CCR-2026-0002/0003 approved + applied via constrained applier; WP-0008 finished, WP-0009/0010 advanced
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
parent
8395862760
commit
ddd916d71c
5 changed files with 103 additions and 15 deletions
|
|
@ -3,9 +3,9 @@ kind: credential-change-request
|
||||||
schema_version: 1
|
schema_version: 1
|
||||||
request_type: workload-kv-read
|
request_type: workload-kv-read
|
||||||
title: issue-core runtime ingestion key lane
|
title: issue-core runtime ingestion key lane
|
||||||
status: proposed
|
status: applied
|
||||||
created: '2026-06-27'
|
created: '2026-06-27'
|
||||||
updated: '2026-06-30'
|
updated: '2026-07-02'
|
||||||
requester:
|
requester:
|
||||||
agent: ops-warden
|
agent: ops-warden
|
||||||
message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
|
message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
|
||||||
|
|
@ -27,6 +27,13 @@ review:
|
||||||
path is the platform ClusterSecretStore/openbao role external-secrets-issue-core
|
path is the platform ClusterSecretStore/openbao role external-secrets-issue-core
|
||||||
bound to service account external-secrets/external-secrets. Keep CCR status
|
bound to service account external-secrets/external-secrets. Keep CCR status
|
||||||
proposed until platform/operator and issue-core-owner approval.
|
proposed until platform/operator and issue-core-owner approval.
|
||||||
|
- at: '2026-07-02T09:59:54+00:00'
|
||||||
|
reviewer: bernd.worsch
|
||||||
|
decision: approved
|
||||||
|
comment: 'Approved in chat (Claude Code coached-approvals session, 2026-07-02)
|
||||||
|
acting as all required approvers: platform-operator, issue-core-owner. Field-set
|
||||||
|
decision: keep both ISSUE_CORE_API_KEY and GITEA_BACKEND_TOKEN, matching the
|
||||||
|
live ExternalSecret mapping.'
|
||||||
target:
|
target:
|
||||||
domain: financials
|
domain: financials
|
||||||
tenant: issue-core
|
tenant: issue-core
|
||||||
|
|
@ -94,6 +101,16 @@ verification:
|
||||||
External Secrets delivery path.
|
External Secrets delivery path.
|
||||||
- Secret values provisioned directly in OpenBao through approved operator custody.
|
- Secret values provisioned directly in OpenBao through approved operator custody.
|
||||||
- Positive and negative verification recorded with non-secret audit ids or timestamps.
|
- Positive and negative verification recorded with non-secret audit ids or timestamps.
|
||||||
|
evidence:
|
||||||
|
- at: '2026-07-02T10:08:00+00:00'
|
||||||
|
actor: bernd.worsch
|
||||||
|
kind: delegated_metadata_apply
|
||||||
|
result: passed
|
||||||
|
details:
|
||||||
|
- Delegated metadata applier ran as bernd.worsch using local bao CLI ambient authority.
|
||||||
|
- 'Policy metadata write: sys/policies/acl/workload-kv-read-issue-core-runtime'
|
||||||
|
- 'Auth role metadata write: auth/kubernetes/role/external-secrets-issue-core'
|
||||||
|
- No secret values were read, written, printed, or accepted in argv.
|
||||||
lifecycle:
|
lifecycle:
|
||||||
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
|
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
|
||||||
rotate: Replace issue-core runtime secret values directly in OpenBao and record
|
rotate: Replace issue-core runtime secret values directly in OpenBao and record
|
||||||
|
|
|
||||||
|
|
@ -3,9 +3,9 @@ kind: credential-change-request
|
||||||
schema_version: 1
|
schema_version: 1
|
||||||
request_type: workload-kv-read
|
request_type: workload-kv-read
|
||||||
title: llm-connect OpenRouter provider key lane
|
title: llm-connect OpenRouter provider key lane
|
||||||
status: proposed
|
status: applied
|
||||||
created: '2026-06-27'
|
created: '2026-06-27'
|
||||||
updated: '2026-07-01'
|
updated: '2026-07-02'
|
||||||
requester:
|
requester:
|
||||||
agent: ops-warden
|
agent: ops-warden
|
||||||
message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
|
message_id: fe5b1696-8956-4bd5-9d6f-dbde1901a076
|
||||||
|
|
@ -21,9 +21,9 @@ review:
|
||||||
reviewer: codex
|
reviewer: codex
|
||||||
decision: selector_aligned_to_ops_warden_catalog
|
decision: selector_aligned_to_ops_warden_catalog
|
||||||
comment: ops-warden registry/routing/catalog.yaml and wiki/playbooks/openrouter-llm-connect.md
|
comment: ops-warden registry/routing/catalog.yaml and wiki/playbooks/openrouter-llm-connect.md
|
||||||
define openrouter-llm-connect as the draft OpenRouter/llm-connect route.
|
define openrouter-llm-connect as the draft OpenRouter/llm-connect route. Updated
|
||||||
Updated CCR access_frontdoor metadata to use that canonical selector; approval
|
CCR access_frontdoor metadata to use that canonical selector; approval and live
|
||||||
and live apply remain pending.
|
apply remain pending.
|
||||||
- at: '2026-06-29T22:53:03+00:00'
|
- at: '2026-06-29T22:53:03+00:00'
|
||||||
reviewer: codex
|
reviewer: codex
|
||||||
decision: metadata_review_binding_confirmed_pending_owner_approval
|
decision: metadata_review_binding_confirmed_pending_owner_approval
|
||||||
|
|
@ -35,6 +35,11 @@ review:
|
||||||
No activity-core ExternalSecret exists yet; a namespace-limited ClusterSecretStore
|
No activity-core ExternalSecret exists yet; a namespace-limited ClusterSecretStore
|
||||||
source manifest was added for future rollout. Keep CCR status proposed until
|
source manifest was added for future rollout. Keep CCR status proposed until
|
||||||
platform/operator and activity-core-owner approval.
|
platform/operator and activity-core-owner approval.
|
||||||
|
- at: '2026-07-02T09:59:54+00:00'
|
||||||
|
reviewer: bernd.worsch
|
||||||
|
decision: approved
|
||||||
|
comment: 'Approved in chat (Claude Code coached-approvals session, 2026-07-02)
|
||||||
|
acting as all required approvers: platform-operator, activity-core-owner.'
|
||||||
target:
|
target:
|
||||||
domain: financials
|
domain: financials
|
||||||
tenant: activity-core
|
tenant: activity-core
|
||||||
|
|
@ -98,6 +103,16 @@ verification:
|
||||||
External Secrets delivery path.
|
External Secrets delivery path.
|
||||||
- Secret value provisioned directly in OpenBao through approved operator custody.
|
- Secret value provisioned directly in OpenBao through approved operator custody.
|
||||||
- Positive and negative verification recorded with non-secret audit ids or timestamps.
|
- Positive and negative verification recorded with non-secret audit ids or timestamps.
|
||||||
|
evidence:
|
||||||
|
- at: '2026-07-02T10:08:00+00:00'
|
||||||
|
actor: bernd.worsch
|
||||||
|
kind: delegated_metadata_apply
|
||||||
|
result: passed
|
||||||
|
details:
|
||||||
|
- Delegated metadata applier ran as bernd.worsch using local bao CLI ambient authority.
|
||||||
|
- 'Policy metadata write: sys/policies/acl/workload-kv-read-llm-connect-provider-secrets'
|
||||||
|
- 'Auth role metadata write: auth/kubernetes/role/external-secrets-activity-core'
|
||||||
|
- No secret values were read, written, printed, or accepted in argv.
|
||||||
lifecycle:
|
lifecycle:
|
||||||
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
|
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
|
||||||
rotate: Replace OPENROUTER_API_KEY directly in OpenBao and record non-secret rotation
|
rotate: Replace OPENROUTER_API_KEY directly in OpenBao and record non-secret rotation
|
||||||
|
|
|
||||||
|
|
@ -4,7 +4,7 @@ type: workplan
|
||||||
title: "OpenBao Approved Automation Delegation"
|
title: "OpenBao Approved Automation Delegation"
|
||||||
domain: financials
|
domain: financials
|
||||||
repo: railiance-platform
|
repo: railiance-platform
|
||||||
status: active
|
status: finished
|
||||||
owner: codex
|
owner: codex
|
||||||
topic_slug: railiance
|
topic_slug: railiance
|
||||||
planning_priority: high
|
planning_priority: high
|
||||||
|
|
@ -173,7 +173,7 @@ credential-tests` passed with 28 tests.
|
||||||
|
|
||||||
```task
|
```task
|
||||||
id: RAILIANCE-WP-0008-T03
|
id: RAILIANCE-WP-0008-T03
|
||||||
status: progress
|
status: done
|
||||||
priority: medium
|
priority: medium
|
||||||
state_hub_task_id: "ff927a19-50fb-4351-8db1-c60a0cce0995"
|
state_hub_task_id: "ff927a19-50fb-4351-8db1-c60a0cce0995"
|
||||||
```
|
```
|
||||||
|
|
@ -302,3 +302,24 @@ CCR.
|
||||||
requirements.
|
requirements.
|
||||||
- CCR approval, apply, verification, and front-door activation form one
|
- CCR approval, apply, verification, and front-door activation form one
|
||||||
reviewable chain.
|
reviewable chain.
|
||||||
|
|
||||||
|
|
||||||
|
## Completion 2026-07-02 — T03 live probe and workplan finish
|
||||||
|
|
||||||
|
T03 closed with live positive and negative evidence from a
|
||||||
|
`credential-change-nonprod-applier` child token (accessor
|
||||||
|
`pCznHtid1O0vy36QHqMbzu5Y`, revoked after use):
|
||||||
|
|
||||||
|
- allowed: `policy_write workload-kv-read-nonprod-probe-test` (test artifact
|
||||||
|
deleted afterwards by the operator session) and `policy_read
|
||||||
|
workload-kv-read-issue-core-runtime`;
|
||||||
|
- denied: `policy_read platform-admin`, out-of-pattern `policy_write
|
||||||
|
evil-probe-test`, KV secret read on the issue-core path, and
|
||||||
|
`auth/token/roles/credential-change-nonprod-applier` write;
|
||||||
|
- all recorded in `/openbao/audit/openbao-audit.log` (2026-07-02T10:09Z
|
||||||
|
window).
|
||||||
|
|
||||||
|
The production applier path was proven the same day: both `CCR-2026-0002`
|
||||||
|
and `CCR-2026-0003` were applied with a `credential-change-prod-applier`
|
||||||
|
child token holding only that policy — no `platform-admin` handoff. All
|
||||||
|
tasks are done; the workplan is finished.
|
||||||
|
|
|
||||||
|
|
@ -157,7 +157,7 @@ applier-dry-run CCR-2026-0002` now blocks only because the CCR is still
|
||||||
|
|
||||||
```task
|
```task
|
||||||
id: RAILIANCE-WP-0009-T03
|
id: RAILIANCE-WP-0009-T03
|
||||||
status: wait
|
status: done
|
||||||
priority: high
|
priority: high
|
||||||
state_hub_task_id: "e8566cf4-bb74-4515-b434-7cbf60f9f684"
|
state_hub_task_id: "e8566cf4-bb74-4515-b434-7cbf60f9f684"
|
||||||
```
|
```
|
||||||
|
|
@ -181,7 +181,7 @@ Acceptance:
|
||||||
|
|
||||||
```task
|
```task
|
||||||
id: RAILIANCE-WP-0009-T04
|
id: RAILIANCE-WP-0009-T04
|
||||||
status: wait
|
status: done
|
||||||
priority: high
|
priority: high
|
||||||
state_hub_task_id: "4990fe6a-ae84-4720-bc8d-e026d73a304b"
|
state_hub_task_id: "4990fe6a-ae84-4720-bc8d-e026d73a304b"
|
||||||
```
|
```
|
||||||
|
|
@ -202,7 +202,7 @@ Acceptance:
|
||||||
|
|
||||||
```task
|
```task
|
||||||
id: RAILIANCE-WP-0009-T05
|
id: RAILIANCE-WP-0009-T05
|
||||||
status: wait
|
status: done
|
||||||
priority: high
|
priority: high
|
||||||
state_hub_task_id: "65e83572-2e46-4196-8f4d-4ab35ba8d1a6"
|
state_hub_task_id: "65e83572-2e46-4196-8f4d-4ab35ba8d1a6"
|
||||||
```
|
```
|
||||||
|
|
@ -226,7 +226,7 @@ Acceptance:
|
||||||
|
|
||||||
```task
|
```task
|
||||||
id: RAILIANCE-WP-0009-T06
|
id: RAILIANCE-WP-0009-T06
|
||||||
status: wait
|
status: progress
|
||||||
priority: medium
|
priority: medium
|
||||||
state_hub_task_id: "0d9a02da-c032-43d5-8019-61ab4d87b40b"
|
state_hub_task_id: "0d9a02da-c032-43d5-8019-61ab4d87b40b"
|
||||||
```
|
```
|
||||||
|
|
@ -274,3 +274,22 @@ Acceptance:
|
||||||
- ops-warden can resolve `issue-core-ingestion-api-key` without storing the
|
- ops-warden can resolve `issue-core-ingestion-api-key` without storing the
|
||||||
value.
|
value.
|
||||||
- No secret values appear in Git, State Hub, chat, prompts, logs, or workplans.
|
- No secret values appear in Git, State Hub, chat, prompts, logs, or workplans.
|
||||||
|
|
||||||
|
|
||||||
|
## Progress 2026-07-02 — approval, apply, verification
|
||||||
|
|
||||||
|
`CCR-2026-0002` approved by bernd.worsch (both required approver roles) with
|
||||||
|
the field-set decision to keep `ISSUE_CORE_API_KEY` and `GITEA_BACKEND_TOKEN`.
|
||||||
|
|
||||||
|
- T03 done: policy `workload-kv-read-issue-core-runtime` and kubernetes auth
|
||||||
|
role applied via the constrained `credential-change-prod-applier` child
|
||||||
|
token (accessor revoked after use); State Hub apply evidence `4a66c84f`.
|
||||||
|
- T04 done: KV entry exists at the approved path (metadata `current_version
|
||||||
|
2`, created 2026-06-25); values were provisioned through operator custody.
|
||||||
|
- T05 done: positive = ExternalSecret `issue-core/issue-core-runtime`
|
||||||
|
Ready=True/SecretSynced (refresh 2026-07-02T09:42Z); negative =
|
||||||
|
default-policy token denied on the KV data path (2026-07-02T10:08Z, probe
|
||||||
|
accessor revoked); both recorded in the file audit device
|
||||||
|
`/openbao/audit/openbao-audit.log`.
|
||||||
|
- T06 progress: front-door handoff sent to ops-warden (State Hub message
|
||||||
|
`5d47caaa-dd3f-496f-94ba-a488722f8d82`); waiting on catalog confirmation.
|
||||||
|
|
|
||||||
|
|
@ -97,7 +97,7 @@ The plan supports these `INTENT.md` principles:
|
||||||
|
|
||||||
```task
|
```task
|
||||||
id: RAILIANCE-WP-0010-T01
|
id: RAILIANCE-WP-0010-T01
|
||||||
status: progress
|
status: done
|
||||||
priority: high
|
priority: high
|
||||||
state_hub_task_id: "307b75a6-a3a8-473b-b171-7379d2848698"
|
state_hub_task_id: "307b75a6-a3a8-473b-b171-7379d2848698"
|
||||||
```
|
```
|
||||||
|
|
@ -170,7 +170,7 @@ CCR is still `proposed`.
|
||||||
|
|
||||||
```task
|
```task
|
||||||
id: RAILIANCE-WP-0010-T03
|
id: RAILIANCE-WP-0010-T03
|
||||||
status: wait
|
status: done
|
||||||
priority: high
|
priority: high
|
||||||
state_hub_task_id: "42796ef5-c4a0-45a7-ae41-0ebdeccdb01d"
|
state_hub_task_id: "42796ef5-c4a0-45a7-ae41-0ebdeccdb01d"
|
||||||
```
|
```
|
||||||
|
|
@ -288,3 +288,19 @@ Acceptance:
|
||||||
- ops-warden can resolve the agreed OpenRouter/llm-connect selector without
|
- ops-warden can resolve the agreed OpenRouter/llm-connect selector without
|
||||||
storing the value.
|
storing the value.
|
||||||
- No secret values appear in Git, State Hub, chat, prompts, logs, or workplans.
|
- No secret values appear in Git, State Hub, chat, prompts, logs, or workplans.
|
||||||
|
|
||||||
|
|
||||||
|
## Progress 2026-07-02 — approval and metadata apply
|
||||||
|
|
||||||
|
`CCR-2026-0003` approved by bernd.worsch (platform-operator +
|
||||||
|
activity-core-owner); T01 closes on that approval with the
|
||||||
|
`openrouter-llm-connect` selector already aligned.
|
||||||
|
|
||||||
|
- T03 done: policy `workload-kv-read-llm-connect-provider-secrets` and
|
||||||
|
kubernetes auth role applied via the constrained prod-applier child token;
|
||||||
|
State Hub apply evidence `04c70285`.
|
||||||
|
- T04 remains the live gate: the KV entry at
|
||||||
|
`platform/workloads/activity-core/llm-connect/llm-connect-provider-secrets`
|
||||||
|
does not exist yet — the operator must enter `OPENROUTER_API_KEY` through
|
||||||
|
OpenBao custody. The activity-core namespace also has no ExternalSecret
|
||||||
|
object for this lane yet. ops-warden checkpoint message: `6b058584`.
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue