CUST-WP-0051: 2026-07-02 execution pass — deploy prep, operator pickup list
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@@ -1,8 +1,40 @@
# Infrastructure Stabilization Pickup Checkpoint
Updated: 2026-06-30
Updated: 2026-07-02
Coordinator workplan: `CUST-WP-0051`
## Operator Pickups Ready Now (2026-07-02)
Every remaining execution lane converged on operator gates in the 2026-07-02
session (agent policy correctly blocks unattended production writes/reads on
railiance01, credential-bootstrap script edits, and OIDC/MFA logins). Each item
below is prepared to one command or one decision:
1. **Daily-triage robustness deploy** (`RAIL-BS-WP-0008`): image
`activity-core:railiance01-prod` is rebuilt locally from activity-core
`7612112` (T02 prompt contract included and gate-checked). Operator: run the
save/scp/import block from `activity-core/k8s/railiance/README.md`, sync the
repo *with `.git`* to `railiance01:~/activity-core` (the copy there has no
git metadata and the revision gate needs it), then
`cd ~/railiance-cluster && make deploy-activity-core-triage-robustness`.
Afterwards `make admin-sync-smoke` closes `RAIL-BS-WP-0009`.
2. **CCR approvals** (`RAILIANCE-WP-0009`/`0010`): `CCR-2026-0002`
(issue-core ingestion) and `CCR-2026-0003` (llm-connect OpenRouter) are
reviewed and binding-confirmed but still `proposed`. Approve, then
`make credential-change-applier-apply` per CCR; the issue-core
ExternalSecret already syncs, so verification is mostly confirm-not-create.
3. **Broker live evidence** (`RAILIANCE-WP-0005-T09`): needs one
KeyCape-OIDC-authenticated session to collect OpenBao audit-log references
and response-wrap unwrap-once evidence.
4. **Non-prod applier proof** (`RAILIANCE-WP-0008-T03`): mint one token from
`auth/token/roles/credential-change-nonprod-applier` and record apply +
denial probes.
5. **OpenBao unseal automation** (`NET-WP-0020-T02`, advanced 2026-07-02):
`make -C ~/net-kingdom openbao-init-unseal` exists with custody-model gate
and non-secret evidence; operator review still needed to wire it as a phase
inside `creds-bootstrap-agent.sh`, and greenfield live proof needs a rebuild
slate.
## Purpose
This checkpoint is the restart surface for the infrastructure stabilization
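Review bot: In pickup 1, the deploy is tied to a mutable tag (`activity-core:railiance01-prod`) and a short commit (`7612112`), but nothing in the step lets the operator confirm that the image imported on railiance01 is the one that was built and gate-checked locally. Suggest recording the image ID or a SHA-256 of the saved tarball in this item and adding a compare step after the import, plus a check that the synced `~/activity-core` HEAD is `7612112` before `make deploy-activity-core-triage-robustness`. Pickup 4 has a similar gap: it says to mint a token from `auth/token/roles/credential-change-nonprod-applier` but not which TTL to request or that the token should be revoked once the apply and denial probes are recorded. The intro sentence "Each item below is prepared to one command or one decision" also does not match pickup 1 (three operator steps) or pickup 5 (operator review plus a rebuild slate); consider rewording it or splitting those items.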