RAILIANCE-WP-0009/0010 finished: front doors active; WP-0005 T10 done
- CCR-2026-0002/0003: frontdoor_activation evidence recorded, status active, readiness ready/resolvable (ops-warden catalog promotion commit 364eb7d) - WP-0009/0010 T06 done; both workplans finished - WP-0005 T10 closed on acceptance (fast path, break-glass, routing truth consistent); phase-2 readonly-diagnostics grant deferred as follow-up - WP-0005 T07 stays wait: flex-auth lacks a credential-grant authorization surface (capability request sent, State Hub message 893ff109) Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
@@ -3,7 +3,7 @@ kind: credential-change-request
|
||||
schema_version: 1
|
||||
request_type: workload-kv-read
|
||||
title: issue-core runtime ingestion key lane
|
||||
status: applied
|
||||
status: active
|
||||
created: '2026-06-27'
|
||||
updated: '2026-07-02'
|
||||
requester:
|
||||
@@ -66,9 +66,9 @@ access_frontdoor:
|
||||
catalog_id: issue-core-ingestion-api-key
|
||||
selector: issue-core ingestion API key
|
||||
command: warden access issue-core-ingestion-api-key --fetch ISSUE_CORE_API_KEY
|
||||
resolvable: false
|
||||
readiness: template
|
||||
activation: draft-until-ccr-verified
|
||||
resolvable: true
|
||||
readiness: ready
|
||||
activation: verified-positive-and-negative-access-frontdoor-active-2026-07-02
|
||||
delivery:
|
||||
surface: external-secrets
|
||||
target: ExternalSecret issue-core/issue-core-runtime -> Secret issue-core-runtime
|
||||
@@ -111,6 +111,16 @@ verification:
|
||||
- 'Policy metadata write: sys/policies/acl/workload-kv-read-issue-core-runtime'
|
||||
- 'Auth role metadata write: auth/kubernetes/role/external-secrets-issue-core'
|
||||
- No secret values were read, written, printed, or accepted in argv.
|
||||
- at: '2026-07-02T18:49:04+00:00'
|
||||
actor: railiance-platform
|
||||
kind: frontdoor_activation
|
||||
result: passed
|
||||
details:
|
||||
- 'ops-warden promoted catalog id issue-core-ingestion-api-key to status active
|
||||
(ops-warden commit 364eb7d, reviewed 2026-07-02): entry is exec_capable and
|
||||
resolvable with zero-placeholder handoff; ops-warden proxies reads as the caller
|
||||
and holds no secret value. Promotion followed positive/negative verification
|
||||
recorded 2026-07-02.'
|
||||
lifecycle:
|
||||
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
|
||||
rotate: Replace issue-core runtime secret values directly in OpenBao and record
|
||||
|
||||
@@ -3,7 +3,7 @@ kind: credential-change-request
|
||||
schema_version: 1
|
||||
request_type: workload-kv-read
|
||||
title: llm-connect OpenRouter provider key lane
|
||||
status: applied
|
||||
status: active
|
||||
created: '2026-06-27'
|
||||
updated: '2026-07-02'
|
||||
requester:
|
||||
@@ -71,9 +71,9 @@ access_frontdoor:
|
||||
catalog_id: openrouter-llm-connect
|
||||
selector: llm-connect OpenRouter API key
|
||||
command: warden access openrouter-llm-connect --fetch OPENROUTER_API_KEY
|
||||
resolvable: false
|
||||
readiness: template
|
||||
activation: draft-until-ccr-verified
|
||||
resolvable: true
|
||||
readiness: ready
|
||||
activation: verified-positive-and-negative-access-frontdoor-active-2026-07-02
|
||||
delivery:
|
||||
surface: external-secrets
|
||||
target: ExternalSecret to Secret llm-connect-provider-secrets in the activity-core
|
||||
@@ -113,6 +113,16 @@ verification:
|
||||
- 'Policy metadata write: sys/policies/acl/workload-kv-read-llm-connect-provider-secrets'
|
||||
- 'Auth role metadata write: auth/kubernetes/role/external-secrets-activity-core'
|
||||
- No secret values were read, written, printed, or accepted in argv.
|
||||
- at: '2026-07-02T18:49:08+00:00'
|
||||
actor: railiance-platform
|
||||
kind: frontdoor_activation
|
||||
result: passed
|
||||
details:
|
||||
- 'ops-warden promoted catalog id openrouter-llm-connect to status active (ops-warden
|
||||
commit 364eb7d, reviewed 2026-07-02): entry is exec_capable and resolvable with
|
||||
zero-placeholder handoff; ops-warden proxies reads as the caller and holds no
|
||||
provider key value. Promotion followed positive/negative verification recorded
|
||||
2026-07-02.'
|
||||
lifecycle:
|
||||
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
|
||||
rotate: Replace OPENROUTER_API_KEY directly in OpenBao and record non-secret rotation
|
||||
|
||||
Reference in New Issue
Block a user