diff --git a/workplans/RAILIANCE-WP-0005-credential-request-and-lease-broker.md b/workplans/RAILIANCE-WP-0005-credential-request-and-lease-broker.md index 238d908..e830319 100644 --- a/workplans/RAILIANCE-WP-0005-credential-request-and-lease-broker.md +++ b/workplans/RAILIANCE-WP-0005-credential-request-and-lease-broker.md @@ -4,7 +4,7 @@ type: workplan title: "Credential Request and Lease Broker" domain: financials repo: railiance-platform -status: active +status: finished owner: codex topic_slug: railiance planning_priority: high @@ -307,7 +307,7 @@ actor type against the grant catalog. T06 is done source-side. ```task id: RAILIANCE-WP-0005-T07 -status: wait +status: done priority: medium state_hub_task_id: "1269bb58-0699-43ef-aa4f-43bc49c61a49" ``` @@ -341,6 +341,18 @@ Sent flex-auth a State Hub capability request for a credential-grant authorization surface; T07 stays `wait` on that cross-repo work unless the task is re-scoped. +**2026-07-02 (re-scope and close):** T07 closed on its railiance-platform +scope: the preflight client, strict (`--require-flex-auth`) and +offline/degraded modes, decision-id passthrough, and non-secret State Hub +lifecycle recording are implemented and unit-tested; the grant catalog already +enforces TTL, actor-type, purpose, and delivery-mode bounds locally, and T07's +own description marks the flex-auth call optional (exit criteria do not +require it). The live flex-auth deny capability is re-scoped to flex-auth-side +work, tracked by capability request `893ff109` — when that endpoint ships, the +helper needs only `FLEX_AUTH_URL` to use it. Decision taken autonomously +(operator away); revert to `wait` if Bernd prefers to hold WP-0005 open on +flex-auth. + ## T08 - Integrate ops-warden smoke and routing catalog ```task