Record policy gate support closeouts

2026-06-30 09:49:04 +02:00
parent a6e987bc23
commit 3ef57f63c1
4 changed files with 43 additions and 6 deletions

@@ -161,6 +161,15 @@ boundary plus WARDEN-WP-0015 environment-posture/workload-maturity triage. This
turns vague IT-security blockers into dev/test doubles, owner-routed production
custody gates, or real maturity/posture violations.
Refined 2026-06-30: closed the adjacent ops-warden policy-gate support lanes
without changing ops-warden itself. `/home/worsch/flex-auth` `FLEX-WP-0007`
finished at commit `339c35e`, and `/home/worsch/secrets-engine`
`SECRETS-WP-0004` finished at commit `e0ab1b8`. Non-secret evidence records the
deployed flex-auth runtime, `decision:032b096c433ad80c`,
`ttl_out_of_bounds`, backend `vault`, and the scoped `warden-sign` OpenBao lane.
`policy.enabled` remains intentionally off until testing/production maturity, so
this gate is verified and banked rather than live-enforced.
## Task: Close The Ops-Hub Inter-Hub Evidence Lane
```task
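Review bot: the "Refined 2026-06-30" paragraph says `policy.enabled` stays off "until testing/production maturity" but does not name what that condition concretely is or who owns flipping it, so the deferred enforcement has no trigger a later reader can act on; add the owner and the concrete maturity criterion next to that sentence. The same paragraph says "non-secret evidence records" the runtime, decision id, denial reason and backend, but not where that evidence record lives; a path or record reference alongside the two closing commits (`339c35e`, `e0ab1b8`) would make the closeout traceable without reading the other repositories.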
@@ -279,6 +288,9 @@ Priority order:
cutover approval gates.
- `artifact-store-wp-0007`: complete MinIO compatibility and STS credential
vending assessment if it is required by backup, registry, or app lanes.
- `secrets-wp-0003`: finish or explicitly park the whynot-design real npm
publish pilot behind Gitea bot, OpenBao provisioning, route confirmation, and
real package publish evidence.
- `staged-promotion-lifecycle`: make production promotion gates explicit before
further cluster/source-forge cutovers.
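Review bot: the new priority items are written with lowercase ids (`artifact-store-wp-0007`, `secrets-wp-0003`) while the rest of this change refers to the same workstreams in uppercase (`SECRETS-WP-0003`, `SECRETS-WP-0004`); pick one casing so the ids can be searched and cross-referenced reliably. The `artifact-store-wp-0007` entry is conditional on whether "backup, registry, or app lanes" require it, and the `secrets-wp-0003` entry allows either "finish or explicitly park"; both leave the decision open, so name who decides and by which gate, otherwise these items will sit in the priority list without a resolution path.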
@@ -401,6 +413,21 @@ Progress 2026-06-27 staged promotion T07 and finish:
REPO=railiance-cluster` synced the finished workstream with only pre-existing
C-12 orphan-row warnings.
Progress 2026-06-30 policy-gate support closeout:
- Closed `/home/worsch/flex-auth` `FLEX-WP-0007` from ops-warden's non-secret
production smoke handoff. The deployed runtime at `127.0.0.1:18090` was used
from CoulombCore, allow produced `decision:032b096c433ad80c`, and excessive
TTL was denied with `ttl_out_of_bounds`.
- Closed `/home/worsch/secrets-engine` `SECRETS-WP-0004` from the same evidence:
the scoped `warden-sign` OpenBao policy/AppRole lane was applied and used for
the vault-backed smoke. No token, role id, secret id, accessor, or raw smoke
log was recorded in Git or State Hub.
- This removes the `warden-sign` / `FLEX-WP-0007` blocker from CUST-WP-0051.
The remaining production credential lanes are different gates:
`SECRETS-WP-0003` real npm publish, activity-core -> issue-core,
artifact-store live MinIO/STS evidence, and Forgejo migration credentials.
## Task: Decide State Hub Migration Strategy
```task
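Review bot: the first bullet records the allow outcome with its decision id (`decision:032b096c433ad80c`) but records the excessive-TTL denial only by reason (`ttl_out_of_bounds`) with no corresponding decision id; for the evidence to be symmetric, either add the deny-side identifier or state that the deny path emits none. The second bullet correctly lists what was withheld (token, role id, secret id, accessor, raw smoke log) but, like the hunk above, does not say where the retained non-secret evidence is stored; add that reference. The third bullet removes the `warden-sign` / `FLEX-WP-0007` blocker from CUST-WP-0051, so confirm the CUST-WP-0051 record itself is updated in this same change rather than only noted here, or the two will drift.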