From 3377c70c08a5d4327dea15eab26da5d2bfef5f43 Mon Sep 17 00:00:00 2001 From: tegwick Date: Thu, 2 Jul 2026 11:04:07 +0200 Subject: [PATCH] =?UTF-8?q?CUST-WP-0051:=202026-07-02=20execution=20pass?= =?UTF-8?q?=20=E2=80=94=20deploy=20prep,=20operator=20pickup=20list?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Fable 5 --- ...ructure-stabilization-pickup-checkpoint.md | 34 ++++++++++++++++++- ...1-infrastructure-stabilization-metaplan.md | 18 ++++++++++ 2 files changed, 51 insertions(+), 1 deletion(-) diff --git a/docs/infrastructure-stabilization-pickup-checkpoint.md b/docs/infrastructure-stabilization-pickup-checkpoint.md index 95c2153..5266ac3 100644 --- a/docs/infrastructure-stabilization-pickup-checkpoint.md +++ b/docs/infrastructure-stabilization-pickup-checkpoint.md 
@@ -1,8 +1,40 @@ # Infrastructure Stabilization Pickup Checkpoint -Updated: 2026-06-30 +Updated: 2026-07-02 Coordinator workplan: `CUST-WP-0051` +## Operator Pickups Ready Now (2026-07-02) + +Every remaining execution lane converged on operator gates in the 2026-07-02 +session (agent policy correctly blocks unattended production writes/reads on +railiance01, credential-bootstrap script edits, and OIDC/MFA logins). Each item +below is prepared to one command or one decision: + +1. **Daily-triage robustness deploy** (`RAIL-BS-WP-0008`): image + `activity-core:railiance01-prod` is rebuilt locally from activity-core + `7612112` (T02 prompt contract included and gate-checked). Operator: run the + save/scp/import block from `activity-core/k8s/railiance/README.md`, sync the + repo *with `.git`* to `railiance01:~/activity-core` (the copy there has no + git metadata and the revision gate needs it), then + `cd ~/railiance-cluster && make deploy-activity-core-triage-robustness`. + Afterwards `make admin-sync-smoke` closes `RAIL-BS-WP-0009`. +2. **CCR approvals** (`RAILIANCE-WP-0009`/`0010`): `CCR-2026-0002` + (issue-core ingestion) and `CCR-2026-0003` (llm-connect OpenRouter) are + reviewed and binding-confirmed but still `proposed`. Approve, then + `make credential-change-applier-apply` per CCR; the issue-core + ExternalSecret already syncs, so verification is mostly confirm-not-create. +3. **Broker live evidence** (`RAILIANCE-WP-0005-T09`): needs one + KeyCape-OIDC-authenticated session to collect OpenBao audit-log references + and response-wrap unwrap-once evidence. +4. **Non-prod applier proof** (`RAILIANCE-WP-0008-T03`): mint one token from + `auth/token/roles/credential-change-nonprod-applier` and record apply + + denial probes. +5. 
**OpenBao unseal automation** (`NET-WP-0020-T02`, advanced 2026-07-02): + `make -C ~/net-kingdom openbao-init-unseal` exists with custody-model gate + and non-secret evidence; operator review still needed to wire it as a phase + inside `creds-bootstrap-agent.sh`, and greenfield live proof needs a rebuild + slate. + ## Purpose This checkpoint is the restart surface for the infrastructure stabilization diff --git a/workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md b/workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md index 5c689d2..55f14e0 100644 --- a/workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md +++ b/workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md 
@@ -315,6 +315,24 @@ Progress 2026-06-30 daily-triage recheck: commit/sync or explicitly hand it off, then use the repo-native automation status surface as evidence. +Progress 2026-07-02 deploy prep: + +- Executed the preparable half of `RAIL-BS-WP-0008`: activity-core runtime + Instruction now satisfies the T02 contract in the repo bundle (activity-core + commit `7612112`: bounded top-7 phrasing on one line, NDJSON-style per-item + framing compatible with the WP-0016 recovery parser, `max_tokens` 1800), and + `activity-core:railiance01-prod` was rebuilt locally from that commit. +- Live transfer/deploy to railiance01 is blocked by agent permission policy + (production remote writes need explicit operator authorization), and + per-read production log access is likewise gated, so `RAIL-BS-WP-0008-T03` + (raw llm-connect response for the 2026-06-26 run) is also operator-owned. +- Found that `railiance01:~/activity-core` has no `.git`; the deploy script's + revision gate requires git metadata — noted in the workplan for the operator. +- Advanced `NET-WP-0020-T02` (OpenBao SOPS-held init/unseal automation) with a + gated helper + Make targets in net-kingdom; see that workplan for detail. +- Refreshed `docs/infrastructure-stabilization-pickup-checkpoint.md` with an + "Operator Pickups Ready Now" list — five one-command/one-decision items. + ## Task: Finish Near-Term Production Service Lanes ```task
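Review bot: In `docs/infrastructure-stabilization-pickup-checkpoint.md`, item 1 of the new "Operator Pickups Ready Now" list identifies the deploy artifact only by the tag `activity-core:railiance01-prod` and the short commit `7612112`, so after the save/scp/import step the operator has nothing in this document to confirm that the image imported on railiance01 is the gate-checked build. Record the image digest next to the tag and add a compare-after-import step before `make deploy-activity-core-triage-robustness`. The same item asks for the repo to be synced with `.git` to a production host; state whether the revision gate expects that tree to be at `7612112`, so the operator knows what "passes" means. In item 4, the token minted from `auth/token/roles/credential-change-nonprod-applier` has no stated lifetime or revocation step; add one, and say that the recorded apply and denial probes must not contain the token itself.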
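Review bot: In `workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md`, the last added bullet calls the checkpoint list "five one-command/one-decision items", which does not match the list this patch adds: item 1 chains a save/scp/import block, a repo sync with `.git` and a make target, and item 5 still needs operator review plus a rebuild slate. Reword it to something like "five operator-gated items" so the metaplan does not understate the remaining work. In the `.git` bullet, "noted in the workplan for the operator" does not say which workplan; give its ID so the finding can be traced. The first bullet states that the runtime Instruction "now satisfies the T02 contract" and lists three properties in one parenthesis; a pointer to where the T02 contract is defined would let a reader check that claim.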