CUST-WP-0051: 2026-07-02 execution pass — deploy prep, operator pickup list
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@@ -1,8 +1,40 @@
|
||||
# Infrastructure Stabilization Pickup Checkpoint
|
||||
|
||||
Updated: 2026-06-30
|
||||
Updated: 2026-07-02
|
||||
Coordinator workplan: `CUST-WP-0051`
|
||||
|
||||
## Operator Pickups Ready Now (2026-07-02)
|
||||
|
||||
Every remaining execution lane converged on operator gates in the 2026-07-02
|
||||
session (agent policy correctly blocks unattended production writes/reads on
|
||||
railiance01, credential-bootstrap script edits, and OIDC/MFA logins). Each item
|
||||
below is prepared to one command or one decision:
|
||||
|
||||
1. **Daily-triage robustness deploy** (`RAIL-BS-WP-0008`): image
|
||||
`activity-core:railiance01-prod` is rebuilt locally from activity-core
|
||||
`7612112` (T02 prompt contract included and gate-checked). Operator: run the
|
||||
save/scp/import block from `activity-core/k8s/railiance/README.md`, sync the
|
||||
repo *with `.git`* to `railiance01:~/activity-core` (the copy there has no
|
||||
git metadata and the revision gate needs it), then
|
||||
`cd ~/railiance-cluster && make deploy-activity-core-triage-robustness`.
|
||||
Afterwards `make admin-sync-smoke` closes `RAIL-BS-WP-0009`.
|
||||
2. **CCR approvals** (`RAILIANCE-WP-0009`/`0010`): `CCR-2026-0002`
|
||||
(issue-core ingestion) and `CCR-2026-0003` (llm-connect OpenRouter) are
|
||||
reviewed and binding-confirmed but still `proposed`. Approve, then
|
||||
`make credential-change-applier-apply` per CCR; the issue-core
|
||||
ExternalSecret already syncs, so verification is mostly confirm-not-create.
|
||||
3. **Broker live evidence** (`RAILIANCE-WP-0005-T09`): needs one
|
||||
KeyCape-OIDC-authenticated session to collect OpenBao audit-log references
|
||||
and response-wrap unwrap-once evidence.
|
||||
4. **Non-prod applier proof** (`RAILIANCE-WP-0008-T03`): mint one token from
|
||||
`auth/token/roles/credential-change-nonprod-applier` and record apply +
|
||||
denial probes.
|
||||
5. **OpenBao unseal automation** (`NET-WP-0020-T02`, advanced 2026-07-02):
|
||||
`make -C ~/net-kingdom openbao-init-unseal` exists with custody-model gate
|
||||
and non-secret evidence; operator review still needed to wire it as a phase
|
||||
inside `creds-bootstrap-agent.sh`, and greenfield live proof needs a rebuild
|
||||
slate.
|
||||
|
||||
## Purpose
|
||||
|
||||
This checkpoint is the restart surface for the infrastructure stabilization
|
||||
|
||||
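Review bot: Item 1 of the pickup list identifies the image only by the mutable tag `activity-core:railiance01-prod` and the source commit `7612112`, so after the save/scp/import step the operator has nothing to compare the imported image against. Record the locally built image ID or digest next to the tag and have the operator confirm it on railiance01 before running `make deploy-activity-core-triage-robustness`. The same item asks for the repo to be synced with `.git` so the revision gate has metadata to read, but it does not say which revision the synced checkout must be at; state that it has to match the commit the image was built from.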
@@ -315,6 +315,24 @@ Progress 2026-06-30 daily-triage recheck:
|
||||
commit/sync or explicitly hand it off, then use the repo-native automation
|
||||
status surface as evidence.
|
||||
|
||||
Progress 2026-07-02 deploy prep:
|
||||
|
||||
- Executed the preparable half of `RAIL-BS-WP-0008`: activity-core runtime
|
||||
Instruction now satisfies the T02 contract in the repo bundle (activity-core
|
||||
commit `7612112`: bounded top-7 phrasing on one line, NDJSON-style per-item
|
||||
framing compatible with the WP-0016 recovery parser, `max_tokens` 1800), and
|
||||
`activity-core:railiance01-prod` was rebuilt locally from that commit.
|
||||
- Live transfer/deploy to railiance01 is blocked by agent permission policy
|
||||
(production remote writes need explicit operator authorization), and
|
||||
per-read production log access is likewise gated, so `RAIL-BS-WP-0008-T03`
|
||||
(raw llm-connect response for the 2026-06-26 run) is also operator-owned.
|
||||
- Found that `railiance01:~/activity-core` has no `.git`; the deploy script's
|
||||
revision gate requires git metadata — noted in the workplan for the operator.
|
||||
- Advanced `NET-WP-0020-T02` (OpenBao SOPS-held init/unseal automation) with a
|
||||
gated helper + Make targets in net-kingdom; see that workplan for detail.
|
||||
- Refreshed `docs/infrastructure-stabilization-pickup-checkpoint.md` with an
|
||||
"Operator Pickups Ready Now" list — five one-command/one-decision items.
|
||||
|
||||
## Task: Finish Near-Term Production Service Lanes
|
||||
|
||||
```task
|
||||
|
||||
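Review bot: The bullet about `railiance01:~/activity-core` having no `.git` ends with "noted in the workplan for the operator" without naming the workplan, while every other bullet in this progress entry cites an ID such as `RAIL-BS-WP-0008` or `NET-WP-0020-T02`. Name the workplan (and task, if there is one) so the operator can find the note from this checkpoint alone. The last bullet also describes the new list as "five one-command/one-decision items", yet item 5 of that list still needs operator review plus a rebuild slate for live proof; either reword the summary or mark item 5 as not yet at the one-command stage.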