generated from coulomb/repo-seed
Add platform-secret playbooks for issue-core ingestion, OpenRouter llm-connect, object-storage STS, and database dynamic credentials. Extend the routing catalog with draft entries and implement `warden route list --stale` for quarterly drift review. Document the review cadence in AccessRouting and mark the workplan finished.
104 lines
3.3 KiB
Markdown
104 lines
3.3 KiB
Markdown
# OpenRouter API Key — llm-connect in activity-core
|
|
|
|
Date: 2026-06-24
|
|
Workplan: WARDEN-WP-0012 T4
|
|
Catalog: `openrouter-llm-connect` (draft until OpenBao path ships)
|
|
|
|
Pointer playbook for LLM provider credentials consumed by `llm-connect` in the
|
|
`activity-core` namespace. ops-warden issues SSH certs only — API keys are an
|
|
OpenBao → Kubernetes Secret action owned by `railiance-platform` and
|
|
`activity-core` deployment repos.
|
|
|
|
---
|
|
|
|
## Owners
|
|
|
|
| Concern | Owner repo | Authoritative doc |
|
|
| --- | --- | --- |
|
|
| OpenBao path and ESO delivery | `railiance-platform` | `docs/openbao.md` — path convention |
|
|
| llm-connect K8s overlay and smoke | `llm-connect` | `deploy/k8s/activity-core-llm-connect/README.md` |
|
|
| activity-core runtime config (`LLM_CONNECT_URL`) | `activity-core` | `llm-connect/docs/activity-core-llm-endpoint.md` |
|
|
|
|
---
|
|
|
|
## Do not ask ops-warden
|
|
|
|
```bash
|
|
warden route show openbao-api-key --json
|
|
warden route show openrouter-llm-connect --json # after promotion
|
|
```
|
|
|
|
`OPENROUTER_API_KEY` must not appear in Git, State Hub, workplans, logs, or chat.
|
|
|
|
---
|
|
|
|
## Expected custody shape
|
|
|
|
Documented platform path convention (coordinate before writing secrets):
|
|
|
|
```text
|
|
platform/workloads/activity-core/llm-connect/llm-connect-provider-secrets
|
|
```
|
|
|
|
Property name: `OPENROUTER_API_KEY`
|
|
|
|
Until the OpenBao path is provisioned, operators may create the K8s Secret
|
|
directly for pilot smoke (`llm-connect` README) — that is a bootstrap bridge,
|
|
not the long-term custody model.
|
|
|
|
**Promotion gate:** catalog entry stays `status: draft` until the OpenBao path
|
|
exists and ESO (or approved equivalent) delivers the Secret in cluster.
|
|
|
|
---
|
|
|
|
## Worker checklist
|
|
|
|
### 1. Confirm need
|
|
|
|
- [ ] Consumer is `llm-connect` in `activity-core` namespace (not a generic OpenRouter client)
|
|
- [ ] Default profile uses `provider=openrouter` (`llm-connect/docs/activity-core-llm-endpoint.md`)
|
|
- [ ] flex-auth policy applies if your tenant requires pre-approval for secret reads
|
|
|
|
### 2. Platform path (production)
|
|
|
|
- [ ] Path provisioned under `platform/workloads/activity-core/...`
|
|
- [ ] Workload KV read policy scoped to `llm-connect` service account
|
|
- [ ] ExternalSecret syncs to Secret `llm-connect-provider-secrets`
|
|
|
|
### 3. Deployment wiring
|
|
|
|
- [ ] `kubectl apply -k deploy/k8s/activity-core-llm-connect` (llm-connect repo)
|
|
- [ ] Deployment mounts provider Secret; env provides `OPENROUTER_API_KEY`
|
|
- [ ] activity-core sets `LLM_CONNECT_URL` to in-cluster service URL
|
|
|
|
### 4. Smoke
|
|
|
|
```bash
|
|
# From llm-connect repo — cluster smoke after apply
|
|
kubectl -n activity-core rollout status deployment/llm-connect
|
|
# See deploy/k8s/activity-core-llm-connect/README.md for endpoint smoke script
|
|
```
|
|
|
|
### 5. Rotation
|
|
|
|
- [ ] Update OpenBao KV value
|
|
- [ ] ESO refresh or rollout restart llm-connect Deployment
|
|
- [ ] Run cluster smoke; confirm activity-core triage profile still reaches provider
|
|
|
|
---
|
|
|
|
## Owner-repo next actions
|
|
|
|
| Repo | Action |
|
|
| --- | --- |
|
|
| `railiance-platform` | Provision OpenBao path + policy for activity-core llm-connect |
|
|
| `llm-connect` | Maintain K8s overlay and document Secret key names |
|
|
| `activity-core` | Set `LLM_CONNECT_URL` and triage profile after llm-connect is live |
|
|
|
|
---
|
|
|
|
## See also
|
|
|
|
- `llm-connect/docs/activity-core-llm-endpoint.md`
|
|
- `wiki/CredentialRouting.md#examples-do-not-ask-ops-warden`
|
|
- `net-kingdom/docs/platform-identity-security-architecture.md` |