CCR-2026-0002/0003 approved + applied via constrained applier; WP-0008 finished, WP-0009/0010 advanced

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
tegwick 2026-07-02 12:12:49 +02:00
parent 8395862760
commit ddd916d71c
5 changed files with 103 additions and 15 deletions

View file

@ -3,9 +3,9 @@ kind: credential-change-request
schema_version: 1
request_type: workload-kv-read
title: issue-core runtime ingestion key lane
status: proposed
status: applied
created: '2026-06-27'
updated: '2026-06-30'
updated: '2026-07-02'
requester:
agent: ops-warden
message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
@ -27,6 +27,13 @@ review:
path is the platform ClusterSecretStore/openbao role external-secrets-issue-core
bound to service account external-secrets/external-secrets. Keep CCR status
proposed until platform/operator and issue-core-owner approval.
- at: '2026-07-02T09:59:54+00:00'
reviewer: bernd.worsch
decision: approved
comment: 'Approved in chat (Claude Code coached-approvals session, 2026-07-02)
acting as all required approvers: platform-operator, issue-core-owner. Field-set
decision: keep both ISSUE_CORE_API_KEY and GITEA_BACKEND_TOKEN, matching the
live ExternalSecret mapping.'
target:
domain: financials
tenant: issue-core
@ -94,6 +101,16 @@ verification:
External Secrets delivery path.
- Secret values provisioned directly in OpenBao through approved operator custody.
- Positive and negative verification recorded with non-secret audit ids or timestamps.
evidence:
- at: '2026-07-02T10:08:00+00:00'
actor: bernd.worsch
kind: delegated_metadata_apply
result: passed
details:
- Delegated metadata applier ran as bernd.worsch using local bao CLI ambient authority.
- 'Policy metadata write: sys/policies/acl/workload-kv-read-issue-core-runtime'
- 'Auth role metadata write: auth/kubernetes/role/external-secrets-issue-core'
- No secret values were read, written, printed, or accepted in argv.
lifecycle:
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
rotate: Replace issue-core runtime secret values directly in OpenBao and record

View file

@ -3,9 +3,9 @@ kind: credential-change-request
schema_version: 1
request_type: workload-kv-read
title: llm-connect OpenRouter provider key lane
status: proposed
status: applied
created: '2026-06-27'
updated: '2026-07-01'
updated: '2026-07-02'
requester:
agent: ops-warden
message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
@ -21,9 +21,9 @@ review:
reviewer: codex
decision: selector_aligned_to_ops_warden_catalog
comment: ops-warden registry/routing/catalog.yaml and wiki/playbooks/openrouter-llm-connect.md
define openrouter-llm-connect as the draft OpenRouter/llm-connect route.
Updated CCR access_frontdoor metadata to use that canonical selector; approval
and live apply remain pending.
define openrouter-llm-connect as the draft OpenRouter/llm-connect route. Updated
CCR access_frontdoor metadata to use that canonical selector; approval and live
apply remain pending.
- at: '2026-06-29T22:53:03+00:00'
reviewer: codex
decision: metadata_review_binding_confirmed_pending_owner_approval
@ -35,6 +35,11 @@ review:
No activity-core ExternalSecret exists yet; a namespace-limited ClusterSecretStore
source manifest was added for future rollout. Keep CCR status proposed until
platform/operator and activity-core-owner approval.
- at: '2026-07-02T09:59:54+00:00'
reviewer: bernd.worsch
decision: approved
comment: 'Approved in chat (Claude Code coached-approvals session, 2026-07-02)
acting as all required approvers: platform-operator, activity-core-owner.'
target:
domain: financials
tenant: activity-core
@ -98,6 +103,16 @@ verification:
External Secrets delivery path.
- Secret value provisioned directly in OpenBao through approved operator custody.
- Positive and negative verification recorded with non-secret audit ids or timestamps.
evidence:
- at: '2026-07-02T10:08:00+00:00'
actor: bernd.worsch
kind: delegated_metadata_apply
result: passed
details:
- Delegated metadata applier ran as bernd.worsch using local bao CLI ambient authority.
- 'Policy metadata write: sys/policies/acl/workload-kv-read-llm-connect-provider-secrets'
- 'Auth role metadata write: auth/kubernetes/role/external-secrets-activity-core'
- No secret values were read, written, printed, or accepted in argv.
lifecycle:
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
rotate: Replace OPENROUTER_API_KEY directly in OpenBao and record non-secret rotation