generated from coulomb/repo-seed
RAILIANCE-WP-0009 T06 / RAILIANCE-WP-0010 T06 (CCR-2026-0002, CCR-2026-0003): both OpenBao KV paths are live, ESO delivers the Secrets in cluster, and positive/negative access verification is audit-logged. Catalog entries gain concrete zero-placeholder handoffs (exec_capable, resolvable); draft tables and playbook gates updated; routing tests repointed to still-draft lanes. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
109 lines
3.8 KiB
Markdown
# OpenRouter API Key — llm-connect in activity-core

Date: 2026-06-24 (promoted active 2026-07-02)

Workplan: WARDEN-WP-0012 T4 · RAILIANCE-WP-0010 / CCR-2026-0003

Catalog: `openrouter-llm-connect` (**active** — OpenBao path live, ESO delivering)

Pointer playbook for LLM provider credentials consumed by `llm-connect` in the
`activity-core` namespace. ops-warden issues SSH certs only — API keys are an
OpenBao → Kubernetes Secret action owned by `railiance-platform` and
`activity-core` deployment repos.

---

## Owners

| Concern | Owner repo | Authoritative doc |
| --- | --- | --- |
| OpenBao path and ESO delivery | `railiance-platform` | `docs/openbao.md` — path convention |
| llm-connect K8s overlay and smoke | `llm-connect` | `deploy/k8s/activity-core-llm-connect/README.md` |
| activity-core runtime config (`LLM_CONNECT_URL`) | `activity-core` | `llm-connect/docs/activity-core-llm-endpoint.md` |

---

## Do not ask ops-warden

```bash
warden route show openbao-api-key --json
warden route show openrouter-llm-connect --json
```

`OPENROUTER_API_KEY` must not appear in Git, State Hub, workplans, logs, or chat.

---

## Custody shape (live since 2026-07-02)

```text
platform/workloads/activity-core/llm-connect/llm-connect-provider-secrets
```

Property name: `OPENROUTER_API_KEY`

Delivery: `ExternalSecret activity-core/llm-connect-provider-secrets`
(ClusterSecretStore `openbao-activity-core`, read policy
`workload-kv-read-llm-connect-provider-secrets`, k8s auth role
`external-secrets-activity-core`) syncs to Secret
`llm-connect-provider-secrets`; the llm-connect Deployment consumes it.
Positive + negative access verified with OpenBao audit evidence
(RAILIANCE-WP-0010 T05). Lifecycle (deactivate/rotate/compromise):
`railiance-platform/docs/credential-lane-lifecycle-runbook.md`.

**Promotion gate (met 2026-07-02):** the OpenBao path exists and ESO delivers
the Secret in cluster. The earlier manually created bootstrap Secret has been
taken over by ESO on the CoulombCore cluster; the railiance01 k3s llm-connect
instance still uses its bootstrap Secret (separate migration, not this lane).

---

## Worker checklist

### 1. Confirm need

- [ ] Consumer is `llm-connect` in `activity-core` namespace (not a generic OpenRouter client)
- [ ] Default profile uses `provider=openrouter` (`llm-connect/docs/activity-core-llm-endpoint.md`)
- [ ] flex-auth policy applies if your tenant requires pre-approval for secret reads

### 2. Platform path (production)

- [ ] Path provisioned under `platform/workloads/activity-core/...`
- [ ] Workload KV read policy scoped to `llm-connect` service account
- [ ] ExternalSecret syncs to Secret `llm-connect-provider-secrets`

### 3. Deployment wiring

- [ ] `kubectl apply -k deploy/k8s/activity-core-llm-connect` (llm-connect repo)
- [ ] Deployment mounts provider Secret; env provides `OPENROUTER_API_KEY`
- [ ] activity-core sets `LLM_CONNECT_URL` to in-cluster service URL

### 4. Smoke

```bash
# From llm-connect repo — cluster smoke after apply
kubectl -n activity-core rollout status deployment/llm-connect
# See deploy/k8s/activity-core-llm-connect/README.md for endpoint smoke script
```

### 5. Rotation

- [ ] Update OpenBao KV value
- [ ] ESO refresh or rollout restart llm-connect Deployment
- [ ] Run cluster smoke; confirm activity-core triage profile still reaches provider

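
The custody shape above and the rotation steps in section 5, as an added example manifest that is not taken from the `railiance-platform`, `llm-connect` or `activity-core` repos: an ExternalSecret pulling the listed KV path into the `llm-connect-provider-secrets` Secret, plus the Deployment env wiring that consumes it. Assumptions: the `openbao-activity-core` ClusterSecretStore already targets the KV v2 engine (whether the `platform/` mount prefix belongs in `remoteRef.key` or in the store's `path` depends on how that store is defined; check `docs/openbao.md`), and `refreshInterval`, the container name and the image are placeholders.

```yaml
# Added example, not the owning repos' manifests. The remoteRef key is the full
# path from this playbook; adjust it if the ClusterSecretStore sets `path`.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: llm-connect-provider-secrets
  namespace: activity-core
spec:
  refreshInterval: 1h            # assumed; upper bound on how long a rotated value takes to land without a force-sync
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao-activity-core  # reads under policy workload-kv-read-llm-connect-provider-secrets
  target:
    name: llm-connect-provider-secrets
    creationPolicy: Owner        # ESO owns the Secret's lifecycle; no hand-edited bootstrap copy remains
  data:
    - secretKey: OPENROUTER_API_KEY                # key inside the Kubernetes Secret
      remoteRef:
        key: platform/workloads/activity-core/llm-connect/llm-connect-provider-secrets
        property: OPENROUTER_API_KEY               # property name in the KV entry
---
# Deployment fragment: the container only ever sees the value via secretKeyRef,
# so the key never appears in Git, the manifest, or rendered logs.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: llm-connect
  namespace: activity-core
spec:
  selector:
    matchLabels: { app: llm-connect }
  template:
    metadata:
      labels: { app: llm-connect }
    spec:
      containers:
        - name: llm-connect                      # container name assumed
          image: REGISTRY_PLACEHOLDER/llm-connect:TAG_PLACEHOLDER
          env:
            - name: OPENROUTER_API_KEY
              valueFrom:
                secretKeyRef:
                  name: llm-connect-provider-secrets
                  key: OPENROUTER_API_KEY
```

With this wiring, step 5 is: write the new value to the KV path, let the ExternalSecret resync (wait out `refreshInterval`, or `kubectl -n activity-core annotate externalsecret llm-connect-provider-secrets force-sync=$(date +%s) --overwrite`), then `kubectl -n activity-core rollout restart deployment/llm-connect`, because an env value from `secretKeyRef` is read only at container start and a refreshed Secret alone does not reach a running pod.
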
---

## Owner-repo next actions

| Repo | Action |
| --- | --- |
| `railiance-platform` | Provision OpenBao path + policy for activity-core llm-connect |
| `llm-connect` | Maintain K8s overlay and document Secret key names |
| `activity-core` | Set `LLM_CONNECT_URL` and triage profile after llm-connect is live |

---

## See also

- `llm-connect/docs/activity-core-llm-endpoint.md`
- `wiki/CredentialRouting.md#examples-do-not-ask-ops-warden`
- `net-kingdom/docs/platform-identity-security-architecture.md`