---
id: PMEM-WP-0014
type: workplan
title: "Live Credential Execution And Managed Deployment Hardening"
domain: markitect
repo: phase-memory
status: finished
owner: codex
topic_slug: phase-memory
created: "2026-05-19"
updated: "2026-05-19"
state_hub_workstream_id: "312a04cb-124d-41b3-9fc0-292281f420ab"
---

# PMEM-WP-0014: Live Credential Execution And Managed Deployment Hardening

## Goal

Use the credential-gated drill and service packaging created in PMEM-WP-0013 to exercise real operator environments, harden deployment packaging, and preserve evaluation trend history.

## Current Evidence

`PMEM-WP-0013` added credential-gated drill helpers, stdlib service packaging, operator readiness docs, audit retention apply, evaluation trend artifacts, and release-note discipline. The scorecard now rates the repo at **4.3 / 5**.

## Non-Goals

- Commit credentials, tokens, or live endpoints.
- Make credentialed tests mandatory in default CI.
- Take ownership of Markitect or Kontextual service internals.

## T01 - Run credentialed adapter drills in operator mode

```task
id: PMEM-WP-0014-T01
status: done
priority: high
state_hub_task_id: "1d0eb51c-60ce-47ad-bd91-6ce1ee91f0f8"
```

Exercise the credential-gated smoke drill against real operator-provided Markitect/Kontextual endpoints.

Acceptance:

- Default suite still skips without credentials.
- Operator run records a redacted report with no tokens.
- Any live incompatibility is captured as explicit diagnostics.

## T02 - Add managed deployment packaging

```task
id: PMEM-WP-0014-T02
status: done
priority: high
state_hub_task_id: "37b03680-fcc4-46c2-9ce2-f6bf1f2ef35b"
```

Add deployment packaging around the stdlib service entrypoint.

Acceptance:

- Health and readiness probes are documented.
- Packaging can be validated without live credentials.
- Rollback and local-store mount expectations are explicit.

## T03 - Persist evaluation trend history

```task
id: PMEM-WP-0014-T03
status: done
priority: medium
state_hub_task_id: "a3260267-bc8f-4f17-abdd-2296ad2c6ed5"
```

Persist evaluation trend artifacts across runs for regression review.

Acceptance:

- Trend history format is deterministic.
- Deltas can be compared across commits or run ids.
- Regression diagnostics remain actionable.

## T04 - Add credentialed telemetry retention drill

```task
id: PMEM-WP-0014-T04
status: done
priority: medium
state_hub_task_id: "b68478ce-90c2-4e21-b621-569cb6925f74"
```

Exercise audit export and retention apply against a credentialed telemetry adapter or operator-approved fixture.

Acceptance:

- Tokens are never written to artifacts.
- Retention apply records an audit event.
- Pruned and retained operation ids are reviewable.

## T05 - Expand operator troubleshooting matrix

```task
id: PMEM-WP-0014-T05
status: done
priority: medium
state_hub_task_id: "b0974113-debd-4823-929a-761510132c09"
```

Collect expected operator failures and remediations.

Acceptance:

- Matrix covers credentials, readiness, migrations, audit retention, and adapter manifest failures.
- Each row includes diagnostic code, likely cause, and operator action.

## Acceptance Criteria

- Evidence moves the project toward the 4.7+ scorecard gate.
- Credentialed runs are reproducible but optional.
- Managed deployment packaging is ready for operator review.

## Closure Review

Implemented as a credential-safe operational hardening pass:

- Credentialed drill configs now persist only endpoint/credential fingerprints, and `credentialed_operator_report` / `write_credentialed_operator_report` create redacted run artifacts.
- `credentialed_telemetry_retention_drill` exercises retention planning/apply through the live-shaped telemetry sink or an operator-approved fixture.
- `managed_deployment_manifest` and `validate_managed_deployment_manifest` define entrypoint, probe, rollback, replica, and local-store mount expectations without requiring credentials.
- Evaluation trend artifacts can now be persisted into deterministic history files without duplicate run ids.
- The operator runbook and troubleshooting matrix cover credential, readiness, migration, retention, and adapter-manifest failures.

No real endpoint credentials or managed platform were available in the default workspace, so PMEM-WP-0015 should collect the first live credential and managed deployment pilot evidence.
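
The T01 and T04 acceptance criteria (a redacted report with no tokens, only fingerprints persisted) can be enforced at the point where the artifact is built. The sketch below is an added example, not phase-memory's own code: the function names, report fields, diagnostic code, HMAC-based fingerprint, and sample values are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample values; none of these come from a real environment.
SAMPLE_KEY = b"operator-held-fingerprint-key"
SAMPLE_ENDPOINT = "https://markitect.example.invalid/api"
SAMPLE_TOKEN = "constructed-token-abc123"
SAMPLE_DIAGNOSTICS = [{
    "code": "ADAPTER_AUTH_REJECTED",  # hypothetical diagnostic code
    "detail": f"401 from {SAMPLE_ENDPOINT} with bearer {SAMPLE_TOKEN}",
}]


def fingerprint(value: str, key: bytes) -> str:
    """Keyed, truncated digest: correlates runs without revealing the value."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return "hmac-sha256:" + digest[:16]


def redacted_report(run_id, endpoint, token, diagnostics, key) -> str:
    """Return the JSON artifact text, or raise if secret material survives."""
    if not endpoint or not token:
        raise ValueError("endpoint and token must be non-empty")
    # Longest first, so a secret containing another is replaced whole.
    secrets = sorted((endpoint, token), key=len, reverse=True)

    def scrub(text: str) -> str:
        for secret in secrets:
            text = text.replace(secret, "[REDACTED]")
        return text

    report = {
        "run_id": run_id,
        "endpoint_fingerprint": fingerprint(endpoint, key),
        "credential_fingerprint": fingerprint(token, key),
        "diagnostics": [
            {"code": d["code"], "detail": scrub(d["detail"])} for d in diagnostics
        ],
    }
    # sort_keys gives byte-identical output for identical input.
    artifact = json.dumps(report, sort_keys=True, indent=2)
    # Final gate: compare against the JSON-escaped form of each secret.
    if any(json.dumps(s)[1:-1] in artifact for s in secrets):
        raise ValueError("refusing to write artifact: secret material present")
    return artifact
```

The final gate catches fields that bypass scrubbing, such as a token pasted into `run_id`, so a leak fails the run instead of reaching disk.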