-sign-token.md`
- Smoke: `make credential-exec-ops-warden-smoke`
**`issue-core-ingestion-api-key`** — promoted 2026-07-02 after RAILIANCE-WP-0009
(CCR-2026-0002): KV path live, ExternalSecret `issue-core/issue-core-runtime`
SecretSynced, positive + negative verification audit-logged.
**`openrouter-llm-connect`** — promoted 2026-07-02 after RAILIANCE-WP-0010
(CCR-2026-0003): KV path live, ExternalSecret
`activity-core/llm-connect-provider-secrets` SecretSynced, llm-connect rolled
out on the OpenBao-delivered value, positive + negative verification audit-logged.
---
## Draft lanes — none ready yet (2026-07-01)
## Draft lanes (2026-07-02)
| Catalog `id` | Blocker |
| --- | --- |
| `issue-core-ingestion-api-key` | OpenBao KV path + ESO wiring not owner-signed off |
| `openrouter-llm-connect` | activity-core secret mount path still placeholder |
| `object-storage-sts` | NK-WP-0007 vending path not production-exercised |
| `database-dynamic-credentials` | OpenBao database engine role paths TBD per workload |

View File

@@ -1,8 +1,8 @@
# issue-core Ingestion API Key — OpenBao Custody
Date: 2026-06-24
Workplan: WARDEN-WP-0012 T1
Catalog: `issue-core-ingestion-api-key` (draft until path ships)
Date: 2026-06-24 (promoted active 2026-07-02)
Workplan: WARDEN-WP-0012 T1 · RAILIANCE-WP-0009 / CCR-2026-0002
Catalog: `issue-core-ingestion-api-key` (**active** — path live, ESO delivering)
Pointer playbook for agents and operators wiring the **shared ingestion key**
between `activity-core` IssueSink emission and `issue-core` REST ingestion.
@@ -54,8 +54,14 @@ GITEA_BACKEND_TOKEN
The ExternalSecret manifest belongs in `issue-core` workload manifests (tenant
repo owns runtime deployment). Platform owns mount policy and path provisioning.
**Promotion gate:** catalog entry stays `status: draft` until this path exists
in the live OpenBao cluster and an owner-repo ExternalSecret is merged.
**Promotion gate (met 2026-07-02):** the path exists in the live OpenBao
cluster and `ExternalSecret issue-core/issue-core-runtime` is merged and
`SecretSynced` (read policy `workload-kv-read-issue-core-runtime`, k8s auth
role `external-secrets-issue-core`, auth subject
`external-secrets/external-secrets`). Positive + negative access verified with
OpenBao audit evidence (RAILIANCE-WP-0009 T05). Lifecycle
(deactivate/rotate/compromise):
`railiance-platform/docs/credential-lane-lifecycle-runbook.md`.
---
@@ -110,8 +116,7 @@ scoped tokens only, never root token for routine workload secret inspection.
| `issue-core` | Merge ExternalSecret + Deployment env from synced Secret |
| `activity-core` | Mirror `ISSUE_CORE_API_KEY` injection for REST sink mode |
When the path ships, ops-warden promotes `issue-core-ingestion-api-key` to
`status: active` with this `wiki_ref`.
Promoted to `status: active` on 2026-07-02 (RAILIANCE-WP-0009 T06).
---

View File

@@ -1,8 +1,8 @@
# OpenRouter API Key — llm-connect in activity-core
Date: 2026-06-24
Workplan: WARDEN-WP-0012 T4
Catalog: `openrouter-llm-connect` (draft until OpenBao path ships)
Date: 2026-06-24 (promoted active 2026-07-02)
Workplan: WARDEN-WP-0012 T4 · RAILIANCE-WP-0010 / CCR-2026-0003
Catalog: `openrouter-llm-connect` (**active** — OpenBao path live, ESO delivering)
Pointer playbook for LLM provider credentials consumed by `llm-connect` in the
`activity-core` namespace. ops-warden issues SSH certs only — API keys are an
@@ -25,16 +25,14 @@ OpenBao → Kubernetes Secret action owned by `railiance-platform` and
```bash
warden route show openbao-api-key --json
warden route show openrouter-llm-connect --json # after promotion
warden route show openrouter-llm-connect --json
```
`OPENROUTER_API_KEY` must not appear in Git, State Hub, workplans, logs, or chat.
---
## Expected custody shape
Documented platform path convention (coordinate before writing secrets):
## Custody shape (live since 2026-07-02)
```text
platform/workloads/activity-core/llm-connect/llm-connect-provider-secrets
@@ -42,12 +40,19 @@ platform/workloads/activity-core/llm-connect/llm-connect-provider-secrets
Property name: `OPENROUTER_API_KEY`
Until the OpenBao path is provisioned, operators may create the K8s Secret
directly for pilot smoke (`llm-connect` README) — that is a bootstrap bridge,
not the long-term custody model.
Delivery: `ExternalSecret activity-core/llm-connect-provider-secrets`
(ClusterSecretStore `openbao-activity-core`, read policy
`workload-kv-read-llm-connect-provider-secrets`, k8s auth role
`external-secrets-activity-core`) syncs to Secret
`llm-connect-provider-secrets`; the llm-connect Deployment consumes it.
Positive + negative access verified with OpenBao audit evidence
(RAILIANCE-WP-0010 T05). Lifecycle (deactivate/rotate/compromise):
`railiance-platform/docs/credential-lane-lifecycle-runbook.md`.
**Promotion gate:** catalog entry stays `status: draft` until the OpenBao path
exists and ESO (or approved equivalent) delivers the Secret in cluster.
**Promotion gate (met 2026-07-02):** the OpenBao path exists and ESO delivers
the Secret in cluster. The earlier manually created bootstrap Secret has been
taken over by ESO on the CoulombCore cluster; the railiance01 k3s llm-connect
instance still uses its bootstrap Secret (separate migration, not this lane).
---