CUST-WP-0051: 2026-07-02 execution pass — deploy prep, operator pickup list

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-02 11:04:07 +02:00
parent 560f676fb6
commit 3377c70c08
2 changed files with 51 additions and 1 deletions

@@ -1,8 +1,40 @@
# Infrastructure Stabilization Pickup Checkpoint
Updated: 2026-06-30
Updated: 2026-07-02
Coordinator workplan: `CUST-WP-0051`
## Operator Pickups Ready Now (2026-07-02)
Every remaining execution lane converged on operator gates in the 2026-07-02
session (agent policy correctly blocks unattended production writes/reads on
railiance01, credential-bootstrap script edits, and OIDC/MFA logins). Each item
below is prepared to one command or one decision:
1. **Daily-triage robustness deploy** (`RAIL-BS-WP-0008`): image
`activity-core:railiance01-prod` is rebuilt locally from activity-core
`7612112` (T02 prompt contract included and gate-checked). Operator: run the
save/scp/import block from `activity-core/k8s/railiance/README.md`, sync the
repo *with `.git`* to `railiance01:~/activity-core` (the copy there has no
git metadata and the revision gate needs it), then
`cd ~/railiance-cluster && make deploy-activity-core-triage-robustness`.
Afterwards `make admin-sync-smoke` closes `RAIL-BS-WP-0009`.
2. **CCR approvals** (`RAILIANCE-WP-0009`/`0010`): `CCR-2026-0002`
(issue-core ingestion) and `CCR-2026-0003` (llm-connect OpenRouter) are
reviewed and binding-confirmed but still `proposed`. Approve, then
`make credential-change-applier-apply` per CCR; the issue-core
ExternalSecret already syncs, so verification is mostly confirm-not-create.
3. **Broker live evidence** (`RAILIANCE-WP-0005-T09`): needs one
KeyCape-OIDC-authenticated session to collect OpenBao audit-log references
and response-wrap unwrap-once evidence.
4. **Non-prod applier proof** (`RAILIANCE-WP-0008-T03`): mint one token from
`auth/token/roles/credential-change-nonprod-applier` and record apply +
denial probes.
5. **OpenBao unseal automation** (`NET-WP-0020-T02`, advanced 2026-07-02):
`make -C ~/net-kingdom openbao-init-unseal` exists with custody-model gate
and non-secret evidence; operator review still needed to wire it as a phase
inside `creds-bootstrap-agent.sh`, and greenfield live proof needs a rebuild
slate.
## Purpose
This checkpoint is the restart surface for the infrastructure stabilization
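Review bot: Item 1 of the new "Operator Pickups Ready Now" list ties the deploy to activity-core `7612112` but ships the image under the mutable tag `activity-core:railiance01-prod`, and the steps give the operator no way to confirm that the image imported on railiance01 is the one that was built and gate-checked locally. Suggest recording the image digest next to the commit id in this item and adding a compare-after-import step before `make deploy-activity-core-triage-robustness`. The same item asks for the repo to be synced *with `.git`* to a production host; it would help to state that the synced copy must not carry remote credentials in its git config, or to note why the revision gate cannot read a pinned revision file instead. In item 4, "mint one token" should say which TTL to use and that the token is revoked once the apply and denial probes are recorded.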