Bound break-glass and operator-specific compatibility paths

[shiny-code-bot]

Current Status

Current focus: bounded compatibility paths in small, reviewable slices.

Done:

• Bound direct Dokploy rollback break-glass #1061 / PR Add identity access inputs to ingress dry run #1062 bounded the Launchplane self-deploy break-glass rollback fallback.
• Move seed writes to manual import workflow #1064 / PR Move ingress provider env wiring behind adapter #1066 moved ingress provider env/client construction behind the ingress provider adapter.
• Bound local owner product-config grants #1067 / PR Scope local operator product config grants #1068 scoped local-operator product-config grants instead of defaulting to wildcard product/context grants.
• Replace reusable workflow Launchplane URL/audience defaults #1069 / PR Configure Launchplane workflow service identity #1070 replaced hard-coded workflow Launchplane service URL/audience defaults with configured workflow service identity.
• PR Harden direct Dokploy rollback break-glass #1074 hardened the manual direct Dokploy rollback path: blank rollback image/reason now fail before mutation, and the operator reason is passed into the reviewable break-glass evidence JSON.
• PR Bound local operator product-config grant scopes #1075 removed the deploy-time seed catalog fallback for routine local-operator product-config grant scopes. Deploy now skips local-operator product-config grant reconciliation when LAUNCHPLANE_LOCAL_OPERATOR_PRODUCT_CONFIG_SCOPES_JSON is unset or empty, fails malformed explicit JSON, and keeps seed catalogs as explicit import material rather than deploy-time authority.
• PR Narrow product onboarding apply authority #1076 narrowed product onboarding seed import authority. /v1/product-onboarding/apply now requires dedicated product_onboarding.apply authority, the seed-import workflow is granted that action instead of broad launchplane_service_deploy.execute, and tests reject self-deploy authority on the onboarding route.
• PR Remove runtime key-safety deploy fallback #1077 removed the runtime key-safety policy apply compatibility fallback to launchplane_service_deploy.execute. /v1/runtime-key-safety/policies/apply now requires dedicated runtime_key_safety.write authority, and tests reject self-deploy authority on the route.
• PR Narrow merge train policy import authority #1078 narrowed merge-train policy import authority. /v1/merge-train/policies/import now requires dedicated merge_train.policy_import authority, the import workflow is granted that action instead of broad launchplane_service_deploy.execute, and tests reject self-deploy authority on the route.
• PR Seed authz policy grant authority #1079 staged dedicated authz policy grant authority. The deploy grant script now reconciles authz_policy_grant.write for deploy-launchplane.yml on both manual dispatch and automatic CI-success deploy entrypoints; Deploy Launchplane succeeded at 1fab8bae, so the staged grant is present in the live DB.
• PR Narrow authz grant maintenance authority #1080 narrowed authz policy grant maintenance authority. The five /v1/authz-policies/*/grants routes now require authz_policy_grant.write, /v1/drivers/launchplane/self-deploy remains on launchplane_service_deploy.execute, and tests reject self-deploy authority on policy-grant maintenance.
• PR Add GitHub Actions authz rule removals #1081 added a service-backed exact GitHub Actions authz rule removal route and CLI client. The route requires authz_policy_grant.write, supports dry-run/apply, writes audited active policy records only on apply, and rejects self-deploy authority.
• PR Remove stale import workflow authz rules #1082 used the already-authorized deploy workflow identity to remove stale broad launchplane_service_deploy.execute rules for merge-train-policy-import.yml and launchplane-seed-import.yml. Deploy Launchplane run 26765763919 succeeded on 8c2f6acb; each removal matched 1 and removed 1, dropping active GitHub Actions authz rules from 145 to 143.
• PR Remove one-shot authz cleanup #1083 removed the one-shot deploy cleanup code after successful application, leaving a regression assertion that the stale broad import workflow rules and temporary removal calls are not restored. Post-merge CI, Security, CodeQL, and Deploy Launchplane succeeded on f400caea.

Validation for #1081-#1083:

• Targeted local unit tests for authz removal service helpers, service routes, CLI request shape, deploy-script cleanup request shape, and post-cleanup regression behavior passed.
• shellcheck -x scripts/deploy/ensure-authz-grants.sh passed where shell changes were made.
• uv run --extra dev ruff check passed for changed Python tests.
• npx --no-install markdownlint-cli2 docs/operations.md docs/service-boundary.md passed for docs slices.
• git diff --check passed.
• JetBrains changed-file inspection was clean for each PR.
• GitHub CI, Security, CodeQL, and Deploy Launchplane passed after each merge through Remove one-shot authz cleanup #1083.

Next candidate slices:

• Verify whether any remaining launchplane_service_deploy.execute grant outside the actual self-deploy route is still persisted and reachable. If any remain, use the service-backed removals route rather than adding a fallback.
• Continue provider-neutral deploy/Dokploy contract work under Keep provider adapter seams real #1065 instead of expanding Bound break-glass and operator-specific compatibility paths #1049.

Notes:

• Existing DB-backed local-operator product-config grants are not revoked by Bound local operator product-config grant scopes #1075; that PR removes deploy-time authority expansion from seed material.
• The import-workflow broad self-deploy grants identified in Bound break-glass and operator-specific compatibility paths #1049 have now been removed from the live DB, and the normal deploy grant reconciler no longer carries the temporary cleanup code.
• Local worktree cleanup remains separate from product behavior; several preserved auto-review worktrees are intentionally not blocking.

Acceptance Criteria

• Direct provider fallback paths are removed or emit equivalent service-backed audit/evidence.
• Reusable workflows do not hard-code real tenant/product/domain/operator defaults except in approved fixtures/import material.
• Authz grant seeding is data-driven or backed by typed helpers instead of large shell manifests with embedded real values.
• Compatibility paths have explicit retirement criteria and tests preventing quiet reintroduction.

Target Areas

• .github/workflows/deploy-launchplane.yml
• .github/workflows/reusable-*.yml
• scripts/deploy/ensure-authz-grants.sh
• docs/compatibility-retirement.md
• coding-standards guard tests

Finish Line

Emergency provider mutations, operator-specific workflow defaults, and seed manifests are explicit, auditable, and removable instead of quiet alternate authorities.

[cbusillo]

Update 2026-05-31: First #1049 slice shipped via #1061 and deployed at merge commit 91a5788. Live health is ok with trace launchplane_req_9a428bf8d887442d8c28befb2bad7b22.

What changed: automatic failed self-deploy rollback no longer mutates Dokploy directly. Normal rollback stays on the Launchplane service route; direct Dokploy rollback is now a manual break-glass job guarded by exact confirmation inputs, previous image reference, operator reason, fail-closed script gating, and an uploaded evidence artifact.

Remaining #1049 work from the agent audit:

• Move deploy-time product onboarding/runtime-key-safety seed catalogs out of normal deploy reconciliation.
• Bound local owner/operator compatibility grants to configured product/context scope or split them into an explicit bootstrap/import flow.
• Replace hard-coded Launchplane URL/audience defaults in reusable workflows with configured inputs/vars while preserving product repo compatibility.
• Continue retiring omit_* compatibility deploy inputs as their downstream env contracts stabilize.

[cbusillo]

Update 2026-05-31: Second #1049 slice shipped via #1064 and deployed at merge commit ea0dd94. Live health is ok with trace launchplane_req_bb1c814b75ae4fac9da567380afb27a6.

What changed: normal Launchplane deploy no longer reapplies product onboarding manifests or runtime key-safety policies. Those mutable DB records now live behind explicit import material in import-material/launchplane/seed-imports/ and a manual Launchplane Seed Import workflow with dry-run default, apply confirmation, OIDC service calls, reason, and evidence artifacts.

Remaining #1049 work:

• Bound local owner/operator compatibility grants, especially wildcard product_config plan/apply grants.
• Replace hard-coded Launchplane URL/audience defaults in reusable workflows with configured inputs/vars while preserving product repo compatibility.
• Continue retiring omit_* compatibility deploy inputs as downstream runtime env contracts stabilize.
• Consider a typed import catalog module if more import-material workflows appear; avoid re-growing shell manifests.