RAILIANCE-WP-0009/0010 finished: front doors active; WP-0005 T10 done

- CCR-2026-0002/0003: frontdoor_activation evidence recorded, status active,
  readiness ready/resolvable (ops-warden catalog promotion commit 364eb7d)
- WP-0009/0010 T06 done; both workplans finished
- WP-0005 T10 closed on acceptance (fast path, break-glass, routing truth
  consistent); phase-2 readonly-diagnostics grant deferred as follow-up
- WP-0005 T07 stays wait: flex-auth lacks a credential-grant authorization
  surface (capability request sent, State Hub message 893ff109)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
2026-07-02 20:54:29 +02:00
parent d284fea400
commit 4936b8970b
5 changed files with 86 additions and 16 deletions

View File

@@ -3,7 +3,7 @@ kind: credential-change-request
schema_version: 1
request_type: workload-kv-read
title: issue-core runtime ingestion key lane
status: applied
status: active
created: '2026-06-27'
updated: '2026-07-02'
requester:
@@ -66,9 +66,9 @@ access_frontdoor:
catalog_id: issue-core-ingestion-api-key
selector: issue-core ingestion API key
command: warden access issue-core-ingestion-api-key --fetch ISSUE_CORE_API_KEY
resolvable: false
readiness: template
activation: draft-until-ccr-verified
resolvable: true
readiness: ready
activation: verified-positive-and-negative-access-frontdoor-active-2026-07-02
delivery:
surface: external-secrets
target: ExternalSecret issue-core/issue-core-runtime -> Secret issue-core-runtime
@@ -111,6 +111,16 @@ verification:
- 'Policy metadata write: sys/policies/acl/workload-kv-read-issue-core-runtime'
- 'Auth role metadata write: auth/kubernetes/role/external-secrets-issue-core'
- No secret values were read, written, printed, or accepted in argv.
- at: '2026-07-02T18:49:04+00:00'
actor: railiance-platform
kind: frontdoor_activation
result: passed
details:
- 'ops-warden promoted catalog id issue-core-ingestion-api-key to status active
(ops-warden commit 364eb7d, reviewed 2026-07-02): entry is exec_capable and
resolvable with zero-placeholder handoff; ops-warden proxies reads as the caller
and holds no secret value. Promotion followed positive/negative verification
recorded 2026-07-02.'
lifecycle:
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
rotate: Replace issue-core runtime secret values directly in OpenBao and record

View File

@@ -3,7 +3,7 @@ kind: credential-change-request
schema_version: 1
request_type: workload-kv-read
title: llm-connect OpenRouter provider key lane
status: applied
status: active
created: '2026-06-27'
updated: '2026-07-02'
requester:
@@ -71,9 +71,9 @@ access_frontdoor:
catalog_id: openrouter-llm-connect
selector: llm-connect OpenRouter API key
command: warden access openrouter-llm-connect --fetch OPENROUTER_API_KEY
resolvable: false
readiness: template
activation: draft-until-ccr-verified
resolvable: true
readiness: ready
activation: verified-positive-and-negative-access-frontdoor-active-2026-07-02
delivery:
surface: external-secrets
target: ExternalSecret to Secret llm-connect-provider-secrets in the activity-core
@@ -113,6 +113,16 @@ verification:
- 'Policy metadata write: sys/policies/acl/workload-kv-read-llm-connect-provider-secrets'
- 'Auth role metadata write: auth/kubernetes/role/external-secrets-activity-core'
- No secret values were read, written, printed, or accepted in argv.
- at: '2026-07-02T18:49:08+00:00'
actor: railiance-platform
kind: frontdoor_activation
result: passed
details:
- 'ops-warden promoted catalog id openrouter-llm-connect to status active (ops-warden
commit 364eb7d, reviewed 2026-07-02): entry is exec_capable and resolvable with
zero-placeholder handoff; ops-warden proxies reads as the caller and holds no
provider key value. Promotion followed positive/negative verification recorded
2026-07-02.'
lifecycle:
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
rotate: Replace OPENROUTER_API_KEY directly in OpenBao and record non-secret rotation