CUST-WP-0051: 2026-07-02 execution pass — deploy prep, operator pickup list

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-02 11:04:07 +02:00
parent 560f676fb6
commit 3377c70c08
2 changed files with 51 additions and 1 deletions

@@ -1,8 +1,40 @@
# Infrastructure Stabilization Pickup Checkpoint
Updated: 2026-06-30
Updated: 2026-07-02
Coordinator workplan: `CUST-WP-0051`
## Operator Pickups Ready Now (2026-07-02)
Every remaining execution lane converged on operator gates in the 2026-07-02
session (agent policy correctly blocks unattended production writes/reads on
railiance01, credential-bootstrap script edits, and OIDC/MFA logins). Each item
below is prepared to one command or one decision:
1. **Daily-triage robustness deploy** (`RAIL-BS-WP-0008`): image
`activity-core:railiance01-prod` is rebuilt locally from activity-core
`7612112` (T02 prompt contract included and gate-checked). Operator: run the
save/scp/import block from `activity-core/k8s/railiance/README.md`, sync the
repo *with `.git`* to `railiance01:~/activity-core` (the copy there has no
git metadata and the revision gate needs it), then
`cd ~/railiance-cluster && make deploy-activity-core-triage-robustness`.
Afterwards `make admin-sync-smoke` closes `RAIL-BS-WP-0009`.
2. **CCR approvals** (`RAILIANCE-WP-0009`/`0010`): `CCR-2026-0002`
(issue-core ingestion) and `CCR-2026-0003` (llm-connect OpenRouter) are
reviewed and binding-confirmed but still `proposed`. Approve, then
`make credential-change-applier-apply` per CCR; the issue-core
ExternalSecret already syncs, so verification is mostly confirm-not-create.
3. **Broker live evidence** (`RAILIANCE-WP-0005-T09`): needs one
KeyCape-OIDC-authenticated session to collect OpenBao audit-log references
and response-wrap unwrap-once evidence.
4. **Non-prod applier proof** (`RAILIANCE-WP-0008-T03`): mint one token from
`auth/token/roles/credential-change-nonprod-applier` and record apply +
denial probes.
5. **OpenBao unseal automation** (`NET-WP-0020-T02`, advanced 2026-07-02):
`make -C ~/net-kingdom openbao-init-unseal` exists with custody-model gate
and non-secret evidence; operator review still needed to wire it as a phase
inside `creds-bootstrap-agent.sh`, and greenfield live proof needs a rebuild
slate.
## Purpose
This checkpoint is the restart surface for the infrastructure stabilization
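Review bot: Item 1 gives the operator no way to confirm that what lands on railiance01 is actually activity-core `7612112`: the tag `activity-core:railiance01-prod` is mutable, and the list records neither an image ID or digest for the local rebuild nor the HEAD the synced `~/activity-core` is expected to show. Suggest recording the image ID next to the commit and adding a step to confirm the synced copy is at `7612112` before `make deploy-activity-core-triage-robustness`, so the revision gate is checking the intended revision and not just the presence of git metadata. In item 4, the token minted from `auth/token/roles/credential-change-nonprod-applier` has no stated lifetime or cleanup; say whether it is revoked once the apply and denial probes are recorded.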

@@ -315,6 +315,24 @@ Progress 2026-06-30 daily-triage recheck:
commit/sync or explicitly hand it off, then use the repo-native automation
status surface as evidence.
Progress 2026-07-02 deploy prep:
- Executed the preparable half of `RAIL-BS-WP-0008`: activity-core runtime
Instruction now satisfies the T02 contract in the repo bundle (activity-core
commit `7612112`: bounded top-7 phrasing on one line, NDJSON-style per-item
framing compatible with the WP-0016 recovery parser, `max_tokens` 1800), and
`activity-core:railiance01-prod` was rebuilt locally from that commit.
- Live transfer/deploy to railiance01 is blocked by agent permission policy
(production remote writes need explicit operator authorization), and
per-read production log access is likewise gated, so `RAIL-BS-WP-0008-T03`
(raw llm-connect response for the 2026-06-26 run) is also operator-owned.
- Found that `railiance01:~/activity-core` has no `.git`; the deploy script's
revision gate requires git metadata — noted in the workplan for the operator.
- Advanced `NET-WP-0020-T02` (OpenBao SOPS-held init/unseal automation) with a
gated helper + Make targets in net-kingdom; see that workplan for detail.
- Refreshed `docs/infrastructure-stabilization-pickup-checkpoint.md` with an
"Operator Pickups Ready Now" list — five one-command/one-decision items.
## Task: Finish Near-Term Production Service Lanes
```task
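Review bot: The second bullet makes `RAIL-BS-WP-0008-T03` (raw llm-connect response for the 2026-06-26 run) operator-owned, but the "Operator Pickups Ready Now" list this entry points to has five items and none of them is T03, so the handoff can be lost. Suggest adding it as its own pickup item or folding it into the daily-triage deploy item, with the specific log read the operator is expected to authorize. The `.git` bullet says the gap is "noted in the workplan for the operator" and the `NET-WP-0020-T02` bullet says "see that workplan for detail"; a file path or section reference for each would make the entry usable as evidence on its own.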