Record policy gate support closeouts
@@ -57,7 +57,8 @@ Current read:
| --- | --- |
| Inter-Hub / ops-hub runtime keys | Production real-value gate; implementation can proceed with route evidence, but live smoke waits on OpenBao/operator custody. |
| activity-core to issue-core | Production service credential gate; the blocker is `ISSUE_CORE_API_KEY` injection/evidence, not repo-side contract work. |
| OpenBao unseal / issuer profile | M3-style operator ceremony; remains a hard operator-design gate. |
| OpenBao unseal / issuer profile | M3-style operator ceremony. The narrow `warden-sign` lane is verified/banked; broader issuer/profile work remains separate. |
| ops-warden policy gate / warden-sign | Verified and banked: `SECRETS-WP-0004` and `FLEX-WP-0007` are finished, with `decision:032b096c433ad80c`, `ttl_out_of_bounds`, backend `vault`, and no secret material recorded. |
| Forgejo SMTP/package/runner migration | Production credential and recovery-readiness gate; use OpenBao/key-cape/ops-bridge routes, then record non-secret drill evidence. |
## Live Gates
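Review bot: the replacement row `| OpenBao unseal / issuer profile | M3-style operator ceremony. The narrow \`warden-sign\` lane is verified/banked; broader issuer/profile work remains separate. |` drops the old row's "remains a hard operator-design gate" wording, so a reader of this table alone can no longer tell that the broader issuer/profile work is still blocked, while the Live Gates table below keeps that lane at "Needs operator design/approval". Suggest keeping the gate wording, e.g. "...broader issuer/profile work remains a separate operator-design gate." The added `ops-warden policy gate / warden-sign` row correctly limits itself to the decision id, the deny reason and the backend name; that is the right level of evidence for a table that lives in Git.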
@@ -66,7 +67,8 @@ Current read:
| --- | --- | --- | --- | --- | --- | --- | --- |
| Inter-Hub ops-hub bootstrap | `CUST-WP-0049-T06`, unblocks `CUST-WP-0047-T05` | `inter-hub-bootstrap-ssh` for the envelope; `openbao-api-key` for operator/runtime key custody; `ssh-cert-host-access` only for cert signing if remote execution is used | Local workstation with `IHUB_OPERATOR_KEY_FILE`, or trusted host with railiance-infra force-command wrapper | Hub id, manifest id, widget count, runtime key prefix only, bootstrap smoke result, State Hub progress id | Prefer API helper. Use deployment-side migration/bootstrap only by explicit operator approval. Manual SQL remains last-resort and must be recorded as an exception. | Operator materializes Inter-Hub operator key through approved custody, runs the ops-hub helper, stores generated runtime key outside Git, removes temp files. | Ready for operator handoff |
| Ops-hub runtime evidence key | `IHUB-WP-0022-T04`, then `IHUB-WP-0022-T07` | `openbao-api-key` owned by `railiance-platform` / OpenBao | Operator workstation, OpenBao UI/CLI session, or trusted cluster job; not a Codex-visible shell with printed values | OpenBao path/version or populated key count only, token exchange HTTP status, evidence submission smoke id | Attended one-time key file is acceptable only long enough to store in OpenBao and remove; no chat or State Hub transfer. | Store/provide `OPS_HUB_KEY` via OpenBao path, then run Inter-Hub submission smoke. | Waiting on operator custody |
| OpenBao unseal and token automation | `NET-WP-0020`, related OpenBao token-grant and policy-gate blockers | `openbao-api-key` for OpenBao issuer/token paths; `railiance-infra-principals` for host policy; `ssh-cert-host-access` for cert signing; `key-cape-oidc-login` for login/MFA | OpenBao operator terminal, cluster-admin context, or trusted railiance-infra deployment path | Policy names, role names, token accessor only, decision ids, allow/deny smoke result | Keep attended ceremony path until auto-unseal/profile is explicitly approved. Do not invent `warden secret` or paste `VAULT_TOKEN`. | Decide custody profile, apply narrow policy/role through approved issuer path, rerun smoke with non-secret evidence. | Needs operator design/approval |
| OpenBao unseal and token automation | `NET-WP-0020`, related OpenBao token-grant and policy-gate blockers | `openbao-api-key` for OpenBao issuer/token paths; `railiance-infra-principals` for host policy; `ssh-cert-host-access` for cert signing; `key-cape-oidc-login` for login/MFA | OpenBao operator terminal, cluster-admin context, or trusted railiance-infra deployment path | Policy names, role names, token accessor only, decision ids, allow/deny smoke result | Keep attended ceremony path until auto-unseal/profile is explicitly approved. Do not invent `warden secret` or paste `VAULT_TOKEN`. | Broader custody profile remains open; do not treat the completed `warden-sign` lane as a general OpenBao credential helper. | Needs operator design/approval |
| ops-warden policy gate / warden-sign lane | `SECRETS-WP-0004`, `FLEX-WP-0007` | secrets-engine owned the OpenBao lane; flex-auth owned the policy decision runtime; ops-warden ran the smoke | CoulombCore via deployed flex-auth runtime `127.0.0.1:18090` and production OpenBao | `decision:032b096c433ad80c`, `ttl_out_of_bounds`, backend `vault`, no token/role/secret/accessor values | Keep `policy.enabled` off until testing/production maturity; live enforcement is an ops-warden operator posture decision. | No CUST action. Bank the verified gate and avoid reopening it as a generic credential blocker. | Verified/banked |
| Forgejo production migration | `RAIL-HO-WP-0005` T02/T06/T11/T12 | `openbao-api-key` for SMTP/package/provider credentials; `key-cape-oidc-login` for login/MFA; `ops-bridge-tunnel` or `ssh-cert-host-access` only for host reachability | Forgejo admin/browser session, railiance01 trusted host, or approved GitOps/deployment path | Decision record id, hostname/exposure choice, SMTP sender/domain alignment, password-reset smoke, backup/restore drill id, package pull smoke, cutover approval id | Keep Gitea as read-only rollback until stabilization passes; do not retire legacy Gitea without explicit approval. | Resolve production choices, store SMTP credentials through OpenBao, run recovery and migration drills, then request cutover approval. | Needs human production decisions |
## Route Lookup Commands
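Review bot: the new `ops-warden policy gate / warden-sign lane` row carries the status `Verified/banked` while its posture column says to keep `policy.enabled` off; since this same commit later describes the gate as "verified and banked rather than live-enforced", the status cell should say so too (e.g. `Verified/banked, not live-enforced`) so the Live Gates table is not read as meaning allow/deny is enforced in production. The revised `OpenBao unseal and token automation` row now states that the completed `warden-sign` lane is not a general OpenBao credential helper, which is the right caveat and is consistent with the `Needs operator design/approval` status it keeps.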
@@ -71,7 +71,8 @@ separate ops-warden worker.
| Daily-triage live proof | activity-core deploy/runtime operator | State Hub `daily_triage` id, output-valid or partial/quarantine status, working-memory path | Deploy WP-0016 code/schema and bounded runtime prompt bundle, then run railiance01 smoke. |
| activity-core to issue-core | route `activity-core-issue-sink` | `actcore-runtime-secret` has key, activity-core points to issue-core port `8765`, HTTP 201, Gitea issue id | Inject `ISSUE_CORE_API_KEY` through approved custody, set REST sink env, restart/sync, run safe emission. |
| Forgejo production design | Forgejo/operator decisions plus OpenBao/KeyCape/ops-bridge routes as needed | Decision id, SMTP smoke, backup/restore drill, package/action smoke, cutover approval id | Resolve T02 production choices before any production cutover work. |
| OpenBao unseal and credential helper | `openbao-api-key`, `railiance-infra-principals`, `ssh-cert-host-access`, `key-cape-oidc-login` | Policy names, role names, token accessor only, allow/deny smoke | Approve custody profile and apply narrow issuer policies before live helper smokes. |
| OpenBao unseal and credential helper | `openbao-api-key`, `railiance-infra-principals`, `ssh-cert-host-access`, `key-cape-oidc-login` | Policy names, role names, token accessor only, allow/deny smoke | `warden-sign` lane is verified/banked; broader custody profile and issuer automation remain separate operator-design gates. |
| ops-warden policy gate / warden-sign lane | `SECRETS-WP-0004` + `FLEX-WP-0007` finished; ops-warden operator posture | `decision:032b096c433ad80c`, `ttl_out_of_bounds`, backend `vault`; no token/role/secret/accessor values | No Custodian action. Keep `policy.enabled` off until testing/production maturity. |
## Daily Automation Evidence
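Review bot: the row title `OpenBao unseal and credential helper` is kept while its new text says the `warden-sign` lane is banked and the broader custody/issuer work is a separate gate; together with the Live Gates instruction not to treat `warden-sign` as a general credential helper, the title now points at the wrong thing. Rename the row (e.g. `OpenBao unseal / custody profile`) since the banked lane is already split out in the following `ops-warden policy gate / warden-sign lane` row. Minor: that new row says `No Custodian action` where the Live Gates table says `No CUST action`; use one term.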
@@ -104,6 +105,7 @@ Resume from `docs/daily-triage-stabilization-status.md` and
| issue-core | ArgoCD service is healthy on port `8765`; image `0.2.1`; ExternalSecret Ready; authenticated smoke created Gitea issue `175`. | activity-core still needs `ISSUE_CORE_API_KEY`, URL port `8765`, `ISSUE_SINK_TYPE=rest`, and a safe emission smoke. |
| Forgejo | Migration inventory/design lane is active but pre-cutover. | Production design decisions, SMTP/email recovery, package registry, Actions, backup/restore, migration drill, cutover approval. |
| artifact-store | D7.1 is done; D7.2 has an opt-in live MinIO compatibility harness and manual smoke docs. No live secret handoff is recorded. | Run D7.2 against an approved MinIO-compatible endpoint, then route D7.3 STS vending through identity/platform custody before changing credential behavior. |
| secrets-engine | `SECRETS-WP-0004` is finished: the scoped `warden-sign` lane supported the vault-backed policy-gate smoke without exposing token material. `SECRETS-WP-0003` remains active for the real whynot-design npm publish pilot. | Finish or park `SECRETS-WP-0003` behind Gitea bot/package-token provisioning, OpenBao custody, ops-warden route confirmation, and real package publish evidence. |
| FOS hub | Old NK-WP-0001 Keycloak prerequisite is cancelled; NK-WP-0002 local identity, IAM Profile v0.2, the Core Hub FastAPI IAM Profile integration test, and Core Hub operator UI first screens are done; hub-core extraction/dev-hub work is done; CUST-WP-0025 Phase 3 has been rewritten for Core Hub. | Execute the remaining Core Hub deployed evidence and cutover gates: `CUST-WP-0025-T16` and `T17`. |
## Next-Pick List
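Review bot: the updated `secrets-engine` row states that `SECRETS-WP-0004` is finished but gives no pointer to the closeout; the commit ids (`e0ab1b8`, and `339c35e` for `FLEX-WP-0007`) appear only in the dated progress note further down this commit. Add the commit or a reference to that progress note in the row so the evidence table can be used on its own to locate the closeout, and keep the "without exposing token material" qualifier, since that is what makes the row safe to carry in Git.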
@@ -123,7 +125,10 @@ Resume from `docs/daily-triage-stabilization-status.md` and
record that WSL2 remains primary for the next operating period.
6. Run artifact-store D7.2 live MinIO-compatible evidence; Forgejo and storage
work can now inherit the finished staged-promotion gates.
7. Keep Forgejo cutover and State Hub HA work parked until their human decision
7. Keep `SECRETS-WP-0003` parked until Gitea bot/package-token provisioning,
OpenBao custody, route confirmation, and a coordinated whynot-design version
bump are available.
8. Keep Forgejo cutover and State Hub HA work parked until their human decision
and drill gates are satisfied.
## Resume Commands
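Review bot: new item 7 says to keep `SECRETS-WP-0003` parked until the Gitea bot/package-token, OpenBao custody, route-confirmation and version-bump gates are available, while the evidence table's `secrets-engine` row in this same commit says "Finish or park" it; as a next-pick item the two readings differ (is there work to do now, or only waiting?). The lanes status file says the next safe non-secret action is route-confirmation evidence from ops-warden; naming that as the actionable part of item 7 would resolve the ambiguity. The renumbering of the Forgejo cutover / State Hub HA item from 7 to 8 is correct.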
@@ -1,6 +1,6 @@
# Near-Term Production Service Lanes Status
Updated: 2026-06-27
Updated: 2026-06-30
## Purpose
@@ -14,6 +14,7 @@ before starting larger migrations.
| `issue-wp-0003` | issue-core is live through ArgoCD; image `0.2.1`, Service port `8765`, ExternalSecret Ready, authenticated smoke created Gitea issue `175`. | Do not flip activity-core blindly. First inject `ISSUE_CORE_API_KEY` into `actcore-runtime-secret` through route `activity-core-issue-sink`; then set activity-core `ISSUE_CORE_URL` to port `8765`, set `ISSUE_SINK_TYPE=rest`, restart/sync, and run one safe emission smoke. |
| `rail-ho-wp-0005` | Forgejo migration remains pre-implementation. Inventory is in progress; production decisions, SMTP/email recovery, cutover, and legacy retirement are human-gated. | Resolve T02 production decisions first, then build the disposable Forgejo probe. Do not start production cutover before promotion lifecycle, email recovery, package registry, Actions, backup/restore, and migration drill pass. |
| `artifact-store-wp-0007` | D7.1 is done. The dated MinIO/fork/object-store landscape assessment chose a compatibility-profile lane rather than a direct MaxIO fork. D7.2 is in progress with an opt-in live MinIO pytest harness and manual smoke docs; no secret value was read or recorded. | Run the D7.2 harness against an approved MinIO-compatible endpoint and capture health/round-trip/multipart evidence. Route D7.3 STS credential vending through identity/platform custody before changing artifact-store credential behavior. |
| `secrets-wp-0003` | Active. The whynot-design real npm publish pilot has a canonical decision and source-side runbook, but real publication still waits on Gitea bot/package-token provisioning, OpenBao custody, ops-warden route confirmation, and a coordinated whynot-design version bump. | Keep parked until the operator/Gitea/OpenBao gates are ready; do not request or record token values. The next safe non-secret action is route-confirmation evidence from ops-warden. |
| `staged-promotion-lifecycle` | Finished. Lifecycle spec, app contract, overlay scaffold, Stage 1 runner, canary template, deploy/observe tooling, promote/rollback tooling, and onboarding guide are done. | Use the finished promotion gates as prerequisites for Forgejo/source-forge and storage production work. |
## Credential And Operator Routing
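Review bot: in the `artifact-store-wp-0007` row, "rather than a direct MaxIO fork" reads like a typo for MinIO, since the rest of the row and the page speak only of MinIO and a "MinIO/fork/object-store landscape assessment"; if MaxIO is a distinct project name, spell that out. The `issue-wp-0003` next step correctly sequences injecting `ISSUE_CORE_API_KEY` into `actcore-runtime-secret` before setting `ISSUE_SINK_TYPE=rest`; stating the back-out (revert the sink type and re-sync) in the same cell would make the "one safe emission smoke" safe to run by someone other than its author.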
@@ -45,5 +46,7 @@ No secret value was read or written. The required non-secret evidence is:
3. Run artifact-store D7.2 live evidence against an approved MinIO-compatible
endpoint, with D7.3 routed to identity/platform custody if STS vending is
not artifact-store-owned.
4. Keep Forgejo production cutover parked behind explicit T02 decisions and the
4. Keep `secrets-wp-0003` parked behind Gitea bot/token, OpenBao custody,
ops-warden route confirmation, and coordinated whynot-design version bump.
5. Keep Forgejo production cutover parked behind explicit T02 decisions and the
staged-promotion/backup/email/package/action gates.
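Review bot: the list this hunk extends is introduced by "The required non-secret evidence is:", but the new items 4 and 5 ("Keep `secrets-wp-0003` parked behind...", "Keep Forgejo production cutover parked behind...") are holding actions, not evidence items; either reword the lead-in (e.g. "The required non-secret evidence and current holds are:") or move the park items into the priority list, where the `secrets-wp-0003` entry already lives. Also `Gitea bot/token` here versus `Gitea bot/package-token provisioning` in the lanes table above: use the fuller term so it is clear which token is meant.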
@@ -161,6 +161,15 @@ boundary plus WARDEN-WP-0015 environment-posture/workload-maturity triage. This
turns vague IT-security blockers into dev/test doubles, owner-routed production
custody gates, or real maturity/posture violations.
Refined 2026-06-30: closed the adjacent ops-warden policy-gate support lanes
without changing ops-warden itself. `/home/worsch/flex-auth` `FLEX-WP-0007`
finished at commit `339c35e`, and `/home/worsch/secrets-engine`
`SECRETS-WP-0004` finished at commit `e0ab1b8`. Non-secret evidence records the
deployed flex-auth runtime, `decision:032b096c433ad80c`,
`ttl_out_of_bounds`, backend `vault`, and the scoped `warden-sign` OpenBao lane.
`policy.enabled` remains intentionally off until testing/production maturity, so
this gate is verified and banked rather than live-enforced.
## Task: Close The Ops-Hub Inter-Hub Evidence Lane
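Review bot: the "Refined 2026-06-30" paragraph cites the closeouts as `/home/worsch/flex-auth` at `339c35e` and `/home/worsch/secrets-engine` at `e0ab1b8`; absolute home-directory paths identify one workstation checkout rather than the repository, so refer to the repos by name and give the remote or branch the short hashes resolve against, otherwise nobody else can verify the commits. The sentence that `policy.enabled` remains off and the gate is "verified and banked rather than live-enforced" is the key caveat of this closeout and should be mirrored wherever the gate's status is summarised in the tables above.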
```task
@@ -279,6 +288,9 @@ Priority order:
cutover approval gates.
- `artifact-store-wp-0007`: complete MinIO compatibility and STS credential
vending assessment if it is required by backup, registry, or app lanes.
- `secrets-wp-0003`: finish or explicitly park the whynot-design real npm
publish pilot behind Gitea bot, OpenBao provisioning, route confirmation, and
real package publish evidence.
- `staged-promotion-lifecycle`: make production promotion gates explicit before
further cluster/source-forge cutovers.
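Review bot: the `artifact-store-wp-0007` priority entry ("complete MinIO compatibility and STS credential vending assessment if it is required by backup, registry, or app lanes") is stale relative to the lanes table in this same commit, which says the landscape assessment is done, D7.2 live MinIO evidence is in progress, and D7.3 STS vending should be routed through identity/platform custody before credential behaviour changes; update the entry to that D7.2/D7.3 wording so the priority list and the table do not disagree about what is left.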
@@ -401,6 +413,21 @@ Progress 2026-06-27 staged promotion T07 and finish:
REPO=railiance-cluster` synced the finished workstream with only pre-existing
C-12 orphan-row warnings.
Progress 2026-06-30 policy-gate support closeout:
- Closed `/home/worsch/flex-auth` `FLEX-WP-0007` from ops-warden's non-secret
production smoke handoff. The deployed runtime at `127.0.0.1:18090` was used
from CoulombCore, allow produced `decision:032b096c433ad80c`, and excessive
TTL was denied with `ttl_out_of_bounds`.
- Closed `/home/worsch/secrets-engine` `SECRETS-WP-0004` from the same evidence:
the scoped `warden-sign` OpenBao policy/AppRole lane was applied and used for
the vault-backed smoke. No token, role id, secret id, accessor, or raw smoke
log was recorded in Git or State Hub.
- This removes the `warden-sign` / `FLEX-WP-0007` blocker from CUST-WP-0051.
The remaining production credential lanes are different gates:
`SECRETS-WP-0003` real npm publish, activity-core -> issue-core,
artifact-store live MinIO/STS evidence, and Forgejo migration credentials.
## Task: Decide State Hub Migration Strategy
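Review bot: the closeout bullets say no token, role id, secret id, accessor or raw smoke log was recorded in Git or State Hub, but they never say where the non-secret evidence itself (the `decision:032b096c433ad80c` allow, the `ttl_out_of_bounds` deny, backend `vault`) was banked; add the evidence record's location, otherwise the `Verified/banked` status in the tables cannot be audited later. Recording the loopback runtime `127.0.0.1:18090` and the scoped `warden-sign` policy/AppRole lane by name is fine as non-secret detail, and explicitly listing what was not recorded is good practice worth keeping.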
```task