Record WP-0026 T07 promotion evidence (no secret values), mark the
offsite backup lane front door resolvable/ready, and add OpenBao policy
agent-high-risk-boundary for coding-agent metadata-only access.
Adds collect_live_cluster_versions() — enumerates pod container images via
kubectl and protects any forgejo.coulomb.social/coulomb/<name>:<tag>. Closes the
gap where CI-deployed apps (e.g. state-hub) pin a live tag absent from Helm
values. On by default (--no-protect-live to skip); emits protection_notes +
live_protection in the JSON summary so consumers can detect reduced coverage.
Verified against production: protects state-hub/vergabe/issue-core live tags.
ACTIVITY-WP-0020 T07 (partial — see workplan note re multi-cluster coverage).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Forgejo has no per-package /versions endpoint — the list endpoint returns one
entry per (name, version). build_delete_plans now groups list results by name
instead of calling a 404ing /versions sub-path. Removed dead list_versions/_paginate.
Added retry + longer timeout to _api_request for slow/large registry listings
(container list was timing out). Updated fixture test to the grouped model.
Dry-run now clean: 29 candidate deletions across 5 container packages, 0 errors
(was 53× HTTP 404). ACTIVITY-WP-0020 T02 fix; enable/apply still gated on
protection-coverage review (T05).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Establish proposed workload-kv-read custody for the Forgejo site-admin
PAT at platform/workloads/forgejo/forgejo-admin, sibling to forgejo-mailer.
OIDC workstation fetch mirrors the railiance-backup-offsite pattern.
List and optionally delete package versions beyond the newest three,
protecting production Helm image tags. Adds Make targets and unit tests
for ACTIVITY-WP-0020.
Remove interim ClusterSecretStores (forgejo, activity-core, reuse) from
coulombcore ArgoCD kustomization. Those stores target railiance01 namespaces
and are bootstrapped via railiance-apps/activity-core Make targets.
ArgoCD was still tracking gitea.coulomb.social, which lags Forgejo after the
registry migration. Sync issue-core workload manifests from forgejo.coulomb.social
so backend ConfigMap updates land on CoulombCore.
Also allow forgejo.coulomb.social in railiance-tenants AppProject sourceRepos.
Sync AGENTS.md, CLAUDE.md, and .claude/rules from updated project_rules
templates: workplan-first session protocol, legacy terminology footnote,
and GET /workplans/ examples.
Switch openbao-activity-core ClusterSecretStore to interim coulombcore
token auth like forgejo/reuse, broaden the activity-core ESO policy to
include the shared issue-core runtime path, and document ESO-managed rotation.
RAILIANCE-WP-0011-T01: propose OpenBao path
platform/workloads/reuse/reuse-surface/runtime-secrets with
REUSE_SURFACE_TOKEN and REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET, matching
read policy, and metadata review for Railiance01 interim ESO delivery.
RAILIANCE-WP-0011 plans migration of REUSE_SURFACE_TOKEN and
REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET from bootstrap K8s Secret custody to
OpenBao KV plus External Secrets, following the issue-core lane pattern.
Add Burstable CPU/memory requests and relax liveness/readiness probes so
pg_dump and forgejo-backup I/O no longer trip :8000 health checks on the
~4Gi railiance01 node (was BestEffort with 5 probe-driven restarts).
Add workload KV lane for Nextcloud WebDAV token, URL, and age recovery
escrow at platform/workloads/railiance/backup/offsite-lane. Apply read
policy and OIDC role railiance-backup-workload-kv-read; wire forgejo-backup
to load credentials from OpenBao when env is unset.
Introduce external-secrets-forgejo policy/role, ClusterSecretStore
openbao-forgejo (forgejo namespace), and make openbao-configure-external-secrets-forgejo.
Honest first-pass maturity vector grounded in README/docs/tests present
in this repo; no invented evidence. Flagged for human review before
publish. See reuse-surface history/2026-07-06-coverage-classification.md.
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Commented seal "transit" stanza in the OpenBao server config plus an
'Auto-Unseal via Transit Seal' doc section covering provisioning, seal
migration, pod-restart proof, and the net-kingdom console evidence flags.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Helper-side preflight scope is complete and unit-tested; the live flex-auth
deny capability is re-scoped to flex-auth-side work (capability request
893ff109). Autonomous decision, documented in the task note for easy revert.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>