RAILIANCE-WP-0009/0010 finished: front doors active; WP-0005 T10 done
- CCR-2026-0002/0003: frontdoor_activation evidence recorded, status active, readiness ready/resolvable (ops-warden catalog promotion commit 364eb7d) - WP-0009/0010 T06 done; both workplans finished - WP-0005 T10 closed on acceptance (fast path, break-glass, routing truth consistent); phase-2 readonly-diagnostics grant deferred as follow-up - WP-0005 T07 stays wait: flex-auth lacks a credential-grant authorization surface (capability request sent, State Hub message 893ff109) Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
parent
d284fea400
commit
4936b8970b
5 changed files with 86 additions and 16 deletions
|
|
@ -10,7 +10,7 @@ topic_slug: railiance
|
|||
planning_priority: high
|
||||
planning_order: 5
|
||||
created: "2026-06-24"
|
||||
updated: "2026-07-01"
|
||||
updated: "2026-07-02"
|
||||
depends_on_workplans:
|
||||
- RAIL-PL-WP-0002
|
||||
state_hub_workstream_id: "2731fece-6c49-45b8-ab8a-4ea6c04ac603"
|
||||
|
|
@ -329,6 +329,18 @@ The helper records only non-secret metadata. T07 is `wait` until a live flex-aut
|
|||
credential authorization endpoint is available and the OpenBao live gate is
|
||||
cleared.
|
||||
|
||||
**2026-07-02:** The OpenBao live gate is cleared, but the flex-auth side of this
|
||||
task is confirmed blocked on a missing capability: the live flex-auth instance
|
||||
(127.0.0.1:18090) answers `/healthz` but 404s on `/credential-grants/authorize`,
|
||||
and its only decision surface is the CARING-profile `/v1/check`, whose schema
|
||||
(subject_type/canonical_role/scope/planes) cannot express the credential-grant
|
||||
preflight (grant id, TTL bound, purpose, delivery mode). No FLEX-WP workplan
|
||||
covers this endpoint. Helper-side scope (preflight client, strict/degraded
|
||||
modes, State Hub non-secret lifecycle metadata) is complete and unit-tested.
|
||||
Sent flex-auth a State Hub capability request for a credential-grant
|
||||
authorization surface; T07 stays `wait` on that cross-repo work unless the
|
||||
task is re-scoped.
|
||||
|
||||
## T08 - Integrate ops-warden smoke and routing catalog
|
||||
|
||||
```task
|
||||
|
|
@ -405,7 +417,7 @@ items are met.
|
|||
|
||||
```task
|
||||
id: RAILIANCE-WP-0005-T10
|
||||
status: progress
|
||||
status: done
|
||||
priority: medium
|
||||
state_hub_task_id: "44ce4082-fa8f-44d0-8f86-172d14ecfb0e"
|
||||
```
|
||||
|
|
@ -432,6 +444,22 @@ external routing-doc/catalog updates.
|
|||
|
||||
**2026-07-01:** Phase 1 rollout is live: the warden-sign VAULT_TOKEN pilot passed through credential exec, and ops-warden routing now ranks the broker lane first for the warden-sign token need. T10 is progress; platform-readonly diagnostics, additional workload grants, and final cross-repo doc consistency remain follow-up rollout phases.
|
||||
|
||||
**2026-07-02:** T10 closed on its acceptance criteria. (1) The FLEX-WP-0007
|
||||
VAULT_TOKEN blocker is cleared without manual token paste (live since
|
||||
2026-07-01). (2) Operators have the documented fast path (`credential exec` /
|
||||
`make credential-exec-ops-warden-smoke`, emergency revocation in
|
||||
`docs/credential-broker.md`) and break-glass path (root-token/unseal ceremony
|
||||
in `docs/openbao.md`). (3) Routing truth is consistent: ops-warden
|
||||
`CredentialRouting.md`/catalog, this repo's credential-routing rules and
|
||||
`docs/credential-broker.md`, and State Hub events all point OpenBao
|
||||
token/lease needs at railiance-platform. Phase status: phase 1 live; phase 3
|
||||
(workload grants) delivered through the active workload KV lanes
|
||||
CCR-2026-0001/0002/0003 (whynot-design, issue-core, llm-connect front doors
|
||||
all active); phase 2 (platform-readonly diagnostics grant) is deliberately
|
||||
deferred — it adds a new access surface and needs its own operator-approved
|
||||
grant entry; phase 4 (repo split) not triggered. Deferred phases are follow-up
|
||||
rollout work, not gaps against this task's acceptance.
|
||||
|
||||
## Exit Criteria
|
||||
|
||||
- A policy-approved actor can request or exec with a short-lived OpenBao token without seeing or pasting the raw token.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue