CCR-2026-0002/0003 approved + applied via constrained applier; WP-0008 finished, WP-0009/0010 advanced
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
parent
8395862760
commit
ddd916d71c
5 changed files with 103 additions and 15 deletions
|
|
@ -3,9 +3,9 @@ kind: credential-change-request
|
|||
schema_version: 1
|
||||
request_type: workload-kv-read
|
||||
title: issue-core runtime ingestion key lane
|
||||
status: proposed
|
||||
status: applied
|
||||
created: '2026-06-27'
|
||||
updated: '2026-06-30'
|
||||
updated: '2026-07-02'
|
||||
requester:
|
||||
agent: ops-warden
|
||||
message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
|
||||
|
|
@ -27,6 +27,13 @@ review:
|
|||
path is the platform ClusterSecretStore/openbao role external-secrets-issue-core
|
||||
bound to service account external-secrets/external-secrets. Keep CCR status
|
||||
proposed until platform/operator and issue-core-owner approval.
|
||||
- at: '2026-07-02T09:59:54+00:00'
|
||||
reviewer: bernd.worsch
|
||||
decision: approved
|
||||
comment: 'Approved in chat (Claude Code coached-approvals session, 2026-07-02)
|
||||
acting as all required approvers: platform-operator, issue-core-owner. Field-set
|
||||
decision: keep both ISSUE_CORE_API_KEY and GITEA_BACKEND_TOKEN, matching the
|
||||
live ExternalSecret mapping.'
|
||||
target:
|
||||
domain: financials
|
||||
tenant: issue-core
|
||||
|
|
@ -94,6 +101,16 @@ verification:
|
|||
External Secrets delivery path.
|
||||
- Secret values provisioned directly in OpenBao through approved operator custody.
|
||||
- Positive and negative verification recorded with non-secret audit ids or timestamps.
|
||||
evidence:
|
||||
- at: '2026-07-02T10:08:00+00:00'
|
||||
actor: bernd.worsch
|
||||
kind: delegated_metadata_apply
|
||||
result: passed
|
||||
details:
|
||||
- Delegated metadata applier ran as bernd.worsch using local bao CLI ambient authority.
|
||||
- 'Policy metadata write: sys/policies/acl/workload-kv-read-issue-core-runtime'
|
||||
- 'Auth role metadata write: auth/kubernetes/role/external-secrets-issue-core'
|
||||
- No secret values were read, written, printed, or accepted in argv.
|
||||
lifecycle:
|
||||
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
|
||||
rotate: Replace issue-core runtime secret values directly in OpenBao and record
|
||||
|
|
|
|||
|
|
@ -3,9 +3,9 @@ kind: credential-change-request
|
|||
schema_version: 1
|
||||
request_type: workload-kv-read
|
||||
title: llm-connect OpenRouter provider key lane
|
||||
status: proposed
|
||||
status: applied
|
||||
created: '2026-06-27'
|
||||
updated: '2026-07-01'
|
||||
updated: '2026-07-02'
|
||||
requester:
|
||||
agent: ops-warden
|
||||
message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
|
||||
|
|
@ -21,9 +21,9 @@ review:
|
|||
reviewer: codex
|
||||
decision: selector_aligned_to_ops_warden_catalog
|
||||
comment: ops-warden registry/routing/catalog.yaml and wiki/playbooks/openrouter-llm-connect.md
|
||||
define openrouter-llm-connect as the draft OpenRouter/llm-connect route.
|
||||
Updated CCR access_frontdoor metadata to use that canonical selector; approval
|
||||
and live apply remain pending.
|
||||
define openrouter-llm-connect as the draft OpenRouter/llm-connect route. Updated
|
||||
CCR access_frontdoor metadata to use that canonical selector; approval and live
|
||||
apply remain pending.
|
||||
- at: '2026-06-29T22:53:03+00:00'
|
||||
reviewer: codex
|
||||
decision: metadata_review_binding_confirmed_pending_owner_approval
|
||||
|
|
@ -35,6 +35,11 @@ review:
|
|||
No activity-core ExternalSecret exists yet; a namespace-limited ClusterSecretStore
|
||||
source manifest was added for future rollout. Keep CCR status proposed until
|
||||
platform/operator and activity-core-owner approval.
|
||||
- at: '2026-07-02T09:59:54+00:00'
|
||||
reviewer: bernd.worsch
|
||||
decision: approved
|
||||
comment: 'Approved in chat (Claude Code coached-approvals session, 2026-07-02)
|
||||
acting as all required approvers: platform-operator, activity-core-owner.'
|
||||
target:
|
||||
domain: financials
|
||||
tenant: activity-core
|
||||
|
|
@ -98,6 +103,16 @@ verification:
|
|||
External Secrets delivery path.
|
||||
- Secret value provisioned directly in OpenBao through approved operator custody.
|
||||
- Positive and negative verification recorded with non-secret audit ids or timestamps.
|
||||
evidence:
|
||||
- at: '2026-07-02T10:08:00+00:00'
|
||||
actor: bernd.worsch
|
||||
kind: delegated_metadata_apply
|
||||
result: passed
|
||||
details:
|
||||
- Delegated metadata applier ran as bernd.worsch using local bao CLI ambient authority.
|
||||
- 'Policy metadata write: sys/policies/acl/workload-kv-read-llm-connect-provider-secrets'
|
||||
- 'Auth role metadata write: auth/kubernetes/role/external-secrets-activity-core'
|
||||
- No secret values were read, written, printed, or accepted in argv.
|
||||
lifecycle:
|
||||
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
|
||||
rotate: Replace OPENROUTER_API_KEY directly in OpenBao and record non-secret rotation
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue