Add credential lane readiness proposals
@@ -30,7 +30,7 @@ holding secret values itself.
The immediate request is for `whynot-design` to retrieve its npm publish token.
The path must be concrete, policy-scoped, and documented so the ops-warden
catalog can replace the current unresolved template path with a live
`whynot-design-npm-token` entry.
`whynot-design-npm-publish` entry.

No task in this workplan may paste, commit, log, or send secret values through
Git, State Hub, chat, prompts, or workplan text.
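Review bot: the rename of the catalog entry from `whynot-design-npm-token` to `whynot-design-npm-publish` in this hunk is not mentioned in the commit message ("Add credential lane readiness proposals"), yet this workplan is the contract ops-warden builds its catalog entry from. Say in the commit body why the entry id changed, and confirm the same rename is applied on the ops-warden side, since any reference that still uses the old id will point at an entry that no longer exists.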
@@ -47,7 +47,7 @@ Ops-warden message `551031d1-335e-4db8-9535-820fea52d0a3` asks
- the flex-auth policy reference, if pre-approval is required.

Once these pointers are live, ops-warden will add a dedicated
`whynot-design-npm-token` access catalog entry and a playbook, then notify
`whynot-design-npm-publish` access catalog entry and a playbook, then notify
whynot-design.

## Proposed Contract
@@ -248,7 +248,7 @@ Acceptance:

- The State Hub reply to ops-warden includes only path, field, KV mount,
OIDC role, policy name/path, optional flex-auth ref, and runbook location.
- Ops-warden confirms the `whynot-design-npm-token` catalog entry no longer
- Ops-warden confirms the `whynot-design-npm-publish` catalog entry no longer
contains unresolved placeholders.
- `warden access "npm auth token" --fetch` or the agreed exact selector resolves
to the whynot-design lane and proxies the read as the caller.
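Review bot: the acceptance line `warden access "npm auth token" --fetch` or the agreed exact selector` still relies on a free-text selector that does not contain the renamed entry id `whynot-design-npm-publish`; with sibling lanes (`issue-core-ingestion-api-key`, `llm-connect-openrouter-api-key`) being proposed into the same catalog later in this commit, a fuzzy selector can resolve to the wrong lane. Pin the acceptance check to the exact entry id as the selector, and state that an ambiguous selector must fail closed (deny or prompt) rather than pick a lane.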
@@ -281,10 +281,11 @@ Acceptance:
- If batching is deferred, notify ops-warden that this workplan will deliver
whynot-design first and leave the sibling entries for separate planning.

**2026-06-27:** Deferred sibling lanes (`issue-core-ingestion-api-key` and
`openrouter-llm-connect`) so the whynot-design npm token request can be serviced
first. They should get concrete tasks or a follow-up workplan after this access
lane pattern is validated.
**2026-06-27:** Initially deferred sibling lanes (`issue-core-ingestion-api-key`
and `openrouter-llm-connect`) so the whynot-design npm token request could be
serviced first. The later ops-warden batch follow-up is now represented as
proposed CCRs in `RAILIANCE-WP-0007`, still unapproved and unresolvable until
human review and verification.

## Exit Criteria

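Review bot: the replacement `**2026-06-27:**` entry rewrites the earlier note of the same date in place instead of appending, so the workplan loses the record that the sibling lanes were once left for separate planning with no CCRs at all. These dated notes are the log ops-warden and reviewers read; keep the original sentence and append the `RAILIANCE-WP-0007` update as its own entry, and give the path of the proposed CCRs so a reader can find them without guessing.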
@@ -294,5 +295,5 @@ lane pattern is validated.
ops-warden without ops-warden storing the value.
- Unauthorized reads are denied.
- ops-warden has enough non-secret pointers to activate
`whynot-design-npm-token`.
`whynot-design-npm-publish`.
- No secret values appear in Git, State Hub, chat, prompts, logs, or workplans.
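Review bot: the Exit Criteria only pick up the entry rename; nothing here ties completion to the new `access_frontdoor.readiness` / `access_frontdoor.resolvable` fields this commit introduces. Add a criterion that the CCR for `whynot-design-npm-publish` is `resolvable: true` with a non-`template` readiness only after approval, OpenBao apply and verification, so "enough non-secret pointers to activate" has a machine-checkable definition instead of a judgement call.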
@@ -119,7 +119,7 @@ Acceptance:

**2026-06-27:** Added `schemas/credential-change-request.schema.yaml`, the
`credential-change-requests/` storage directory, and
`credential-change-requests/CCR-2026-0001-whynot-design-npm-token.yaml` as the
`credential-change-requests/CCR-2026-0001-whynot-design-npm-publish.yaml` as the
first non-secret CCR fixture. The whynot CCR is intentionally `proposed` and
marks the bound claim as unconfirmed, so apply is blocked until review.

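Review bot: this hunk renames the fixture reference to `credential-change-requests/CCR-2026-0001-whynot-design-npm-publish.yaml` in prose only; check that `tests/test_credential_change.py` (which the T03 note says covers the fixture) and the lane id inside the YAML use the same name, otherwise the test either fails to load the fixture or passes against a stale file that still carries the old `npm-token` id.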
@@ -148,7 +148,9 @@ Acceptance:
plus Make targets `credential-change-validate` and `credential-change-render`.
Validation rejects secret-looking markers and broad/unsafe request shapes; render
produces the chat/State Hub review summary and highlights unconfirmed bound
claims. Unit coverage lives in `tests/test_credential_change.py`.
claims. CCRs now also carry machine-readable front-door readiness fields:
`access_frontdoor.readiness` and `access_frontdoor.resolvable`. Unit coverage
lives in `tests/test_credential_change.py`.

## T04 - Generate OpenBao apply plans from approved CCRs

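Review bot: the new `access_frontdoor.readiness` and `access_frontdoor.resolvable` fields need a validation rule, not only a schema slot. The note says validation rejects secret-looking markers and broad/unsafe request shapes, but nothing here says it rejects `resolvable: true` on a CCR that is still `proposed`, has `readiness: template`, or carries an unconfirmed bound claim. Since ops-warden will read these fields to decide whether a lane is live, make `resolvable: true` legal only once the CCR is approved, applied and verified, and constrain `readiness` to an enumerated set so a typo cannot read as ready.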
@@ -201,8 +203,10 @@ Acceptance:

**2026-06-27:** Added file-backed `approve`, `deny`, and `needs-changes`
commands that require reviewer and comment text and append non-secret review
comments to the CCR. Remaining T05 work is State Hub decision-event emission and
tighter chat integration.
comments to the CCR. Added `status` plus Make targets
`credential-change-status` and `credential-change-status-json` so ops-warden can
consume `readiness`/`resolvable` without scraping prose. Remaining T05 work is
State Hub decision-event emission and tighter chat integration.

## T06 - Build an interactive runbook for apply and verify

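Review bot: `credential-change-status-json` is presented as the interface ops-warden will consume instead of scraping prose, which makes its output shape a contract; document the JSON keys (`readiness`, `resolvable`, and whatever identifier and status keys it emits) and the allowed `readiness` values alongside the schema, and state that `status` is read-only and emits nothing beyond the non-secret pointers the contract already allows. Since State Hub decision-event emission is listed as remaining work, say whether those events will carry the same payload so the two formats do not drift.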
@@ -248,6 +252,14 @@ Acceptance:
can be rendered for review. It remains proposed/unapproved with unconfirmed
bound claims, so live apply and ops-warden activation are correctly blocked.

**2026-06-27:** Converted the ops-warden batch follow-up
`fe5b1696-8956-4bd5-9d6f-dbde1901a076` into three proposed CCRs:
`CCR-2026-0001` for `whynot-design-npm-publish`, `CCR-2026-0002` for
`issue-core-ingestion-api-key`, and `CCR-2026-0003` for
`llm-connect-openrouter-api-key`. All three are explicitly `readiness: template`
and `resolvable: false` until owner confirmation, approval, OpenBao apply,
secret provisioning, and verification are complete.

## T08 - Add deactivation, rotation, and compromise flows

```task
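Review bot: the OpenRouter lane is named `llm-connect-openrouter-api-key` for `CCR-2026-0003` here but `openrouter-llm-connect` in the deferral note under `@@ -281,10 +281,11 @@` in the same commit; pick one canonical lane id and use it in both places, because ops-warden matches catalog entries by name and the `npm-token` to `npm-publish` rename in this very commit shows how much churn a mismatch causes. This note also says `CCR-2026-0001` was produced by converting batch follow-up `fe5b1696-8956-4bd5-9d6f-dbde1901a076`, while the T03 note dated the same day says it was added as the first fixture; state which is the origin so the CCR's audit trail is unambiguous.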