Add activity-core llm-connect reconcile gate

tegwick 2026-06-18 02:10:18 +02:00
parent ff8cbe596c
commit 5f8d2831c7
3 changed files with 393 additions and 1 deletions

@ -0,0 +1,96 @@
---
id: RAILIANCE-WP-0014
type: workplan
title: "activity-core llm-connect live reconcile"
domain: railiance
repo: railiance-cluster
status: blocked
owner: codex
topic_slug: railiance
created: "2026-06-18"
updated: "2026-06-18"
state_hub_workstream_id: "a152ddda-d60a-4a65-9b9c-59e2db9ff2b7"
---
# activity-core llm-connect live reconcile
## Context
activity-core has updated its Railiance runtime manifest so
`actcore-runtime-config` points at the verified in-cluster llm-connect URL:
```text
LLM_CONNECT_URL=http://llm-connect.activity-core.svc.cluster.local:8080
LLM_CONNECT_TIMEOUT_SECONDS=300
```
The remaining live gate belongs at the cluster/operator layer. Provider
credentials must stay outside Git and State Hub, and the fixture smoke should
record only non-secret evidence.
## Add cluster-owned reconcile/check command
```task
id: RAILIANCE-WP-0014-T01
status: done
priority: high
state_hub_task_id: "49288db7-8102-4ad5-af08-1fe6ab3f1d37"
```
Add a repeatable Railiance command that:
- reconciles the non-secret activity-core runtime config keys;
- checks the provider Secret by key count only;
- applies the llm-connect overlay only after the provider Secret exists;
- runs the in-namespace fixture smoke only after deployment readiness;
- posts a non-secret State Hub evidence note.
2026-06-18: Added `tools/cmd/railiance-reconcile-activity-core-llm-connect`
and Makefile target `reconcile-activity-core-llm-connect`.
## Reconcile live non-secret runtime config
```task
id: RAILIANCE-WP-0014-T02
status: done
priority: high
state_hub_task_id: "61df5bad-535f-4ad1-ac7a-f46ff278c388"
```
Patch the live `activity-core/actcore-runtime-config` ConfigMap so it consumes
the verified llm-connect service URL and timeout. Do not touch Secret values.
2026-06-18: The reconcile command patches only `LLM_CONNECT_URL` and
`LLM_CONNECT_TIMEOUT_SECONDS`, then re-reads the live ConfigMap to verify the
values. Live evidence note `c72c514a-399e-4c54-8d5b-d36405932360` confirms
`LLM_CONNECT_URL=http://llm-connect.activity-core.svc.cluster.local:8080` and
`LLM_CONNECT_TIMEOUT_SECONDS=300`.
## Complete provider Secret, deployment, and smoke gate
```task
id: RAILIANCE-WP-0014-T03
status: blocked
priority: high
state_hub_task_id: "ae8af00a-c14f-4b76-933c-46d06cd360ae"
```
After an operator stores provider credentials in
`activity-core/llm-connect-provider-secrets`, rerun:
```bash
make reconcile-activity-core-llm-connect
```
The command will apply the llm-connect overlay, wait for deployment readiness,
run the in-namespace fixture smoke with `imagePullPolicy=Never`, and post
non-secret evidence: provider Secret key count, deployment readiness,
pass/fail, latency/recommendation summary or sanitized failure.
Current live gate on 2026-06-18: provider Secret
`activity-core/llm-connect-provider-secrets` is missing, so deployment and
smoke are intentionally blocked until operator/OpenBao-to-Kubernetes Secret
custody is complete. Evidence note
`c72c514a-399e-4c54-8d5b-d36405932360` records provider Secret status
`missing`, key count `0`, deployment status `not checked; provider Secret gate
not satisfied`, and smoke status `blocked`.
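
Review bot: The T01 list gates the overlay on "only after the provider Secret exists" while the check is "by key count only", and the workplan never states which key count satisfies the gate. As written, a Secret that exists with zero keys, or with the wrong keys, would meet the existence condition. Suggest stating the threshold explicitly (for example, that key count `0` is treated the same as `missing`) and, if key names are considered non-secret, checking for the expected names rather than the count alone. In T03, the smoke runs with `imagePullPolicy=Never`, which depends on the fixture image already being present on the node; name that prerequisite so an image-not-present failure is not read as a provider failure. "sanitized failure" would also benefit from one line on what is stripped before the note is posted to State Hub.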