RAILIANCE-WP-0010: T04/T05 done — value provisioned, ES lane live, llm-connect verified

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
2026-07-02 12:56:43 +02:00
parent b1b9bc5474
commit b86001fe2b

View File

@@ -194,7 +194,7 @@ Acceptance:
```task
id: RAILIANCE-WP-0010-T04
status: wait
status: done
priority: high
state_hub_task_id: "651f6ec8-b7d6-45e6-9fef-08646ff737c2"
```
@@ -216,7 +216,7 @@ Acceptance:
```task
id: RAILIANCE-WP-0010-T05
status: wait
status: done
priority: high
state_hub_task_id: "d538cfc0-bf68-4889-a5b3-ed94c1679856"
```
@@ -240,7 +240,7 @@ Acceptance:
```task
id: RAILIANCE-WP-0010-T06
status: wait
status: progress
priority: medium
state_hub_task_id: "376de3fe-ef9c-4b57-b238-1ba21ac8bb1c"
```
@@ -304,3 +304,25 @@ activity-core-owner); T01 closes on that approval with the
does not exist yet — the operator must enter `OPENROUTER_API_KEY` through
OpenBao custody. The activity-core namespace also has no ExternalSecret
object for this lane yet. ops-warden checkpoint message: `6b058584`.
## Progress 2026-07-02 — value provisioned, lane live end-to-end
- T04 done: the operator entered `OPENROUTER_API_KEY` directly through OpenBao
custody (KV metadata: version 1, created 2026-07-02T10:18Z). The value never
passed through Git, State Hub, chat, or agent hands.
- T05 done: positive — new `ExternalSecret
activity-core/llm-connect-provider-secrets` (ClusterSecretStore
`openbao-activity-core`, creationPolicy Owner) reached `SecretSynced=True`
at 10:54Z, took ownership of the previously manual Secret, and the
llm-connect deployment rolled out cleanly on the OpenBao-delivered value
(pod ready, 0 restarts, /health probes passing). Negative — default-policy
token denied on the KV path (10:08Z probe, audit-logged). Manifest committed
in llm-connect `dfd2ce7`
(`deploy/k8s/activity-core-llm-connect/externalsecret.yaml`).
- T06 progress: activation update sent to ops-warden; `openrouter-llm-connect`
can now leave draft once the catalog confirmation lands.
- Scope note: this closes the CoulombCore lane the CCR describes. The separate
llm-connect instance on the railiance01 k3s cluster still consumes its
bootstrap-provisioned Secret; migrating it is railiance01-cluster work, not
part of CCR-2026-0003.