Files
ops-warden/wiki/playbooks/openrouter-llm-connect.md
tegwick 364eb7dfe1 Promote issue-core-ingestion-api-key and openrouter-llm-connect lanes to active
RAILIANCE-WP-0009 T06 / RAILIANCE-WP-0010 T06 (CCR-2026-0002, CCR-2026-0003):
both OpenBao KV paths are live, ESO delivers the Secrets in cluster, and
positive/negative access verification is audit-logged. Catalog entries gain
concrete zero-placeholder handoffs (exec_capable, resolvable); draft tables
and playbook gates updated; routing tests repointed to still-draft lanes.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-02 20:48:39 +02:00

109 lines
3.8 KiB
Markdown

# OpenRouter API Key — llm-connect in activity-core
Date: 2026-06-24 (promoted active 2026-07-02)
Workplan: WARDEN-WP-0012 T4 · RAILIANCE-WP-0010 / CCR-2026-0003
Catalog: `openrouter-llm-connect` (**active** — OpenBao path live, ESO delivering)
Pointer playbook for LLM provider credentials consumed by `llm-connect` in the
`activity-core` namespace. ops-warden issues SSH certs only — API keys are an
OpenBao → Kubernetes Secret action owned by `railiance-platform` and
`activity-core` deployment repos.
---
## Owners
| Concern | Owner repo | Authoritative doc |
| --- | --- | --- |
| OpenBao path and ESO delivery | `railiance-platform` | `docs/openbao.md` — path convention |
| llm-connect K8s overlay and smoke | `llm-connect` | `deploy/k8s/activity-core-llm-connect/README.md` |
| activity-core runtime config (`LLM_CONNECT_URL`) | `activity-core` | `llm-connect/docs/activity-core-llm-endpoint.md` |
---
## Do not ask ops-warden
```bash
warden route show openbao-api-key --json
warden route show openrouter-llm-connect --json
```
`OPENROUTER_API_KEY` must not appear in Git, State Hub, workplans, logs, or chat.
---
## Custody shape (live since 2026-07-02)
```text
platform/workloads/activity-core/llm-connect/llm-connect-provider-secrets
```
Property name: `OPENROUTER_API_KEY`
Delivery: `ExternalSecret activity-core/llm-connect-provider-secrets`
(ClusterSecretStore `openbao-activity-core`, read policy
`workload-kv-read-llm-connect-provider-secrets`, k8s auth role
`external-secrets-activity-core`) syncs to Secret
`llm-connect-provider-secrets`; the llm-connect Deployment consumes it.
Positive + negative access verified with OpenBao audit evidence
(RAILIANCE-WP-0010 T05). Lifecycle (deactivate/rotate/compromise):
`railiance-platform/docs/credential-lane-lifecycle-runbook.md`.
**Promotion gate (met 2026-07-02):** the OpenBao path exists and ESO delivers
the Secret in cluster. The earlier manually created bootstrap Secret has been
taken over by ESO on the CoulombCore cluster; the railiance01 k3s llm-connect
instance still uses its bootstrap Secret (separate migration, not this lane).
---
## Worker checklist
### 1. Confirm need
- [ ] Consumer is `llm-connect` in `activity-core` namespace (not a generic OpenRouter client)
- [ ] Default profile uses `provider=openrouter` (`llm-connect/docs/activity-core-llm-endpoint.md`)
- [ ] flex-auth policy applies if your tenant requires pre-approval for secret reads
### 2. Platform path (production)
- [ ] Path provisioned under `platform/workloads/activity-core/...`
- [ ] Workload KV read policy scoped to `llm-connect` service account
- [ ] ExternalSecret syncs to Secret `llm-connect-provider-secrets`
### 3. Deployment wiring
- [ ] `kubectl apply -k deploy/k8s/activity-core-llm-connect` (llm-connect repo)
- [ ] Deployment mounts provider Secret; env provides `OPENROUTER_API_KEY`
- [ ] activity-core sets `LLM_CONNECT_URL` to in-cluster service URL
### 4. Smoke
```bash
# From llm-connect repo — cluster smoke after apply
kubectl -n activity-core rollout status deployment/llm-connect
# See deploy/k8s/activity-core-llm-connect/README.md for endpoint smoke script
```
### 5. Rotation
- [ ] Update OpenBao KV value
- [ ] ESO refresh or rollout restart llm-connect Deployment
- [ ] Run cluster smoke; confirm activity-core triage profile still reaches provider
---
## Owner-repo next actions
| Repo | Action |
| --- | --- |
| `railiance-platform` | Provision OpenBao path + policy for activity-core llm-connect |
| `llm-connect` | Maintain K8s overlay and document Secret key names |
| `activity-core` | Set `LLM_CONNECT_URL` and triage profile after llm-connect is live |
---
## See also
- `llm-connect/docs/activity-core-llm-endpoint.md`
- `wiki/CredentialRouting.md#examples-do-not-ask-ops-warden`
- `net-kingdom/docs/platform-identity-security-architecture.md`