Implement credentialed live hardening workplan

workplans/PMEM-WP-0014-live-credential-execution-and-managed-deployment-hardening.md

@@ -4,7 +4,7 @@ type: workplan
 title: "Live Credential Execution And Managed Deployment Hardening"
 domain: markitect
 repo: phase-memory
-status: ready
+status: finished
 owner: codex
 topic_slug: phase-memory
 created: "2026-05-19"
@@ -36,7 +36,7 @@ release-note discipline. The scorecard now rates the repo at **4.3 / 5**.
 
 ```task
 id: PMEM-WP-0014-T01
-status: todo
+status: done
 priority: high
 state_hub_task_id: "1d0eb51c-60ce-47ad-bd91-6ce1ee91f0f8"
 ```
@@ -54,7 +54,7 @@ Acceptance:
 
 ```task
 id: PMEM-WP-0014-T02
-status: todo
+status: done
 priority: high
 state_hub_task_id: "37b03680-fcc4-46c2-9ce2-f6bf1f2ef35b"
 ```
@@ -71,7 +71,7 @@ Acceptance:
 
 ```task
 id: PMEM-WP-0014-T03
-status: todo
+status: done
 priority: medium
 state_hub_task_id: "a3260267-bc8f-4f17-abdd-2296ad2c6ed5"
 ```
@@ -88,7 +88,7 @@ Acceptance:
 
 ```task
 id: PMEM-WP-0014-T04
-status: todo
+status: done
 priority: medium
 state_hub_task_id: "b68478ce-90c2-4e21-b621-569cb6925f74"
 ```
@@ -106,7 +106,7 @@ Acceptance:
 
 ```task
 id: PMEM-WP-0014-T05
-status: todo
+status: done
 priority: medium
 state_hub_task_id: "b0974113-debd-4823-929a-761510132c09"
 ```
@@ -127,4 +127,21 @@ Acceptance:
 
 ## Closure Review
 
-Pending implementation.
+Implemented as a credential-safe operational hardening pass:
+
+- Credentialed drill configs now persist only endpoint/credential fingerprints,
+  and `credentialed_operator_report` / `write_credentialed_operator_report`
+  create redacted run artifacts.
+- `credentialed_telemetry_retention_drill` exercises retention planning/apply
+  through the live-shaped telemetry sink or an operator-approved fixture.
+- `managed_deployment_manifest` and
+  `validate_managed_deployment_manifest` define entrypoint, probe, rollback,
+  replica, and local-store mount expectations without requiring credentials.
+- Evaluation trend artifacts can now be persisted into deterministic history
+  files without duplicate run ids.
+- The operator runbook and troubleshooting matrix cover credential,
+  readiness, migration, retention, and adapter-manifest failures.
+
+No real endpoint credentials or managed platform were available in the default
+workspace, so PMEM-WP-0015 should collect the first live credential and managed
+deployment pilot evidence.

workplans/PMEM-WP-0015-credentialed-live-pilot-and-deployment-evidence.md

@@ -0,0 +1,138 @@
+---
+id: PMEM-WP-0015
+type: workplan
+title: "Credentialed Live Pilot And Deployment Evidence"
+domain: markitect
+repo: phase-memory
+status: ready
+owner: codex
+topic_slug: phase-memory
+created: "2026-05-19"
+updated: "2026-05-19"
+state_hub_workstream_id: "10e406f3-a016-46f6-92c4-9e0f8fc7ecc3"
+---
+
+# PMEM-WP-0015: Credentialed Live Pilot And Deployment Evidence
+
+## Goal
+
+Collect the first real operator evidence for live Markitect/Kontextual
+credentials, managed deployment packaging, telemetry retention, and evaluation
+history gates without committing credentials or endpoint secrets.
+
+## Current Evidence
+
+`PMEM-WP-0014` added redacted operator reports, credential-safe telemetry
+retention drills, managed deployment manifest validation, deterministic
+evaluation trend history persistence, and an operator troubleshooting matrix.
+The remaining maturity gap is live evidence from an approved operator
+environment and deployment target.
+
+## Non-Goals
+
+- Commit tokens, live endpoint URLs, or platform secrets.
+- Make live credential tests mandatory for default CI.
+- Replace platform-specific deployment tooling owned by operators.
+
+## T01 - Run redacted credentialed live smoke report
+
+```task
+id: PMEM-WP-0015-T01
+status: todo
+priority: high
+state_hub_task_id: "c095a240-0499-42a2-8661-7d4ead13d90e"
+```
+
+Run the credentialed operator report against approved live Markitect and
+Kontextual endpoints.
+
+Acceptance:
+
+- Report artifact contains no tokens or raw endpoint URLs.
+- Live adapter incompatibilities are captured as diagnostics.
+- Operator confirms the report can be shared through normal repo progress
+  channels.
+
+## T02 - Pilot managed deployment package
+
+```task
+id: PMEM-WP-0015-T02
+status: todo
+priority: high
+state_hub_task_id: "94fd6cf0-348b-47ac-87d9-17f1fa358590"
+```
+
+Translate the managed deployment manifest into the target operator platform and
+run readiness checks.
+
+Acceptance:
+
+- `/health` and `/ready` probes pass in the pilot environment.
+- Local-store mount and rollback procedure are validated.
+- Platform-specific notes are added to the operator runbook without taking
+  ownership of that platform.
+
+## T03 - Capture external telemetry retention evidence
+
+```task
+id: PMEM-WP-0015-T03
+status: todo
+priority: medium
+state_hub_task_id: "31f114bf-a7cb-4413-ab9b-51c7c00552c4"
+```
+
+Exercise telemetry export and retention apply against the approved credentialed
+telemetry boundary.
+
+Acceptance:
+
+- Retention apply records an audit event.
+- Pruned and retained operation ids are reviewable.
+- Secret-bearing fields are absent from exported artifacts.
+
+## T04 - Promote evaluation trend history into a gate
+
+```task
+id: PMEM-WP-0015-T04
+status: todo
+priority: medium
+state_hub_task_id: "74ba5e2f-e3f9-49a7-b2e5-c73ec478b1ab"
+```
+
+Persist trend history across commits or run ids and define the regression gate
+operators should inspect.
+
+Acceptance:
+
+- Trend history is written as a durable artifact.
+- Regression diagnostics identify metric declines.
+- Runbook explains how to compare the latest artifact with prior runs.
+
+## T05 - Fold pilot feedback into troubleshooting
+
+```task
+id: PMEM-WP-0015-T05
+status: todo
+priority: medium
+state_hub_task_id: "427d5cd6-f8e0-4c2f-bced-e4679461ebc1"
+```
+
+Use live pilot findings to refine the troubleshooting matrix and scorecard.
+
+Acceptance:
+
+- New operator failure modes have diagnostic codes and remediations.
+- Scorecard distinguishes implemented tooling from verified live evidence.
+- Next maturity target is adjusted based on actual pilot results.
+
+## Acceptance Criteria
+
+- PMEM-WP-0015 produces credential-safe artifacts from a real operator
+  environment.
+- Managed deployment readiness has platform evidence, not just local manifest
+  validation.
+- Scorecard can reasonably move toward the 4.7+ gate if the pilot succeeds.
+
+## Closure Review
+
+Pending implementation.