docs(access): gate ACCESS.md in checklist + new-role runbook (ADR-021)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
384b94e34b
commit
649925b303
2 changed files with 17 additions and 1 deletions
|
|
@ -91,7 +91,19 @@ For a **service** role, copy `docs/testing/service-verify-template.md` to
|
||||||
Level 4 `/verify-service` check (ADR-008 / ADR-017) and is part of the pre-production
|
Level 4 `/verify-service` check (ADR-008 / ADR-017) and is part of the pre-production
|
||||||
service-clearance gate (`docs/security/service-checklist.md`).
|
service-clearance gate (`docs/security/service-checklist.md`).
|
||||||
|
|
||||||
### 11. Commit
|
### 11. Write the per-service operational-access record (services)
|
||||||
|
|
||||||
|
For a **service** role, copy `docs/access/service-access-template.md` to
|
||||||
|
`roles/<rolename>/ACCESS.md` and populate the role's `access__*` data
|
||||||
|
(`access__service`, `access__compose_project`/`_path`, `access__containers`,
|
||||||
|
`access__log.loki_labels`, and `access__api` — `enabled` + endpoint + `firewall_ref` +
|
||||||
|
`auth.vault_ref` + `health_path`, or `enabled: false` with a reason). `ACCESS.md` is
|
||||||
|
rendered from that data; the admin-API path must `firewall_ref` an entry in the
|
||||||
|
`group_vars` firewall catalog, never open a port itself (ADR-020/021). Once hosts exist,
|
||||||
|
`/check-access <rolename>` proves the documented paths are live — part of the
|
||||||
|
service-clearance gate (`docs/security/service-checklist.md`).
|
||||||
|
|
||||||
|
### 12. Commit
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
git checkout -b role/<rolename>
|
git checkout -b role/<rolename>
|
||||||
|
|
|
||||||
|
|
@ -51,6 +51,10 @@ This checklist is the generic **bar**. Each service answers it in its own
|
||||||
- [ ] Passed Level 4 service-UI verification (`/verify-service`) against staging — the
|
- [ ] Passed Level 4 service-UI verification (`/verify-service`) against staging — the
|
||||||
service has a populated `roles/<service>/VERIFY.md` and its critical journeys
|
service has a populated `roles/<service>/VERIFY.md` and its critical journeys
|
||||||
verified (ADR-008 Level 4 / ADR-017)
|
verified (ADR-008 Level 4 / ADR-017)
|
||||||
|
- [ ] Operational access recorded and verifiable (ADR-021): the role carries `access__*`
|
||||||
|
data, `roles/<service>/ACCESS.md` is rendered, and `/check-access` reports the
|
||||||
|
documented paths green — or a deviation is recorded in
|
||||||
|
`docs/security/accepted-risks.md`
|
||||||
|
|
||||||
> Deviations are allowed but must be **conscious**: record them in
|
> Deviations are allowed but must be **conscious**: record them in
|
||||||
> `docs/security/accepted-risks.md`, don't leave them implicit.
|
> `docs/security/accepted-risks.md`, don't leave them implicit.
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue