docs(access): gate ACCESS.md in checklist + new-role runbook (ADR-021)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
parent 384b94e34b
commit 649925b303
2 changed files with 17 additions and 1 deletions
@ -91,7 +91,19 @@ For a **service** role, copy `docs/testing/service-verify-template.md` to
Level 4 `/verify-service` check (ADR-008 / ADR-017) and is part of the pre-production
service-clearance gate (`docs/security/service-checklist.md`).
### 11. Commit
### 11. Write the per-service operational-access record (services)
For a **service** role, copy `docs/access/service-access-template.md` to
`roles/<rolename>/ACCESS.md` and populate the role's `access__*` data
(`access__service`, `access__compose_project`/`_path`, `access__containers`,
`access__log.loki_labels`, and `access__api` — `enabled` + endpoint + `firewall_ref` +
`auth.vault_ref` + `health_path`, or `enabled: false` with a reason). `ACCESS.md` is
rendered from that data; the admin-API path must `firewall_ref` an entry in the
`group_vars` firewall catalog, never open a port itself (ADR-020/021). Once hosts exist,
`/check-access <rolename>` proves the documented paths are live — part of the
service-clearance gate (`docs/security/service-checklist.md`).
### 12. Commit
```bash
git checkout -b role/<rolename>
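Review bot: step 11 tells the reader both to copy `docs/access/service-access-template.md` to `roles/<rolename>/ACCESS.md` and that `ACCESS.md` "is rendered from that data"; say which it is (a hand-populated copy, or a generated artefact) and, if generated, name the render step so the checked-in file and the `access__*` data cannot drift apart. The `enabled: false` branch also has no verification counterpart: `/check-access <rolename>` is described as proving documented paths are live, so consider stating that for a disabled admin API it should confirm no endpoint is reachable, or that the recorded reason is reviewed as part of the gate rather than accepted on its own.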
@ -51,6 +51,10 @@ This checklist is the generic **bar**. Each service answers it in its own
- [ ] Passed Level 4 service-UI verification (`/verify-service`) against staging — the
service has a populated `roles/<service>/VERIFY.md` and its critical journeys
verified (ADR-008 Level 4 / ADR-017)
- [ ] Operational access recorded and verifiable (ADR-021): the role carries `access__*`
data, `roles/<service>/ACCESS.md` is rendered, and `/check-access` reports the
documented paths green — or a deviation is recorded in
`docs/security/accepted-risks.md`
> Deviations are allowed but must be **conscious**: record them in
> `docs/security/accepted-risks.md`, don't leave them implicit.
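Review bot: the new ADR-021 item lets a single recorded deviation satisfy all three sub-conditions at once, so a role with no `access__*` data and no rendered `roles/<service>/ACCESS.md` could clear the gate on an accepted-risks entry alone. Consider requiring the data and the rendered file unconditionally and allowing the deviation only for the `/check-access` result (the case the runbook already anticipates with "once hosts exist"). The item should also name the environment in which `/check-access` must report green; the preceding Level 4 item says "against staging" and this one does not, leaving it open whether a pass on a developer host counts.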