# OpenRouter API Key — llm-connect in activity-core

Date: 2026-06-24

Workplan: WARDEN-WP-0012 T4

Catalog: `openrouter-llm-connect` (draft until OpenBao path ships)

Pointer playbook for LLM provider credentials consumed by `llm-connect` in the `activity-core` namespace. ops-warden issues SSH certs only — API keys are an OpenBao → Kubernetes Secret action owned by `railiance-platform` and `activity-core` deployment repos.

---

## Owners

| Concern | Owner repo | Authoritative doc |
| --- | --- | --- |
| OpenBao path and ESO delivery | `railiance-platform` | `docs/openbao.md` — path convention |
| llm-connect K8s overlay and smoke | `llm-connect` | `deploy/k8s/activity-core-llm-connect/README.md` |
| activity-core runtime config (`LLM_CONNECT_URL`) | `activity-core` | `llm-connect/docs/activity-core-llm-endpoint.md` |

---

## Do not ask ops-warden

```bash
warden route show openbao-api-key --json
warden route show openrouter-llm-connect --json   # after promotion
```

`OPENROUTER_API_KEY` must not appear in Git, State Hub, workplans, logs, or chat.

---

## Expected custody shape

Documented platform path convention (coordinate before writing secrets):

```text
platform/workloads/activity-core/llm-connect/llm-connect-provider-secrets
```

Property name: `OPENROUTER_API_KEY`

Until the OpenBao path is provisioned, operators may create the K8s Secret directly for pilot smoke (`llm-connect` README) — that is a bootstrap bridge, not the long-term custody model.

**Promotion gate:** catalog entry stays `status: draft` until the OpenBao path exists and ESO (or approved equivalent) delivers the Secret in cluster.

---

## Worker checklist

### 1. Confirm need

- [ ] Consumer is `llm-connect` in `activity-core` namespace (not a generic OpenRouter client)
- [ ] Default profile uses `provider=openrouter` (`llm-connect/docs/activity-core-llm-endpoint.md`)
- [ ] flex-auth policy applies if your tenant requires pre-approval for secret reads

### 2. Platform path (production)

- [ ] Path provisioned under `platform/workloads/activity-core/...`
- [ ] Workload KV read policy scoped to `llm-connect` service account
- [ ] ExternalSecret syncs to Secret `llm-connect-provider-secrets`

### 3. Deployment wiring

- [ ] `kubectl apply -k deploy/k8s/activity-core-llm-connect` (llm-connect repo)
- [ ] Deployment mounts provider Secret; env provides `OPENROUTER_API_KEY`
- [ ] activity-core sets `LLM_CONNECT_URL` to in-cluster service URL

### 4. Smoke

```bash
# From llm-connect repo — cluster smoke after apply
kubectl -n activity-core rollout status deployment/llm-connect
# See deploy/k8s/activity-core-llm-connect/README.md for endpoint smoke script
```

### 5. Rotation

- [ ] Update OpenBao KV value
- [ ] ESO refresh or rollout restart llm-connect Deployment
- [ ] Run cluster smoke; confirm activity-core triage profile still reaches provider

---

## Owner-repo next actions

| Repo | Action |
| --- | --- |
| `railiance-platform` | Provision OpenBao path + policy for activity-core llm-connect |
| `llm-connect` | Maintain K8s overlay and document Secret key names |
| `activity-core` | Set `LLM_CONNECT_URL` and triage profile after llm-connect is live |

---

## See also

- `llm-connect/docs/activity-core-llm-endpoint.md`
- `wiki/CredentialRouting.md#examples-do-not-ask-ops-warden`
- `net-kingdom/docs/platform-identity-security-architecture.md`
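
The rule under "Do not ask ops-warden" that `OPENROUTER_API_KEY` must not appear in Git, workplans, or logs can be checked mechanically before a commit or a paste. The scan below is an added example, not code from ops-warden or the owner repos; the function name `scan_for_openrouter_key` is hypothetical and the `sk-or-` key prefix is an assumption about the provider's key format.

```shell
#!/usr/bin/env bash
# Added example: flag files that carry an OpenRouter key *value* rather than
# a reference to it (secretKeyRef, ${VAR}, ExternalSecret property name).

# Assumption: provider keys begin with "sk-or-"; adjust if yours differ.
KEY_TOKEN_RE='sk-or-[A-Za-z0-9_-]{16,}'

# OPENROUTER_API_KEY followed by '=' or ':' and a literal of 8+ characters.
# References such as ${OPENROUTER_API_KEY} or $(cmd) start with '$' and do
# not match; a bare "key: OPENROUTER_API_KEY" line has no value and is ignored.
KEY_ASSIGN_RE="OPENROUTER_API_KEY[\"']?[[:space:]]*[=:][[:space:]]*[\"']?[A-Za-z0-9_-]{8,}"

# scan_for_openrouter_key FILE...
# Reports file:line for each hit on stderr and returns 1 if any were found.
# The matched text is never printed, so the scan itself cannot leak the key
# into CI logs or terminal scrollback.
scan_for_openrouter_key() {
  local hits
  hits=$(grep -nHE -e "$KEY_TOKEN_RE" -e "$KEY_ASSIGN_RE" -- "$@" 2>/dev/null \
           | cut -d: -f1,2) || true
  if [ -n "$hits" ]; then
    printf 'possible OpenRouter key material at:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# Example wiring as a Git pre-commit check (staged files only):
#   git diff --cached --name-only -z --diff-filter=ACM \
#     | xargs -0 -r bash -c 'source ./scan.sh; scan_for_openrouter_key "$@"' _
```

A hit means the value should be treated as exposed and rotated through the OpenBao path in step 5, not just removed from the file.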