Record policy gate support closeouts
@@ -161,6 +161,15 @@ boundary plus WARDEN-WP-0015 environment-posture/workload-maturity triage. This
turns vague IT-security blockers into dev/test doubles, owner-routed production
custody gates, or real maturity/posture violations.
Refined 2026-06-30: closed the adjacent ops-warden policy-gate support lanes
without changing ops-warden itself. `/home/worsch/flex-auth` `FLEX-WP-0007`
finished at commit `339c35e`, and `/home/worsch/secrets-engine`
`SECRETS-WP-0004` finished at commit `e0ab1b8`. Non-secret evidence records the
deployed flex-auth runtime, `decision:032b096c433ad80c`,
`ttl_out_of_bounds`, backend `vault`, and the scoped `warden-sign` OpenBao lane.
`policy.enabled` remains intentionally off until testing/production maturity, so
this gate is verified and banked rather than live-enforced.
## Task: Close The Ops-Hub Inter-Hub Evidence Lane
```task
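Review bot: the "Refined 2026-06-30" paragraph records `policy.enabled` as "intentionally off until testing/production maturity" but names no concrete criterion or owning workstream for turning it on, so a banked-but-unenforced gate can silently stay off; add the maturity condition and the workstream id that tracks it next to that sentence, e.g. "`policy.enabled` stays off until <named maturity gate> is met; owner: <workstream id>".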
@@ -279,6 +288,9 @@ Priority order:
cutover approval gates.
- `artifact-store-wp-0007`: complete MinIO compatibility and STS credential
vending assessment if it is required by backup, registry, or app lanes.
- `secrets-wp-0003`: finish or explicitly park the whynot-design real npm
publish pilot behind Gitea bot, OpenBao provisioning, route confirmation, and
real package publish evidence.
- `staged-promotion-lifecycle`: make production promotion gates explicit before
further cluster/source-forge cutovers.
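Review bot: workstream id casing is inconsistent within this change: the priority list writes `artifact-store-wp-0007` and `secrets-wp-0003` in lower case while the same commit's other hunks write `FLEX-WP-0007`, `SECRETS-WP-0003` and `SECRETS-WP-0004` in upper case; pick one form so a search for an id finds every mention. The `artifact-store-wp-0007` item is also conditional on "if it is required by backup, registry, or app lanes" without saying which lane decides that; name the deciding lane so the item cannot sit unowned.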
@@ -401,6 +413,21 @@ Progress 2026-06-27 staged promotion T07 and finish:
REPO=railiance-cluster` synced the finished workstream with only pre-existing
C-12 orphan-row warnings.
Progress 2026-06-30 policy-gate support closeout:
- Closed `/home/worsch/flex-auth` `FLEX-WP-0007` from ops-warden's non-secret
production smoke handoff. The deployed runtime at `127.0.0.1:18090` was used
from CoulombCore, allow produced `decision:032b096c433ad80c`, and excessive
TTL was denied with `ttl_out_of_bounds`.
- Closed `/home/worsch/secrets-engine` `SECRETS-WP-0004` from the same evidence:
the scoped `warden-sign` OpenBao policy/AppRole lane was applied and used for
the vault-backed smoke. No token, role id, secret id, accessor, or raw smoke
log was recorded in Git or State Hub.
- This removes the `warden-sign` / `FLEX-WP-0007` blocker from CUST-WP-0051.
The remaining production credential lanes are different gates:
`SECRETS-WP-0003` real npm publish, activity-core -> issue-core,
artifact-store live MinIO/STS evidence, and Forgejo migration credentials.
## Task: Decide State Hub Migration Strategy
```task
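Review bot: the third bullet removes the `warden-sign` / `FLEX-WP-0007` blocker from CUST-WP-0051, but nothing in this hunk updates CUST-WP-0051's own blocker list; if that list is kept in another section or file, change it in the same commit or say where it lives so the two records do not drift. The second bullet's statement that no token, role id, secret id, accessor, or raw smoke log was recorded in Git or State Hub is the right scope, but the entry should point at the non-secret evidence record it relies on so the `decision:032b096c433ad80c` allow and the `ttl_out_of_bounds` deny can be re-checked later without the raw log.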