Record policy gate support closeouts
This commit is contained in:
@@ -71,7 +71,8 @@ separate ops-warden worker.
|
||||
| Daily-triage live proof | activity-core deploy/runtime operator | State Hub `daily_triage` id, output-valid or partial/quarantine status, working-memory path | Deploy WP-0016 code/schema and bounded runtime prompt bundle, then run railiance01 smoke. |
|
||||
| activity-core to issue-core | route `activity-core-issue-sink` | `actcore-runtime-secret` has key, activity-core points to issue-core port `8765`, HTTP 201, Gitea issue id | Inject `ISSUE_CORE_API_KEY` through approved custody, set REST sink env, restart/sync, run safe emission. |
|
||||
| Forgejo production design | Forgejo/operator decisions plus OpenBao/KeyCape/ops-bridge routes as needed | Decision id, SMTP smoke, backup/restore drill, package/action smoke, cutover approval id | Resolve T02 production choices before any production cutover work. |
|
||||
| OpenBao unseal and credential helper | `openbao-api-key`, `railiance-infra-principals`, `ssh-cert-host-access`, `key-cape-oidc-login` | Policy names, role names, token accessor only, allow/deny smoke | Approve custody profile and apply narrow issuer policies before live helper smokes. |
|
||||
| OpenBao unseal and credential helper | `openbao-api-key`, `railiance-infra-principals`, `ssh-cert-host-access`, `key-cape-oidc-login` | Policy names, role names, token accessor only, allow/deny smoke | `warden-sign` lane is verified/banked; broader custody profile and issuer automation remain separate operator-design gates. |
|
||||
| ops-warden policy gate / warden-sign lane | `SECRETS-WP-0004` + `FLEX-WP-0007` finished; ops-warden operator posture | `decision:032b096c433ad80c`, `ttl_out_of_bounds`, backend `vault`; no token/role/secret/accessor values | No Custodian action. Keep `policy.enabled` off until testing/production maturity. |
|
||||
|
||||
## Daily Automation Evidence
|
||||
|
||||
@@ -104,6 +105,7 @@ Resume from `docs/daily-triage-stabilization-status.md` and
|
||||
| issue-core | ArgoCD service is healthy on port `8765`; image `0.2.1`; ExternalSecret Ready; authenticated smoke created Gitea issue `175`. | activity-core still needs `ISSUE_CORE_API_KEY`, URL port `8765`, `ISSUE_SINK_TYPE=rest`, and a safe emission smoke. |
|
||||
| Forgejo | Migration inventory/design lane is active but pre-cutover. | Production design decisions, SMTP/email recovery, package registry, Actions, backup/restore, migration drill, cutover approval. |
|
||||
| artifact-store | D7.1 is done; D7.2 has an opt-in live MinIO compatibility harness and manual smoke docs. No live secret handoff is recorded. | Run D7.2 against an approved MinIO-compatible endpoint, then route D7.3 STS vending through identity/platform custody before changing credential behavior. |
|
||||
| secrets-engine | `SECRETS-WP-0004` is finished: the scoped `warden-sign` lane supported the vault-backed policy-gate smoke without exposing token material. `SECRETS-WP-0003` remains active for the real whynot-design npm publish pilot. | Finish or park `SECRETS-WP-0003` behind Gitea bot/package-token provisioning, OpenBao custody, ops-warden route confirmation, and real package publish evidence. |
|
||||
| FOS hub | Old NK-WP-0001 Keycloak prerequisite is cancelled; NK-WP-0002 local identity, IAM Profile v0.2, the Core Hub FastAPI IAM Profile integration test, and Core Hub operator UI first screens are done; hub-core extraction/dev-hub work is done; CUST-WP-0025 Phase 3 has been rewritten for Core Hub. | Execute the remaining Core Hub deployed evidence and cutover gates: `CUST-WP-0025-T16` and `T17`. |
|
||||
|
||||
## Next-Pick List
|
||||
@@ -123,7 +125,10 @@ Resume from `docs/daily-triage-stabilization-status.md` and
|
||||
record that WSL2 remains primary for the next operating period.
|
||||
6. Run artifact-store D7.2 live MinIO-compatible evidence; Forgejo and storage
|
||||
work can now inherit the finished staged-promotion gates.
|
||||
7. Keep Forgejo cutover and State Hub HA work parked until their human decision
|
||||
7. Keep `SECRETS-WP-0003` parked until Gitea bot/package-token provisioning,
|
||||
OpenBao custody, route confirmation, and a coordinated whynot-design version
|
||||
bump are available.
|
||||
8. Keep Forgejo cutover and State Hub HA work parked until their human decision
|
||||
and drill gates are satisfied.
|
||||
|
||||
## Resume Commands
|
||||
|
||||
Reference in New Issue
Block a user