From 3ef57f63c1e114f7e8a88ce9194f56786d1e70c0 Mon Sep 17 00:00:00 2001 From: tegwick Date: Tue, 30 Jun 2026 09:49:04 +0200 Subject: [PATCH] Record policy gate support closeouts --- docs/credential-custody-unblock-board.md | 6 +++-- ...ructure-stabilization-pickup-checkpoint.md | 9 +++++-- ...ar-term-production-service-lanes-status.md | 7 +++-- ...1-infrastructure-stabilization-metaplan.md | 27 +++++++++++++++++++ 4 files changed, 43 insertions(+), 6 deletions(-) diff --git a/docs/credential-custody-unblock-board.md b/docs/credential-custody-unblock-board.md index 9cec769..15fb94c 100644 --- a/docs/credential-custody-unblock-board.md +++ b/docs/credential-custody-unblock-board.md @@ -57,7 +57,8 @@ Current read: | --- | --- | | Inter-Hub / ops-hub runtime keys | Production real-value gate; implementation can proceed with route evidence, but live smoke waits on OpenBao/operator custody. | | activity-core to issue-core | Production service credential gate; the blocker is `ISSUE_CORE_API_KEY` injection/evidence, not repo-side contract work. | -| OpenBao unseal / issuer profile | M3-style operator ceremony; remains a hard operator-design gate. | +| OpenBao unseal / issuer profile | M3-style operator ceremony. The narrow `warden-sign` lane is verified/banked; broader issuer/profile work remains separate. | +| ops-warden policy gate / warden-sign | Verified and banked: `SECRETS-WP-0004` and `FLEX-WP-0007` are finished, with `decision:032b096c433ad80c`, `ttl_out_of_bounds`, backend `vault`, and no secret material recorded. | | Forgejo SMTP/package/runner migration | Production credential and recovery-readiness gate; use OpenBao/key-cape/ops-bridge routes, then record non-secret drill evidence. | ## Live Gates 
@@ -66,7 +67,8 @@ Current read: | --- | --- | --- | --- | --- | --- | --- | --- | | Inter-Hub ops-hub bootstrap | `CUST-WP-0049-T06`, unblocks `CUST-WP-0047-T05` | `inter-hub-bootstrap-ssh` for the envelope; `openbao-api-key` for operator/runtime key custody; `ssh-cert-host-access` only for cert signing if remote execution is used | Local workstation with `IHUB_OPERATOR_KEY_FILE`, or trusted host with railiance-infra force-command wrapper | Hub id, manifest id, widget count, runtime key prefix only, bootstrap smoke result, State Hub progress id | Prefer API helper. Use deployment-side migration/bootstrap only by explicit operator approval. Manual SQL remains last-resort and must be recorded as an exception. | Operator materializes Inter-Hub operator key through approved custody, runs the ops-hub helper, stores generated runtime key outside Git, removes temp files. | Ready for operator handoff | | Ops-hub runtime evidence key | `IHUB-WP-0022-T04`, then `IHUB-WP-0022-T07` | `openbao-api-key` owned by `railiance-platform` / OpenBao | Operator workstation, OpenBao UI/CLI session, or trusted cluster job; not a Codex-visible shell with printed values | OpenBao path/version or populated key count only, token exchange HTTP status, evidence submission smoke id | Attended one-time key file is acceptable only long enough to store in OpenBao and remove; no chat or State Hub transfer. | Store/provide `OPS_HUB_KEY` via OpenBao path, then run Inter-Hub submission smoke. 
| Waiting on operator custody | -| OpenBao unseal and token automation | `NET-WP-0020`, related OpenBao token-grant and policy-gate blockers | `openbao-api-key` for OpenBao issuer/token paths; `railiance-infra-principals` for host policy; `ssh-cert-host-access` for cert signing; `key-cape-oidc-login` for login/MFA | OpenBao operator terminal, cluster-admin context, or trusted railiance-infra deployment path | Policy names, role names, token accessor only, decision ids, allow/deny smoke result | Keep attended ceremony path until auto-unseal/profile is explicitly approved. Do not invent `warden secret` or paste `VAULT_TOKEN`. | Decide custody profile, apply narrow policy/role through approved issuer path, rerun smoke with non-secret evidence. | Needs operator design/approval | +| OpenBao unseal and token automation | `NET-WP-0020`, related OpenBao token-grant and policy-gate blockers | `openbao-api-key` for OpenBao issuer/token paths; `railiance-infra-principals` for host policy; `ssh-cert-host-access` for cert signing; `key-cape-oidc-login` for login/MFA | OpenBao operator terminal, cluster-admin context, or trusted railiance-infra deployment path | Policy names, role names, token accessor only, decision ids, allow/deny smoke result | Keep attended ceremony path until auto-unseal/profile is explicitly approved. Do not invent `warden secret` or paste `VAULT_TOKEN`. | Broader custody profile remains open; do not treat the completed `warden-sign` lane as a general OpenBao credential helper. 
| Needs operator design/approval | +| ops-warden policy gate / warden-sign lane | `SECRETS-WP-0004`, `FLEX-WP-0007` | secrets-engine owned the OpenBao lane; flex-auth owned the policy decision runtime; ops-warden ran the smoke | CoulombCore via deployed flex-auth runtime `127.0.0.1:18090` and production OpenBao | `decision:032b096c433ad80c`, `ttl_out_of_bounds`, backend `vault`, no token/role/secret/accessor values | Keep `policy.enabled` off until testing/production maturity; live enforcement is an ops-warden operator posture decision. | No CUST action. Bank the verified gate and avoid reopening it as a generic credential blocker. | Verified/banked | | Forgejo production migration | `RAIL-HO-WP-0005` T02/T06/T11/T12 | `openbao-api-key` for SMTP/package/provider credentials; `key-cape-oidc-login` for login/MFA; `ops-bridge-tunnel` or `ssh-cert-host-access` only for host reachability | Forgejo admin/browser session, railiance01 trusted host, or approved GitOps/deployment path | Decision record id, hostname/exposure choice, SMTP sender/domain alignment, password-reset smoke, backup/restore drill id, package pull smoke, cutover approval id | Keep Gitea as read-only rollback until stabilization passes; do not retire legacy Gitea without explicit approval. | Resolve production choices, store SMTP credentials through OpenBao, run recovery and migration drills, then request cutover approval. | Needs human production decisions | ## Route Lookup Commands diff --git a/docs/infrastructure-stabilization-pickup-checkpoint.md b/docs/infrastructure-stabilization-pickup-checkpoint.md index 0373d58..3336570 100644 --- a/docs/infrastructure-stabilization-pickup-checkpoint.md +++ b/docs/infrastructure-stabilization-pickup-checkpoint.md 
@@ -71,7 +71,8 @@ separate ops-warden worker. | Daily-triage live proof | activity-core deploy/runtime operator | State Hub `daily_triage` id, output-valid or partial/quarantine status, working-memory path | Deploy WP-0016 code/schema and bounded runtime prompt bundle, then run railiance01 smoke. | | activity-core to issue-core | route `activity-core-issue-sink` | `actcore-runtime-secret` has key, activity-core points to issue-core port `8765`, HTTP 201, Gitea issue id | Inject `ISSUE_CORE_API_KEY` through approved custody, set REST sink env, restart/sync, run safe emission. | | Forgejo production design | Forgejo/operator decisions plus OpenBao/KeyCape/ops-bridge routes as needed | Decision id, SMTP smoke, backup/restore drill, package/action smoke, cutover approval id | Resolve T02 production choices before any production cutover work. | -| OpenBao unseal and credential helper | `openbao-api-key`, `railiance-infra-principals`, `ssh-cert-host-access`, `key-cape-oidc-login` | Policy names, role names, token accessor only, allow/deny smoke | Approve custody profile and apply narrow issuer policies before live helper smokes. | +| OpenBao unseal and credential helper | `openbao-api-key`, `railiance-infra-principals`, `ssh-cert-host-access`, `key-cape-oidc-login` | Policy names, role names, token accessor only, allow/deny smoke | `warden-sign` lane is verified/banked; broader custody profile and issuer automation remain separate operator-design gates. | +| ops-warden policy gate / warden-sign lane | `SECRETS-WP-0004` + `FLEX-WP-0007` finished; ops-warden operator posture | `decision:032b096c433ad80c`, `ttl_out_of_bounds`, backend `vault`; no token/role/secret/accessor values | No Custodian action. Keep `policy.enabled` off until testing/production maturity. | ## Daily Automation Evidence 
@@ -104,6 +105,7 @@ Resume from `docs/daily-triage-stabilization-status.md` and | issue-core | ArgoCD service is healthy on port `8765`; image `0.2.1`; ExternalSecret Ready; authenticated smoke created Gitea issue `175`. | activity-core still needs `ISSUE_CORE_API_KEY`, URL port `8765`, `ISSUE_SINK_TYPE=rest`, and a safe emission smoke. | | Forgejo | Migration inventory/design lane is active but pre-cutover. | Production design decisions, SMTP/email recovery, package registry, Actions, backup/restore, migration drill, cutover approval. | | artifact-store | D7.1 is done; D7.2 has an opt-in live MinIO compatibility harness and manual smoke docs. No live secret handoff is recorded. | Run D7.2 against an approved MinIO-compatible endpoint, then route D7.3 STS vending through identity/platform custody before changing credential behavior. | +| secrets-engine | `SECRETS-WP-0004` is finished: the scoped `warden-sign` lane supported the vault-backed policy-gate smoke without exposing token material. `SECRETS-WP-0003` remains active for the real whynot-design npm publish pilot. | Finish or park `SECRETS-WP-0003` behind Gitea bot/package-token provisioning, OpenBao custody, ops-warden route confirmation, and real package publish evidence. | | FOS hub | Old NK-WP-0001 Keycloak prerequisite is cancelled; NK-WP-0002 local identity, IAM Profile v0.2, the Core Hub FastAPI IAM Profile integration test, and Core Hub operator UI first screens are done; hub-core extraction/dev-hub work is done; CUST-WP-0025 Phase 3 has been rewritten for Core Hub. | Execute the remaining Core Hub deployed evidence and cutover gates: `CUST-WP-0025-T16` and `T17`. | ## Next-Pick List 
@@ -123,7 +125,10 @@ Resume from `docs/daily-triage-stabilization-status.md` and record that WSL2 remains primary for the next operating period. 6. Run artifact-store D7.2 live MinIO-compatible evidence; Forgejo and storage work can now inherit the finished staged-promotion gates. -7. Keep Forgejo cutover and State Hub HA work parked until their human decision +7. Keep `SECRETS-WP-0003` parked until Gitea bot/package-token provisioning, + OpenBao custody, route confirmation, and a coordinated whynot-design version + bump are available. +8. Keep Forgejo cutover and State Hub HA work parked until their human decision and drill gates are satisfied. ## Resume Commands diff --git a/docs/near-term-production-service-lanes-status.md b/docs/near-term-production-service-lanes-status.md index aac046a..3f3cd74 100644 --- a/docs/near-term-production-service-lanes-status.md +++ b/docs/near-term-production-service-lanes-status.md @@ -1,6 +1,6 @@ # Near-Term Production Service Lanes Status -Updated: 2026-06-27 +Updated: 2026-06-30 ## Purpose 
@@ -14,6 +14,7 @@ before starting larger migrations. | `issue-wp-0003` | issue-core is live through ArgoCD; image `0.2.1`, Service port `8765`, ExternalSecret Ready, authenticated smoke created Gitea issue `175`. | Do not flip activity-core blindly. First inject `ISSUE_CORE_API_KEY` into `actcore-runtime-secret` through route `activity-core-issue-sink`; then set activity-core `ISSUE_CORE_URL` to port `8765`, set `ISSUE_SINK_TYPE=rest`, restart/sync, and run one safe emission smoke. | | `rail-ho-wp-0005` | Forgejo migration remains pre-implementation. Inventory is in progress; production decisions, SMTP/email recovery, cutover, and legacy retirement are human-gated. | Resolve T02 production decisions first, then build the disposable Forgejo probe. Do not start production cutover before promotion lifecycle, email recovery, package registry, Actions, backup/restore, and migration drill pass. | | `artifact-store-wp-0007` | D7.1 is done. The dated MinIO/fork/object-store landscape assessment chose a compatibility-profile lane rather than a direct MaxIO fork. D7.2 is in progress with an opt-in live MinIO pytest harness and manual smoke docs; no secret value was read or recorded. | Run the D7.2 harness against an approved MinIO-compatible endpoint and capture health/round-trip/multipart evidence. Route D7.3 STS credential vending through identity/platform custody before changing artifact-store credential behavior. | +| `secrets-wp-0003` | Active. The whynot-design real npm publish pilot has a canonical decision and source-side runbook, but real publication still waits on Gitea bot/package-token provisioning, OpenBao custody, ops-warden route confirmation, and a coordinated whynot-design version bump. | Keep parked until the operator/Gitea/OpenBao gates are ready; do not request or record token values. The next safe non-secret action is route-confirmation evidence from ops-warden. | | `staged-promotion-lifecycle` | Finished. 
Lifecycle spec, app contract, overlay scaffold, Stage 1 runner, canary template, deploy/observe tooling, promote/rollback tooling, and onboarding guide are done. | Use the finished promotion gates as prerequisites for Forgejo/source-forge and storage production work. | ## Credential And Operator Routing @@ -45,5 +46,7 @@ No secret value was read or written. The required non-secret evidence is: 3. Run artifact-store D7.2 live evidence against an approved MinIO-compatible endpoint, with D7.3 routed to identity/platform custody if STS vending is not artifact-store-owned. -4. Keep Forgejo production cutover parked behind explicit T02 decisions and the +4. Keep `secrets-wp-0003` parked behind Gitea bot/token, OpenBao custody, + ops-warden route confirmation, and coordinated whynot-design version bump. +5. Keep Forgejo production cutover parked behind explicit T02 decisions and the staged-promotion/backup/email/package/action gates. diff --git a/workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md b/workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md index b849e27..d4b2be1 100644 --- a/workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md +++ b/workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md 
@@ -161,6 +161,15 @@ boundary plus WARDEN-WP-0015 environment-posture/workload-maturity triage. This turns vague IT-security blockers into dev/test doubles, owner-routed production custody gates, or real maturity/posture violations. +Refined 2026-06-30: closed the adjacent ops-warden policy-gate support lanes +without changing ops-warden itself. `/home/worsch/flex-auth` `FLEX-WP-0007` +finished at commit `339c35e`, and `/home/worsch/secrets-engine` +`SECRETS-WP-0004` finished at commit `e0ab1b8`. Non-secret evidence records the +deployed flex-auth runtime, `decision:032b096c433ad80c`, +`ttl_out_of_bounds`, backend `vault`, and the scoped `warden-sign` OpenBao lane. +`policy.enabled` remains intentionally off until testing/production maturity, so +this gate is verified and banked rather than live-enforced. + ## Task: Close The Ops-Hub Inter-Hub Evidence Lane ```task @@ -279,6 +288,9 @@ Priority order: cutover approval gates. - `artifact-store-wp-0007`: complete MinIO compatibility and STS credential vending assessment if it is required by backup, registry, or app lanes. +- `secrets-wp-0003`: finish or explicitly park the whynot-design real npm + publish pilot behind Gitea bot, OpenBao provisioning, route confirmation, and + real package publish evidence. - `staged-promotion-lifecycle`: make production promotion gates explicit before further cluster/source-forge cutovers. 
@@ -401,6 +413,21 @@ Progress 2026-06-27 staged promotion T07 and finish: REPO=railiance-cluster` synced the finished workstream with only pre-existing C-12 orphan-row warnings. +Progress 2026-06-30 policy-gate support closeout: + +- Closed `/home/worsch/flex-auth` `FLEX-WP-0007` from ops-warden's non-secret + production smoke handoff. The deployed runtime at `127.0.0.1:18090` was used + from CoulombCore, allow produced `decision:032b096c433ad80c`, and excessive + TTL was denied with `ttl_out_of_bounds`. +- Closed `/home/worsch/secrets-engine` `SECRETS-WP-0004` from the same evidence: + the scoped `warden-sign` OpenBao policy/AppRole lane was applied and used for + the vault-backed smoke. No token, role id, secret id, accessor, or raw smoke + log was recorded in Git or State Hub. +- This removes the `warden-sign` / `FLEX-WP-0007` blocker from CUST-WP-0051. + The remaining production credential lanes are different gates: + `SECRETS-WP-0003` real npm publish, activity-core -> issue-core, + artifact-store live MinIO/STS evidence, and Forgejo migration credentials. + ## Task: Decide State Hub Migration Strategy ```task
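Review bot: in the `docs/credential-custody-unblock-board.md` "Current read" hunk, the rewritten `OpenBao unseal / issuer profile` row drops the statement that the broader issuer/profile work "remains a hard operator-design gate", while the Live Gates row for the same lane still reads `Needs operator design/approval`. Keep that status in the summary row so the two tables agree, for example "The narrow `warden-sign` lane is verified/banked; broader issuer/profile work remains a hard operator-design gate."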
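Review bot: in the `docs/credential-custody-unblock-board.md` Live Gates hunk, the "next action" cell of the `OpenBao unseal and token automation` row is replaced by a caution ("Broader custody profile remains open; do not treat the completed `warden-sign` lane as a general OpenBao credential helper.") and the concrete steps it used to carry ("Decide custody profile, apply narrow policy/role through approved issuer path, rerun smoke with non-secret evidence.") are gone. The row still has status `Needs operator design/approval`, so it needs an action; put the caution first and keep the steps after it. The new `warden-sign` row also gives the runtime as `127.0.0.1:18090` and says `Keep policy.enabled off` without naming the host the loopback refers to or which service's configuration carries `policy.enabled`; both are needed for someone else to verify the posture later.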
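Review bot: in the `docs/infrastructure-stabilization-pickup-checkpoint.md` lanes-table hunk, the same loss of a next action occurs: the `OpenBao unseal and credential helper` row's last column changes from "Approve custody profile and apply narrow issuer policies before live helper smokes." to a status sentence, although the row is still an open gate. Keep the approval/apply step alongside the note that `warden-sign` is banked, otherwise the checkpoint no longer tells a pickup operator what to do for this lane.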
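Review bot: in the `docs/infrastructure-stabilization-pickup-checkpoint.md` service-table hunk, the new `secrets-engine` row says "Finish or park `SECRETS-WP-0003`", but the Next-Pick List hunk in the same file says "Keep `SECRETS-WP-0003` parked until ..." and the near-term lanes file says "Keep parked until the operator/Gitea/OpenBao gates are ready". Pick one posture for the pilot and use it in all three places; "finish or park" reads as if the decision is still open.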
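Review bot: in the `docs/infrastructure-stabilization-pickup-checkpoint.md` Next-Pick List hunk, inserting the new item 7 renumbers the Forgejo/State Hub item from 7 to 8; confirm that nothing in the unchanged "Resume Commands" section or elsewhere refers to that item by number. Separately, `docs/near-term-production-service-lanes-status.md` gets its `Updated:` line bumped to 2026-06-30 in this patch, but neither the checkpoint nor the unblock board shows a date change; if those files carry an updated line, bump it in the same commit.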
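Review bot: in the `docs/near-term-production-service-lanes-status.md` table hunk, the new `secrets-wp-0003` row opens with "Active." while its guidance cell says "Keep parked until the operator/Gitea/OpenBao gates are ready". The other rows use the status word to describe the lane's real state (`Finished`, `in progress`, `pre-implementation`), so either mark this one as parked or qualify it, e.g. "Active (parked pending Gitea bot/package-token provisioning ...)". In the numbered-list hunk, item 4 should read "a coordinated whynot-design version bump".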
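Review bot: in the `workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md` "Refined 2026-06-30" hunk, the closeout is recorded against workstation paths (`/home/worsch/flex-auth`, `/home/worsch/secrets-engine`) and seven-character hashes (`339c35e`, `e0ab1b8`). Absolute home-directory paths expose a local username and do not resolve for any other reader, and short hashes are not stable identifiers across clones; record the repository name or remote URL and the full commit hash (or a tag) instead. The same paragraph also restates the facts that the "Progress 2026-06-30" hunk later in the file records; keep the detail in one place and have the other refer to it.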
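Review bot: in the "Progress 2026-06-30 policy-gate support closeout" hunk, the third bullet says this "removes the `warden-sign` / `FLEX-WP-0007` blocker from CUST-WP-0051", while the "Refined" paragraph above it says `policy.enabled` remains off and the gate is "verified and banked rather than live-enforced". State explicitly that live enforcement is outside the closed scope and remains an ops-warden posture decision, so no downstream lane reads this closeout as the policy gate being enforced in production. The first bullet's "deployed runtime at `127.0.0.1:18090`" should name the host the loopback address belongs to ("from CoulombCore" describes the caller, not the listener); a loopback endpoint in a production evidence record is otherwise unverifiable.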