RAILIANCE-WP-0009/0010 finished: front doors active; WP-0005 T10 done
- CCR-2026-0002/0003: frontdoor_activation evidence recorded, status active, readiness ready/resolvable (ops-warden catalog promotion commit 364eb7d)
- WP-0009/0010 T06 done; both workplans finished
- WP-0005 T10 closed on acceptance (fast path, break-glass, routing truth consistent); phase-2 readonly-diagnostics grant deferred as follow-up
- WP-0005 T07 stays wait: flex-auth lacks a credential-grant authorization surface (capability request sent, State Hub message 893ff109)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@@ -3,7 +3,7 @@ kind: credential-change-request
|
|||||||
schema_version: 1
|
schema_version: 1
|
||||||
request_type: workload-kv-read
|
request_type: workload-kv-read
|
||||||
title: issue-core runtime ingestion key lane
|
title: issue-core runtime ingestion key lane
|
||||||
status: applied
|
status: active
|
||||||
created: '2026-06-27'
|
created: '2026-06-27'
|
||||||
updated: '2026-07-02'
|
updated: '2026-07-02'
|
||||||
requester:
|
requester:
|
||||||
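Review bot: `status` moves from `applied` to `active` while `schema_version: 1` is unchanged; confirm that `active` is already an allowed `status` value in the schema-version-1 CCR definition (and that consumers treat `applied` and `active` as distinct states), or bump `schema_version` alongside the new value.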
@@ -66,9 +66,9 @@ access_frontdoor:
|
|||||||
catalog_id: issue-core-ingestion-api-key
|
catalog_id: issue-core-ingestion-api-key
|
||||||
selector: issue-core ingestion API key
|
selector: issue-core ingestion API key
|
||||||
command: warden access issue-core-ingestion-api-key --fetch ISSUE_CORE_API_KEY
|
command: warden access issue-core-ingestion-api-key --fetch ISSUE_CORE_API_KEY
|
||||||
resolvable: false
|
resolvable: true
|
||||||
readiness: template
|
readiness: ready
|
||||||
activation: draft-until-ccr-verified
|
activation: verified-positive-and-negative-access-frontdoor-active-2026-07-02
|
||||||
delivery:
|
delivery:
|
||||||
surface: external-secrets
|
surface: external-secrets
|
||||||
target: ExternalSecret issue-core/issue-core-runtime -> Secret issue-core-runtime
|
target: ExternalSecret issue-core/issue-core-runtime -> Secret issue-core-runtime
|
||||||
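Review bot: the `activation:` value `verified-positive-and-negative-access-frontdoor-active-2026-07-02` packs the verification outcome, the surface and the date into one free-form string; the same facts now live in the structured `frontdoor_activation` verification entry this change adds, so consider keeping `activation` as a short marker (for example `active`) and letting the entry carry the date and result. Also, `resolvable: true` and `readiness: ready` are copied here by hand from ops-warden state; a pointer to the catalog revision they were read from (the evidence entry cites commit 364eb7d) would keep this record auditable if the catalog changes later.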
@@ -111,6 +111,16 @@ verification:
|
|||||||
- 'Policy metadata write: sys/policies/acl/workload-kv-read-issue-core-runtime'
|
- 'Policy metadata write: sys/policies/acl/workload-kv-read-issue-core-runtime'
|
||||||
- 'Auth role metadata write: auth/kubernetes/role/external-secrets-issue-core'
|
- 'Auth role metadata write: auth/kubernetes/role/external-secrets-issue-core'
|
||||||
- No secret values were read, written, printed, or accepted in argv.
|
- No secret values were read, written, printed, or accepted in argv.
|
||||||
|
- at: '2026-07-02T18:49:04+00:00'
|
||||||
|
actor: railiance-platform
|
||||||
|
kind: frontdoor_activation
|
||||||
|
result: passed
|
||||||
|
details:
|
||||||
|
- 'ops-warden promoted catalog id issue-core-ingestion-api-key to status active
|
||||||
|
(ops-warden commit 364eb7d, reviewed 2026-07-02): entry is exec_capable and
|
||||||
|
resolvable with zero-placeholder handoff; ops-warden proxies reads as the caller
|
||||||
|
and holds no secret value. Promotion followed positive/negative verification
|
||||||
|
recorded 2026-07-02.'
|
||||||
lifecycle:
|
lifecycle:
|
||||||
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
|
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
|
||||||
rotate: Replace issue-core runtime secret values directly in OpenBao and record
|
rotate: Replace issue-core runtime secret values directly in OpenBao and record
|
||||||
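Review bot: the new `frontdoor_activation` entry records the outcome and the ops-warden commit but, unlike the preceding verification bullets (policy metadata write, auth role metadata write, no secret values in argv), not the checks actually performed to establish `exec_capable` and `resolvable`; add the command used (the WP-0009 T06 note in this same change names `warden route show issue-core-ingestion-api-key --json`) and an explicit statement that no secret value was fetched during the activation check, so the "holds no secret value" claim is verifiable from this record rather than restated.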
|
|||||||
@@ -3,7 +3,7 @@ kind: credential-change-request
|
|||||||
schema_version: 1
|
schema_version: 1
|
||||||
request_type: workload-kv-read
|
request_type: workload-kv-read
|
||||||
title: llm-connect OpenRouter provider key lane
|
title: llm-connect OpenRouter provider key lane
|
||||||
status: applied
|
status: active
|
||||||
created: '2026-06-27'
|
created: '2026-06-27'
|
||||||
updated: '2026-07-02'
|
updated: '2026-07-02'
|
||||||
requester:
|
requester:
|
||||||
@@ -71,9 +71,9 @@ access_frontdoor:
|
|||||||
catalog_id: openrouter-llm-connect
|
catalog_id: openrouter-llm-connect
|
||||||
selector: llm-connect OpenRouter API key
|
selector: llm-connect OpenRouter API key
|
||||||
command: warden access openrouter-llm-connect --fetch OPENROUTER_API_KEY
|
command: warden access openrouter-llm-connect --fetch OPENROUTER_API_KEY
|
||||||
resolvable: false
|
resolvable: true
|
||||||
readiness: template
|
readiness: ready
|
||||||
activation: draft-until-ccr-verified
|
activation: verified-positive-and-negative-access-frontdoor-active-2026-07-02
|
||||||
delivery:
|
delivery:
|
||||||
surface: external-secrets
|
surface: external-secrets
|
||||||
target: ExternalSecret to Secret llm-connect-provider-secrets in the activity-core
|
target: ExternalSecret to Secret llm-connect-provider-secrets in the activity-core
|
||||||
@@ -113,6 +113,16 @@ verification:
|
|||||||
- 'Policy metadata write: sys/policies/acl/workload-kv-read-llm-connect-provider-secrets'
|
- 'Policy metadata write: sys/policies/acl/workload-kv-read-llm-connect-provider-secrets'
|
||||||
- 'Auth role metadata write: auth/kubernetes/role/external-secrets-activity-core'
|
- 'Auth role metadata write: auth/kubernetes/role/external-secrets-activity-core'
|
||||||
- No secret values were read, written, printed, or accepted in argv.
|
- No secret values were read, written, printed, or accepted in argv.
|
||||||
|
- at: '2026-07-02T18:49:08+00:00'
|
||||||
|
actor: railiance-platform
|
||||||
|
kind: frontdoor_activation
|
||||||
|
result: passed
|
||||||
|
details:
|
||||||
|
- 'ops-warden promoted catalog id openrouter-llm-connect to status active (ops-warden
|
||||||
|
commit 364eb7d, reviewed 2026-07-02): entry is exec_capable and resolvable with
|
||||||
|
zero-placeholder handoff; ops-warden proxies reads as the caller and holds no
|
||||||
|
provider key value. Promotion followed positive/negative verification recorded
|
||||||
|
2026-07-02.'
|
||||||
lifecycle:
|
lifecycle:
|
||||||
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
|
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
|
||||||
rotate: Replace OPENROUTER_API_KEY directly in OpenBao and record non-secret rotation
|
rotate: Replace OPENROUTER_API_KEY directly in OpenBao and record non-secret rotation
|
||||||
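Review bot: this entry's `details` text is the CCR-2026-0002 entry with the catalog id swapped and "secret value" replaced by "provider key value", and its `at` timestamp (18:49:08) is four seconds after the 0002 one, which reads as one batched write. State which negative check was run for this lane specifically (for example, a caller outside the `external-secrets-activity-core` role being denied on `OPENROUTER_API_KEY`), or point at the verification entry that holds it, so the two records differ by evidence and not only by id.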
|
|||||||
@@ -10,7 +10,7 @@ topic_slug: railiance
|
|||||||
planning_priority: high
|
planning_priority: high
|
||||||
planning_order: 5
|
planning_order: 5
|
||||||
created: "2026-06-24"
|
created: "2026-06-24"
|
||||||
updated: "2026-07-01"
|
updated: "2026-07-02"
|
||||||
depends_on_workplans:
|
depends_on_workplans:
|
||||||
- RAIL-PL-WP-0002
|
- RAIL-PL-WP-0002
|
||||||
state_hub_workstream_id: "2731fece-6c49-45b8-ab8a-4ea6c04ac603"
|
state_hub_workstream_id: "2731fece-6c49-45b8-ab8a-4ea6c04ac603"
|
||||||
@@ -329,6 +329,18 @@ The helper records only non-secret metadata. T07 is `wait` until a live flex-aut
|
|||||||
credential authorization endpoint is available and the OpenBao live gate is
|
credential authorization endpoint is available and the OpenBao live gate is
|
||||||
cleared.
|
cleared.
|
||||||
|
|
||||||
|
**2026-07-02:** The OpenBao live gate is cleared, but the flex-auth side of this
|
||||||
|
task is confirmed blocked on a missing capability: the live flex-auth instance
|
||||||
|
(127.0.0.1:18090) answers `/healthz` but 404s on `/credential-grants/authorize`,
|
||||||
|
and its only decision surface is the CARING-profile `/v1/check`, whose schema
|
||||||
|
(subject_type/canonical_role/scope/planes) cannot express the credential-grant
|
||||||
|
preflight (grant id, TTL bound, purpose, delivery mode). No FLEX-WP workplan
|
||||||
|
covers this endpoint. Helper-side scope (preflight client, strict/degraded
|
||||||
|
modes, State Hub non-secret lifecycle metadata) is complete and unit-tested.
|
||||||
|
Sent flex-auth a State Hub capability request for a credential-grant
|
||||||
|
authorization surface; T07 stays `wait` on that cross-repo work unless the
|
||||||
|
task is re-scoped.
|
||||||
|
|
||||||
## T08 - Integrate ops-warden smoke and routing catalog
|
## T08 - Integrate ops-warden smoke and routing catalog
|
||||||
|
|
||||||
```task
|
```task
|
||||||
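Review bot: the context sentence directly above ("T07 is `wait` until a live flex-auth credential authorization endpoint is available and the OpenBao live gate is cleared") is now half stale, since the new note records the OpenBao gate as cleared; reword it to name only the remaining blocker (the flex-auth credential-grant authorization surface). Separately, the note says the helper has `strict/degraded` modes: state here whether degraded mode fails closed for credential grants while `/credential-grants/authorize` returns 404, because a degraded mode that proceeds without an authorization decision would bypass the preflight this task exists to add. Finally, the State Hub capability request is mentioned without an identifier; the commit message cites message 893ff109, so record it in the note.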
@@ -405,7 +417,7 @@ items are met.
|
|||||||
|
|
||||||
```task
|
```task
|
||||||
id: RAILIANCE-WP-0005-T10
|
id: RAILIANCE-WP-0005-T10
|
||||||
status: progress
|
status: done
|
||||||
priority: medium
|
priority: medium
|
||||||
state_hub_task_id: "44ce4082-fa8f-44d0-8f86-172d14ecfb0e"
|
state_hub_task_id: "44ce4082-fa8f-44d0-8f86-172d14ecfb0e"
|
||||||
```
|
```
|
||||||
@@ -432,6 +444,22 @@ external routing-doc/catalog updates.
|
|||||||
|
|
||||||
**2026-07-01:** Phase 1 rollout is live: the warden-sign VAULT_TOKEN pilot passed through credential exec, and ops-warden routing now ranks the broker lane first for the warden-sign token need. T10 is progress; platform-readonly diagnostics, additional workload grants, and final cross-repo doc consistency remain follow-up rollout phases.
|
**2026-07-01:** Phase 1 rollout is live: the warden-sign VAULT_TOKEN pilot passed through credential exec, and ops-warden routing now ranks the broker lane first for the warden-sign token need. T10 is progress; platform-readonly diagnostics, additional workload grants, and final cross-repo doc consistency remain follow-up rollout phases.
|
||||||
|
|
||||||
|
**2026-07-02:** T10 closed on its acceptance criteria. (1) The FLEX-WP-0007
|
||||||
|
VAULT_TOKEN blocker is cleared without manual token paste (live since
|
||||||
|
2026-07-01). (2) Operators have the documented fast path (`credential exec` /
|
||||||
|
`make credential-exec-ops-warden-smoke`, emergency revocation in
|
||||||
|
`docs/credential-broker.md`) and break-glass path (root-token/unseal ceremony
|
||||||
|
in `docs/openbao.md`). (3) Routing truth is consistent: ops-warden
|
||||||
|
`CredentialRouting.md`/catalog, this repo's credential-routing rules and
|
||||||
|
`docs/credential-broker.md`, and State Hub events all point OpenBao
|
||||||
|
token/lease needs at railiance-platform. Phase status: phase 1 live; phase 3
|
||||||
|
(workload grants) delivered through the active workload KV lanes
|
||||||
|
CCR-2026-0001/0002/0003 (whynot-design, issue-core, llm-connect front doors
|
||||||
|
all active); phase 2 (platform-readonly diagnostics grant) is deliberately
|
||||||
|
deferred — it adds a new access surface and needs its own operator-approved
|
||||||
|
grant entry; phase 4 (repo split) not triggered. Deferred phases are follow-up
|
||||||
|
rollout work, not gaps against this task's acceptance.
|
||||||
|
|
||||||
## Exit Criteria
|
## Exit Criteria
|
||||||
|
|
||||||
- A policy-approved actor can request or exec with a short-lived OpenBao token without seeing or pasting the raw token.
|
- A policy-approved actor can request or exec with a short-lived OpenBao token without seeing or pasting the raw token.
|
||||||
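Review bot: item (3) asserts routing truth is consistent across the ops-warden `CredentialRouting.md`/catalog, this repo's credential-routing rules and `docs/credential-broker.md`, and State Hub events, but names no revision for any of them; add the ops-warden commit (364eb7d per the CCR evidence in this change) and the paths or revisions checked so the claim can be re-verified. The phase-2 deferral rationale ("adds a new access surface and needs its own operator-approved grant entry") is sound, but since this task is now `done` the deferral should also be recorded as an explicit follow-up task id rather than only in this dated note.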
|
|||||||
@@ -4,13 +4,13 @@ type: workplan
|
|||||||
title: "Issue-Core Runtime Ingestion Credential Lane"
|
title: "Issue-Core Runtime Ingestion Credential Lane"
|
||||||
domain: financials
|
domain: financials
|
||||||
repo: railiance-platform
|
repo: railiance-platform
|
||||||
status: active
|
status: finished
|
||||||
owner: codex
|
owner: codex
|
||||||
topic_slug: railiance
|
topic_slug: railiance
|
||||||
planning_priority: high
|
planning_priority: high
|
||||||
planning_order: 9
|
planning_order: 9
|
||||||
created: "2026-06-29"
|
created: "2026-06-29"
|
||||||
updated: "2026-06-30"
|
updated: "2026-07-02"
|
||||||
depends_on_workplans:
|
depends_on_workplans:
|
||||||
- RAIL-PL-WP-0002
|
- RAIL-PL-WP-0002
|
||||||
- RAILIANCE-WP-0004
|
- RAILIANCE-WP-0004
|
||||||
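Review bot: the workplan `status` flips to `finished`, but the only task status change in this file's diff is T06 (`wait` to `done`); T07 "Record lifecycle operations" follows T06 in context and its status is not visible here. Confirm T07 and any other remaining tasks were already `done` before this change, or leave the workplan `active` until they are.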
@@ -226,7 +226,7 @@ Acceptance:
|
|||||||
|
|
||||||
```task
|
```task
|
||||||
id: RAILIANCE-WP-0009-T06
|
id: RAILIANCE-WP-0009-T06
|
||||||
status: wait
|
status: done
|
||||||
priority: medium
|
priority: medium
|
||||||
state_hub_task_id: "0d9a02da-c032-43d5-8019-61ab4d87b40b"
|
state_hub_task_id: "0d9a02da-c032-43d5-8019-61ab4d87b40b"
|
||||||
```
|
```
|
||||||
@@ -245,6 +245,17 @@ Acceptance:
|
|||||||
- The CCR front-door readiness becomes active/resolvable only after positive
|
- The CCR front-door readiness becomes active/resolvable only after positive
|
||||||
and negative verification.
|
and negative verification.
|
||||||
|
|
||||||
|
**2026-07-02:** T06 done. ops-warden promoted catalog id
|
||||||
|
`issue-core-ingestion-api-key` from draft to active (ops-warden commit
|
||||||
|
`364eb7d`) following its own promotion checklist: concrete zero-placeholder
|
||||||
|
handoff (`warden route show issue-core-ingestion-api-key --json` reports
|
||||||
|
`status: active`, `resolvable: true`), playbook gate marked met, draft tables
|
||||||
|
updated, routing tests passing (45/45). The entry carries pointers only —
|
||||||
|
ops-warden proxies reads as the caller and holds no secret value.
|
||||||
|
`CCR-2026-0002` recorded the `frontdoor_activation` evidence and moved to
|
||||||
|
`status: active` with `readiness: ready`. Promotion happened only after the
|
||||||
|
2026-07-02 positive/negative verification.
|
||||||
|
|
||||||
## T07 - Record lifecycle operations
|
## T07 - Record lifecycle operations
|
||||||
|
|
||||||
```task
|
```task
|
||||||
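Review bot: the acceptance bullet directly above requires activation "only after positive and negative verification", and the note says promotion followed the 2026-07-02 verification, but it does not say where that verification is recorded; add a pointer to the `CCR-2026-0002` verification entries (this same change adds the `frontdoor_activation` entry there) so the acceptance is auditable from the workplan. "draft tables updated" is also too vague to re-check; name the tables or the ops-warden path that changed.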
|
|||||||
@@ -4,13 +4,13 @@ type: workplan
|
|||||||
title: "llm-connect OpenRouter Provider Key Lane"
|
title: "llm-connect OpenRouter Provider Key Lane"
|
||||||
domain: financials
|
domain: financials
|
||||||
repo: railiance-platform
|
repo: railiance-platform
|
||||||
status: active
|
status: finished
|
||||||
owner: codex
|
owner: codex
|
||||||
topic_slug: railiance
|
topic_slug: railiance
|
||||||
planning_priority: high
|
planning_priority: high
|
||||||
planning_order: 10
|
planning_order: 10
|
||||||
created: "2026-06-29"
|
created: "2026-06-29"
|
||||||
updated: "2026-07-01"
|
updated: "2026-07-02"
|
||||||
depends_on_workplans:
|
depends_on_workplans:
|
||||||
- RAIL-PL-WP-0002
|
- RAIL-PL-WP-0002
|
||||||
- RAILIANCE-WP-0004
|
- RAILIANCE-WP-0004
|
||||||
@@ -240,7 +240,7 @@ Acceptance:
|
|||||||
|
|
||||||
```task
|
```task
|
||||||
id: RAILIANCE-WP-0010-T06
|
id: RAILIANCE-WP-0010-T06
|
||||||
status: wait
|
status: done
|
||||||
priority: medium
|
priority: medium
|
||||||
state_hub_task_id: "376de3fe-ef9c-4b57-b238-1ba21ac8bb1c"
|
state_hub_task_id: "376de3fe-ef9c-4b57-b238-1ba21ac8bb1c"
|
||||||
```
|
```
|
||||||
@@ -259,6 +259,17 @@ Acceptance:
|
|||||||
- The CCR front-door readiness becomes active/resolvable only after positive
|
- The CCR front-door readiness becomes active/resolvable only after positive
|
||||||
and negative verification.
|
and negative verification.
|
||||||
|
|
||||||
|
**2026-07-02:** T06 done. ops-warden promoted catalog id
|
||||||
|
`openrouter-llm-connect` from draft to active (ops-warden commit `364eb7d`)
|
||||||
|
following its own promotion checklist: concrete zero-placeholder handoff
|
||||||
|
(`warden route show openrouter-llm-connect --json` reports `status: active`,
|
||||||
|
`resolvable: true`), playbook gate marked met, draft tables updated, routing
|
||||||
|
tests passing (45/45). The entry carries pointers only — ops-warden proxies
|
||||||
|
reads as the caller and holds no provider key value. `CCR-2026-0003` recorded
|
||||||
|
the `frontdoor_activation` evidence and moved to `status: active` with
|
||||||
|
`readiness: ready`. Promotion happened only after the 2026-07-02
|
||||||
|
positive/negative verification.
|
||||||
|
|
||||||
## T07 - Record lifecycle operations
|
## T07 - Record lifecycle operations
|
||||||
|
|
||||||
```task
|
```task
|
||||||
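Review bot: this note and the WP-0009 T06 note both cite "routing tests passing (45/45)" and the same ops-warden commit `364eb7d`; say whether that is one test run covering both lane promotions or two separate runs, since as written each workplan claims the result independently and a reader cannot tell whether the llm-connect lane was exercised on its own. As for WP-0009, link the `CCR-2026-0003` verification entries that the "positive/negative verification" sentence relies on.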
|
|||||||