diff --git a/credential-change-requests/CCR-2026-0002-issue-core-ingestion-api-key.yaml b/credential-change-requests/CCR-2026-0002-issue-core-ingestion-api-key.yaml index 75fc838..b73953e 100644 --- a/credential-change-requests/CCR-2026-0002-issue-core-ingestion-api-key.yaml +++ b/credential-change-requests/CCR-2026-0002-issue-core-ingestion-api-key.yaml @@ -3,7 +3,7 @@ kind: credential-change-request schema_version: 1 request_type: workload-kv-read title: issue-core runtime ingestion key lane -status: applied +status: active created: '2026-06-27' updated: '2026-07-02' requester: @@ -66,9 +66,9 @@ access_frontdoor: catalog_id: issue-core-ingestion-api-key selector: issue-core ingestion API key command: warden access issue-core-ingestion-api-key --fetch ISSUE_CORE_API_KEY - resolvable: false - readiness: template - activation: draft-until-ccr-verified + resolvable: true + readiness: ready + activation: verified-positive-and-negative-access-frontdoor-active-2026-07-02 delivery: surface: external-secrets target: ExternalSecret issue-core/issue-core-runtime -> Secret issue-core-runtime 
@@ -111,6 +111,16 @@ verification: - 'Policy metadata write: sys/policies/acl/workload-kv-read-issue-core-runtime' - 'Auth role metadata write: auth/kubernetes/role/external-secrets-issue-core' - No secret values were read, written, printed, or accepted in argv. + - at: '2026-07-02T18:49:04+00:00' + actor: railiance-platform + kind: frontdoor_activation + result: passed + details: + - 'ops-warden promoted catalog id issue-core-ingestion-api-key to status active + (ops-warden commit 364eb7d, reviewed 2026-07-02): entry is exec_capable and + resolvable with zero-placeholder handoff; ops-warden proxies reads as the caller + and holds no secret value. Promotion followed positive/negative verification + recorded 2026-07-02.' lifecycle: deactivate: Disable ops-warden catalog entry and remove or detach auth role policy. rotate: Replace issue-core runtime secret values directly in OpenBao and record diff --git a/credential-change-requests/CCR-2026-0003-llm-connect-openrouter-api-key.yaml b/credential-change-requests/CCR-2026-0003-llm-connect-openrouter-api-key.yaml index 75187a6..c9585d1 100644 --- a/credential-change-requests/CCR-2026-0003-llm-connect-openrouter-api-key.yaml +++ b/credential-change-requests/CCR-2026-0003-llm-connect-openrouter-api-key.yaml @@ -3,7 +3,7 @@ kind: credential-change-request schema_version: 1 request_type: workload-kv-read title: llm-connect OpenRouter provider key lane -status: applied +status: active created: '2026-06-27' updated: '2026-07-02' requester: 
@@ -71,9 +71,9 @@ access_frontdoor: catalog_id: openrouter-llm-connect selector: llm-connect OpenRouter API key command: warden access openrouter-llm-connect --fetch OPENROUTER_API_KEY - resolvable: false - readiness: template - activation: draft-until-ccr-verified + resolvable: true + readiness: ready + activation: verified-positive-and-negative-access-frontdoor-active-2026-07-02 delivery: surface: external-secrets target: ExternalSecret to Secret llm-connect-provider-secrets in the activity-core @@ -113,6 +113,16 @@ verification: - 'Policy metadata write: sys/policies/acl/workload-kv-read-llm-connect-provider-secrets' - 'Auth role metadata write: auth/kubernetes/role/external-secrets-activity-core' - No secret values were read, written, printed, or accepted in argv. + - at: '2026-07-02T18:49:08+00:00' + actor: railiance-platform + kind: frontdoor_activation + result: passed + details: + - 'ops-warden promoted catalog id openrouter-llm-connect to status active (ops-warden + commit 364eb7d, reviewed 2026-07-02): entry is exec_capable and resolvable with + zero-placeholder handoff; ops-warden proxies reads as the caller and holds no + provider key value. Promotion followed positive/negative verification recorded + 2026-07-02.' lifecycle: deactivate: Disable ops-warden catalog entry and remove or detach auth role policy. rotate: Replace OPENROUTER_API_KEY directly in OpenBao and record non-secret rotation diff --git a/workplans/RAILIANCE-WP-0005-credential-request-and-lease-broker.md b/workplans/RAILIANCE-WP-0005-credential-request-and-lease-broker.md index d3c213e..238d908 100644 --- a/workplans/RAILIANCE-WP-0005-credential-request-and-lease-broker.md +++ b/workplans/RAILIANCE-WP-0005-credential-request-and-lease-broker.md 
@@ -10,7 +10,7 @@ topic_slug: railiance planning_priority: high planning_order: 5 created: "2026-06-24" -updated: "2026-07-01" +updated: "2026-07-02" depends_on_workplans: - RAIL-PL-WP-0002 state_hub_workstream_id: "2731fece-6c49-45b8-ab8a-4ea6c04ac603" @@ -329,6 +329,18 @@ The helper records only non-secret metadata. T07 is `wait` until a live flex-aut credential authorization endpoint is available and the OpenBao live gate is cleared. +**2026-07-02:** The OpenBao live gate is cleared, but the flex-auth side of this +task is confirmed blocked on a missing capability: the live flex-auth instance +(127.0.0.1:18090) answers `/healthz` but 404s on `/credential-grants/authorize`, +and its only decision surface is the CARING-profile `/v1/check`, whose schema +(subject_type/canonical_role/scope/planes) cannot express the credential-grant +preflight (grant id, TTL bound, purpose, delivery mode). No FLEX-WP workplan +covers this endpoint. Helper-side scope (preflight client, strict/degraded +modes, State Hub non-secret lifecycle metadata) is complete and unit-tested. +Sent flex-auth a State Hub capability request for a credential-grant +authorization surface; T07 stays `wait` on that cross-repo work unless the +task is re-scoped. + ## T08 - Integrate ops-warden smoke and routing catalog ```task @@ -405,7 +417,7 @@ items are met. ```task id: RAILIANCE-WP-0005-T10 -status: progress +status: done priority: medium state_hub_task_id: "44ce4082-fa8f-44d0-8f86-172d14ecfb0e" ``` 
@@ -432,6 +444,22 @@ external routing-doc/catalog updates. **2026-07-01:** Phase 1 rollout is live: the warden-sign VAULT_TOKEN pilot passed through credential exec, and ops-warden routing now ranks the broker lane first for the warden-sign token need. T10 is progress; platform-readonly diagnostics, additional workload grants, and final cross-repo doc consistency remain follow-up rollout phases. +**2026-07-02:** T10 closed on its acceptance criteria. (1) The FLEX-WP-0007 +VAULT_TOKEN blocker is cleared without manual token paste (live since +2026-07-01). (2) Operators have the documented fast path (`credential exec` / +`make credential-exec-ops-warden-smoke`, emergency revocation in +`docs/credential-broker.md`) and break-glass path (root-token/unseal ceremony +in `docs/openbao.md`). (3) Routing truth is consistent: ops-warden +`CredentialRouting.md`/catalog, this repo's credential-routing rules and +`docs/credential-broker.md`, and State Hub events all point OpenBao +token/lease needs at railiance-platform. Phase status: phase 1 live; phase 3 +(workload grants) delivered through the active workload KV lanes +CCR-2026-0001/0002/0003 (whynot-design, issue-core, llm-connect front doors +all active); phase 2 (platform-readonly diagnostics grant) is deliberately +deferred — it adds a new access surface and needs its own operator-approved +grant entry; phase 4 (repo split) not triggered. Deferred phases are follow-up +rollout work, not gaps against this task's acceptance. + ## Exit Criteria - A policy-approved actor can request or exec with a short-lived OpenBao token without seeing or pasting the raw token. diff --git a/workplans/RAILIANCE-WP-0009-issue-core-runtime-ingestion-key-lane.md b/workplans/RAILIANCE-WP-0009-issue-core-runtime-ingestion-key-lane.md index b9eeefc..18e8bc1 100644 --- a/workplans/RAILIANCE-WP-0009-issue-core-runtime-ingestion-key-lane.md +++ b/workplans/RAILIANCE-WP-0009-issue-core-runtime-ingestion-key-lane.md 
@@ -4,13 +4,13 @@ type: workplan title: "Issue-Core Runtime Ingestion Credential Lane" domain: financials repo: railiance-platform -status: active +status: finished owner: codex topic_slug: railiance planning_priority: high planning_order: 9 created: "2026-06-29" -updated: "2026-06-30" +updated: "2026-07-02" depends_on_workplans: - RAIL-PL-WP-0002 - RAILIANCE-WP-0004 @@ -226,7 +226,7 @@ Acceptance: ```task id: RAILIANCE-WP-0009-T06 -status: wait +status: done priority: medium state_hub_task_id: "0d9a02da-c032-43d5-8019-61ab4d87b40b" ``` @@ -245,6 +245,17 @@ Acceptance: - The CCR front-door readiness becomes active/resolvable only after positive and negative verification. +**2026-07-02:** T06 done. ops-warden promoted catalog id +`issue-core-ingestion-api-key` from draft to active (ops-warden commit +`364eb7d`) following its own promotion checklist: concrete zero-placeholder +handoff (`warden route show issue-core-ingestion-api-key --json` reports +`status: active`, `resolvable: true`), playbook gate marked met, draft tables +updated, routing tests passing (45/45). The entry carries pointers only — +ops-warden proxies reads as the caller and holds no secret value. +`CCR-2026-0002` recorded the `frontdoor_activation` evidence and moved to +`status: active` with `readiness: ready`. Promotion happened only after the +2026-07-02 positive/negative verification. + ## T07 - Record lifecycle operations ```task diff --git a/workplans/RAILIANCE-WP-0010-llm-connect-openrouter-provider-key-lane.md b/workplans/RAILIANCE-WP-0010-llm-connect-openrouter-provider-key-lane.md index a17d411..8e244d0 100644 --- a/workplans/RAILIANCE-WP-0010-llm-connect-openrouter-provider-key-lane.md +++ b/workplans/RAILIANCE-WP-0010-llm-connect-openrouter-provider-key-lane.md 
@@ -4,13 +4,13 @@ type: workplan title: "llm-connect OpenRouter Provider Key Lane" domain: financials repo: railiance-platform -status: active +status: finished owner: codex topic_slug: railiance planning_priority: high planning_order: 10 created: "2026-06-29" -updated: "2026-07-01" +updated: "2026-07-02" depends_on_workplans: - RAIL-PL-WP-0002 - RAILIANCE-WP-0004 @@ -240,7 +240,7 @@ Acceptance: ```task id: RAILIANCE-WP-0010-T06 -status: wait +status: done priority: medium state_hub_task_id: "376de3fe-ef9c-4b57-b238-1ba21ac8bb1c" ``` @@ -259,6 +259,17 @@ Acceptance: - The CCR front-door readiness becomes active/resolvable only after positive and negative verification. +**2026-07-02:** T06 done. ops-warden promoted catalog id +`openrouter-llm-connect` from draft to active (ops-warden commit `364eb7d`) +following its own promotion checklist: concrete zero-placeholder handoff +(`warden route show openrouter-llm-connect --json` reports `status: active`, +`resolvable: true`), playbook gate marked met, draft tables updated, routing +tests passing (45/45). The entry carries pointers only — ops-warden proxies +reads as the caller and holds no provider key value. `CCR-2026-0003` recorded +the `frontdoor_activation` evidence and moved to `status: active` with +`readiness: ready`. Promotion happened only after the 2026-07-02 +positive/negative verification. + ## T07 - Record lifecycle operations ```task
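Review bot: the new `activation` value in the CCR-2026-0002 `access_frontdoor` hunk (`@@ -66,9 +66,9 @@`) packs a verification claim and a date into a field that the old value (`draft-until-ccr-verified`) treats as a state token; `verified-positive-and-negative-access-frontdoor-active-2026-07-02` cannot be compared by any consumer that switches on `activation`, and the same facts are already recorded in the `frontdoor_activation` verification entry. Suggest a fixed token such as `active` here and leave the date and the positive/negative evidence to `verification`. The CCR-2026-0003 hunk at `@@ -71,9 +71,9 @@` has the same shape.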
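Review bot: the `frontdoor_activation` entry added in the CCR-2026-0002 `verification` hunk (`@@ -111,6 +111,16 @@`) states that promotion "followed positive/negative verification recorded 2026-07-02" but does not point at that record, so the gate the CCR's own acceptance relies on (active/resolvable only after positive and negative verification) cannot be checked from this entry alone. Suggest adding the `at` timestamp or `kind` of the verification entry it depends on, and one line in `details` on what the negative check exercised (which access was expected to be refused), so the ordering claim is verifiable. The CCR-2026-0003 entry at `@@ -113,6 +113,16 @@` needs the same reference.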
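Review bot: the 2026-07-02 note in the WP-0005 T07 hunk (`@@ -329,6 +329,18 @@`) records that the helper has "strict/degraded modes" while the only live flex-auth instance 404s on `/credential-grants/authorize`, but it does not say what degraded mode does when the authorize endpoint is absent. If degraded means proceeding without a preflight decision, that is a fail-open path in exactly the condition that exists today, so the note (or the task acceptance) should state that strict mode is the default and that degraded mode is not enabled in deployed configuration until the flex-auth endpoint exists; if degraded already fails closed, say so in one sentence.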
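Review bot: the T10 closure note (`@@ -432,6 +444,22 @@`) asserts routing consistency across the ops-warden `CredentialRouting.md`/catalog, this repo's rules and State Hub events without citing any evidence identifier, while the WP-0009/WP-0010 notes in the same change cite ops-warden commit `364eb7d`; suggest naming the ops-warden commit and the State Hub event ids that were checked so "routing truth is consistent" is reproducible. Also, phase 2 (platform-readonly diagnostics) is deferred because it adds a new access surface that needs its own operator-approved grant entry, but no tracking task or workplan id is named; a deferred access surface needs an owner and an id or it drops out of the plan.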
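Review bot: the WP-0009 frontmatter flips `status: active` to `finished` (`@@ -4,13 +4,13 @@`), but the only task whose status changes in this diff is T06 (`wait` to `done`), and the context lines show a following task, `## T07 - Record lifecycle operations`, whose state is not visible here. Confirm T07 is done (or explicitly out of scope) before marking the workplan finished; for a credential lane, the lifecycle operations (the `deactivate`/`rotate` entries in the CCR `lifecycle` block) are the part that matters after activation.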
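Review bot: in the WP-0009 T06 note (`@@ -245,6 +245,17 @@`), the evidence that the entry is resolvable is a live `warden route show issue-core-ingestion-api-key --json` query, which reflects current ops-warden state rather than a stored record; suggest capturing the non-secret `status`/`resolvable` fields of that output into the CCR-2026-0002 `verification` details or the State Hub task so the gate survives later catalog edits. The WP-0010 T06 note at `@@ -259,6 +259,17 @@` relies on the same live query for `openrouter-llm-connect`.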
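Review bot: the WP-0010 frontmatter flips `status: active` to `finished` (`@@ -4,13 +4,13 @@` in `RAILIANCE-WP-0010-llm-connect-openrouter-provider-key-lane.md`), but only T06 changes state in this diff (`wait` to `done`) and the context still shows `## T07 - Record lifecycle operations` after it with no visible status. Either include T07's completion in this change or keep the workplan `active` until the rotate/deactivate operations named in the CCR-2026-0003 `lifecycle` block are recorded.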