Add credential-change delegated applier flow

This commit is contained in:
tegwick 2026-07-01 20:07:26 +02:00
parent c626bfcf15
commit a95236d2e5
21 changed files with 2705 additions and 119 deletions

View file

@ -4,18 +4,19 @@ type: workplan
title: "Workload KV Access Lanes for ops-warden Fetch"
domain: financials
repo: railiance-platform
status: active
status: finished
owner: codex
topic_slug: railiance
planning_priority: high
planning_order: 6
created: "2026-06-27"
updated: "2026-06-28"
updated: "2026-06-29"
depends_on_workplans:
- RAIL-PL-WP-0002
- RAILIANCE-WP-0004
related_state_hub_messages:
- "551031d1-335e-4db8-9535-820fea52d0a3"
- "f76d3a9e-a98f-4081-885d-b79d94312699"
state_hub_workstream_id: "96c8a93d-7a5a-4fa9-8f7b-865119551da3"
---
@ -268,7 +269,7 @@ groups bound-claim mismatch. `platform-root` was restored to the
```task
id: RAILIANCE-WP-0006-T06
status: progress
status: done
priority: high
state_hub_task_id: "8e84ec19-01db-4baf-a532-de87e51d4994"
```
@ -301,6 +302,16 @@ catalog. Keep activation pending until caller verification and catalog update.
to confirm that its dedicated `whynot-design-npm-publish` catalog selector
resolves through the caller-scoped lane.
**2026-06-29:** ops-warden confirmed in State Hub message
`f76d3a9e-a98f-4081-885d-b79d94312699` that catalog selector
`whynot-design-npm-publish` is `status: active`, `resolvable: true`, and wired
to the owner-confirmed lane:
`platform/workloads/coulomb/whynot-design/npm-publish`, field
`NPM_AUTH_TOKEN`, OIDC role `whynot-design-workload-kv-read`, and policy
`workload-kv-read-whynot-design-npm-publish`. ops-warden also confirmed it
notified whynot-design with `warden access whynot-design-npm-publish --exec -- npm publish`,
and that the sibling lanes remain draft for separate planning.
## T07 - Decide whether to batch sibling workload-KV requests
```task
@ -329,6 +340,13 @@ serviced first. The later ops-warden batch follow-up is now represented as
proposed CCRs in `RAILIANCE-WP-0007`, still unapproved and unresolvable until
human review and verification.
**2026-06-29:** Reviewed the sibling lane suggestions against `INTENT.md`.
Created follow-up workplans `RAILIANCE-WP-0009` for the issue-core runtime
ingestion credential lane and `RAILIANCE-WP-0010` for the llm-connect
OpenRouter provider key lane. Both plans keep this repo's scope limited to
shared platform secret custody, least-privilege OpenBao/External Secrets
delivery, verification, and ops-warden front-door handoff.
## Exit Criteria
- The whynot-design npm publish token has a concrete OpenBao KV path, field,