CCR-2026-0002/0003 approved + applied via constrained applier; WP-0008 finished, WP-0009/0010 advanced

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-02 12:12:49 +02:00
parent 8395862760
commit ddd916d71c
5 changed files with 103 additions and 15 deletions


@@ -4,7 +4,7 @@ type: workplan
title: "OpenBao Approved Automation Delegation"
domain: financials
repo: railiance-platform
status: active
status: finished
owner: codex
topic_slug: railiance
planning_priority: high
@@ -173,7 +173,7 @@ credential-tests` passed with 28 tests.
```task
id: RAILIANCE-WP-0008-T03
status: progress
status: done
priority: medium
state_hub_task_id: "ff927a19-50fb-4351-8db1-c60a0cce0995"
```
@@ -302,3 +302,24 @@ CCR.
requirements.
- CCR approval, apply, verification, and front-door activation form one
reviewable chain.
## Completion 2026-07-02 — T03 live probe and workplan finish
T03 closed with live positive and negative evidence from a
`credential-change-nonprod-applier` child token (accessor
`pCznHtid1O0vy36QHqMbzu5Y`, revoked after use):
- allowed: `policy_write workload-kv-read-nonprod-probe-test` (test artifact
deleted afterwards by the operator session) and `policy_read
workload-kv-read-issue-core-runtime`;
- denied: `policy_read platform-admin`, out-of-pattern `policy_write
evil-probe-test`, KV secret read on the issue-core path, and
`auth/token/roles/credential-change-nonprod-applier` write;
- all recorded in `/openbao/audit/openbao-audit.log` (2026-07-02T10:09Z
window).
The production applier path was proven the same day: both `CCR-2026-0002`
and `CCR-2026-0003` were applied with a `credential-change-prod-applier`
child token holding only that policy — no `platform-admin` handoff. All
tasks are done; the workplan is finished.
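Review bot: the evidence for the negative probes says the `workload-kv-read-nonprod-probe-test` artifact was "deleted afterwards by the operator session" rather than by the `credential-change-nonprod-applier` child token, so the section should state whether policy deletion is deliberately outside that applier policy; as written a reader cannot tell whether the applier lacks delete rights by design or the probe simply never exercised them. The audit reference `/openbao/audit/openbao-audit.log` (2026-07-02T10:09Z window) would also be easier to verify if the entries were pinned to the recorded accessor `pCznHtid1O0vy36QHqMbzu5Y` or to request ids rather than a minute-level window.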


@@ -157,7 +157,7 @@ applier-dry-run CCR-2026-0002` now blocks only because the CCR is still
```task
id: RAILIANCE-WP-0009-T03
status: wait
status: done
priority: high
state_hub_task_id: "e8566cf4-bb74-4515-b434-7cbf60f9f684"
```
@@ -181,7 +181,7 @@ Acceptance:
```task
id: RAILIANCE-WP-0009-T04
status: wait
status: done
priority: high
state_hub_task_id: "4990fe6a-ae84-4720-bc8d-e026d73a304b"
```
@@ -202,7 +202,7 @@ Acceptance:
```task
id: RAILIANCE-WP-0009-T05
status: wait
status: done
priority: high
state_hub_task_id: "65e83572-2e46-4196-8f4d-4ab35ba8d1a6"
```
@@ -226,7 +226,7 @@ Acceptance:
```task
id: RAILIANCE-WP-0009-T06
status: wait
status: progress
priority: medium
state_hub_task_id: "0d9a02da-c032-43d5-8019-61ab4d87b40b"
```
@@ -274,3 +274,22 @@ Acceptance:
- ops-warden can resolve `issue-core-ingestion-api-key` without storing the
value.
- No secret values appear in Git, State Hub, chat, prompts, logs, or workplans.
## Progress 2026-07-02 — approval, apply, verification
`CCR-2026-0002` approved by bernd.worsch (both required approver roles) with
the field-set decision to keep `ISSUE_CORE_API_KEY` and `GITEA_BACKEND_TOKEN`.
- T03 done: policy `workload-kv-read-issue-core-runtime` and kubernetes auth
role applied via the constrained `credential-change-prod-applier` child
token (accessor revoked after use); State Hub apply evidence `4a66c84f`.
- T04 done: KV entry exists at the approved path (metadata `current_version
2`, created 2026-06-25); values were provisioned through operator custody.
- T05 done: positive = ExternalSecret `issue-core/issue-core-runtime`
Ready=True/SecretSynced (refresh 2026-07-02T09:42Z); negative =
default-policy token denied on the KV data path (2026-07-02T10:08Z, probe
accessor revoked); both recorded in the file audit device
`/openbao/audit/openbao-audit.log`.
- T06 progress: front-door handoff sent to ops-warden (State Hub message
`5d47caaa-dd3f-496f-94ba-a488722f8d82`); waiting on catalog confirmation.
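Review bot: the T04 line records the KV metadata as `current_version 2`, created 2026-06-25, which predates the 2026-07-02 approval of `CCR-2026-0002` stated at the top of the same section; the entry should say explicitly that the values were provisioned under operator custody before approval and that the approved path is the pre-existing one (and what produced version 2), otherwise the "approval, apply, verification" chain reads as if the KV apply preceded the approval for this task. The apply evidence is cited as the short id `4a66c84f` while the ops-warden handoff cites the full State Hub UUID `5d47caaa-dd3f-496f-94ba-a488722f8d82`; use the full id for both so the evidence reference is unambiguous.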


@@ -97,7 +97,7 @@ The plan supports these `INTENT.md` principles:
```task
id: RAILIANCE-WP-0010-T01
status: progress
status: done
priority: high
state_hub_task_id: "307b75a6-a3a8-473b-b171-7379d2848698"
```
@@ -170,7 +170,7 @@ CCR is still `proposed`.
```task
id: RAILIANCE-WP-0010-T03
status: wait
status: done
priority: high
state_hub_task_id: "42796ef5-c4a0-45a7-ae41-0ebdeccdb01d"
```
@@ -288,3 +288,19 @@ Acceptance:
- ops-warden can resolve the agreed OpenRouter/llm-connect selector without
storing the value.
- No secret values appear in Git, State Hub, chat, prompts, logs, or workplans.
## Progress 2026-07-02 — approval and metadata apply
`CCR-2026-0003` approved by bernd.worsch (platform-operator +
activity-core-owner); T01 closes on that approval with the
`openrouter-llm-connect` selector already aligned.
- T03 done: policy `workload-kv-read-llm-connect-provider-secrets` and
kubernetes auth role applied via the constrained prod-applier child token;
State Hub apply evidence `04c70285`.
- T04 remains the live gate: the KV entry at
`platform/workloads/activity-core/llm-connect/llm-connect-provider-secrets`
does not exist yet — the operator must enter `OPENROUTER_API_KEY` through
OpenBao custody. The activity-core namespace also has no ExternalSecret
object for this lane yet. ops-warden checkpoint message: `6b058584`.
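Review bot: T03 is marked done with policy `workload-kv-read-llm-connect-provider-secrets` and the kubernetes auth role applied, while T04 states that the KV entry at `platform/workloads/activity-core/llm-connect/llm-connect-provider-secrets` does not exist and that activity-core has no ExternalSecret for this lane; the section should note that the role now grants a read policy on a path that is still empty and name who confirms that exact path before `OPENROUTER_API_KEY` is entered under OpenBao custody, so the custody step and the policy path cannot drift apart. The evidence ids `04c70285` and `6b058584` are short forms, whereas the WP-0009 progress section cites a full State Hub UUID; cite full ids here as well.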