Wire ops inventory probes for Railiance

k8s/railiance/20-runtime.yaml

@@ -15,6 +15,9 @@ data:
   ISSUE_CORE_URL: http://issue-core.issue-core.svc.cluster.local:8010
   ISSUE_SINK_TYPE: "null"
   ACTIVITY_DEFINITION_DIRS: /etc/activity-core/external-definitions
+  OPS_INVENTORY_PATH: /etc/activity-core/ops/service-inventory.yml
+  INTER_HUB_URL: ""
+  OPS_HUB_WIDGET_MAPPING: ""
   PROMETHEUS_BIND_ADDR: 0.0.0.0:9090
   ACTIVITY_CURATOR_GATE: disabled
 ---
@@ -58,6 +61,219 @@ data:
 
     Kubernetes projection of the Custodian-owned definition in
     `/home/worsch/the-custodian/activity-definitions/hourly-recently-on-scope.md`.
+  ops-service-inventory-probes.md: |
+    ---
+    id: "40d15a87-7ff6-4d8e-992c-37df15f95110"
+    name: "Ops Service Inventory Probes"
+    type: activity-definition
+    version: "0.1"
+    enabled: false
+    owner: custodian
+    governance: custodian
+    status: proposed
+    created: "2026-06-05"
+    trigger:
+      type: cron
+      cron_expression: "15 * * * *"
+      timezone: Europe/Berlin
+      misfire_policy: skip
+    context_sources:
+      - type: ops-inventory
+        query: probe_services
+        required: false
+        params:
+          inventory_path: /etc/activity-core/ops/service-inventory.yml
+          timeout_seconds: 10
+          include_kinds:
+            - http
+            - https
+          allow_network: true
+          evidence_sinks:
+            - type: state-hub-progress
+              event_type: ops_inventory_probe
+              author: activity-core
+        bind_to: context.ops_inventory_probe
+    ---
+
+    # ActivityDefinition: Ops Service Inventory Probes
+
+    Disabled Railiance projection of the Custodian-owned definition in
+    `/home/worsch/the-custodian/activity-definitions/ops-service-inventory-probes.md`.
+    Keep disabled until ops-hub Inter-Hub evidence intake is active.
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: actcore-ops-service-inventory
+  namespace: activity-core
+  labels:
+    app.kubernetes.io/name: activity-core
+    app.kubernetes.io/part-of: activity-core
+data:
+  service-inventory.yml: |
+    version: 1
+    last_reviewed: "2026-06-05"
+    policy:
+      non_secret_inventory: true
+      source_of_truth: "/home/worsch/the-custodian/ops/service-inventory.yml"
+      projection: "Railiance activity-core ConfigMap snapshot for disabled probes"
+    environments:
+      - id: local
+        name: "Local Workstation"
+        role: "Workstation development and local operations"
+        lifecycle_state: observed
+      - id: coulombcore
+        name: "CoulombCore"
+        role: "Transitional production-like runtime"
+        lifecycle_state: observed
+      - id: railiance01
+        name: "Railiance01"
+        role: "First ThreePhoenix foundation node"
+        lifecycle_state: observed
+      - id: threephoenix-prod
+        name: "ThreePhoenix Production"
+        role: "Target governed production topology"
+        lifecycle_state: planned
+    hosts:
+      - id: local-workstation
+        environment: local
+        role: "State Hub and operator workstation runtime"
+      - id: coulombcore
+        environment: coulombcore
+        address: "92.205.130.254"
+        role: "Current live production-like server"
+      - id: railiance01
+        environment: railiance01
+        address: "92.205.62.239"
+        role: "First ThreePhoenix foundation node"
+    clusters:
+      - id: coulombcore-k3s
+        environment: coulombcore
+        host: coulombcore
+        kind: k3s
+        lifecycle_state: observed
+      - id: railiance01-k3s
+        environment: railiance01
+        host: railiance01
+        kind: k3s
+        lifecycle_state: observed
+    services:
+      - id: gitea
+        name: "Gitea"
+        kind: application
+        lifecycle_state: observed
+        health_status: unknown
+        environment: coulombcore
+        owner_repos:
+          - railiance-apps
+        runtime:
+          type: k3s
+          cluster: coulombcore-k3s
+          namespace: default
+        endpoints:
+          - id: gitea-oci-registry
+            type: https
+            url: "https://gitea.coulomb.social/v2/"
+            expected_status: 401
+            expected_signal: "OCI registry auth challenge"
+            widget_ref: "ops:endpoint:gitea-registry"
+        backing_stores:
+          - "database:gitea-db"
+          - "pvc:default/gitea-shared-storage"
+        access_paths:
+          - type: k8s
+            target: "coulombcore-k3s/default"
+            status: unknown
+        evidence: []
+        gaps:
+          - "Backup and restore evidence for database and shared storage not recorded in ops inventory."
+      - id: state-hub
+        name: "State Hub"
+        kind: coordination-service
+        lifecycle_state: observed
+        health_status: observed_ok
+        environment: local
+        owner_repos:
+          - state-hub
+          - the-custodian
+        runtime:
+          type: local-process
+          host: local-workstation
+        endpoints:
+          - id: state-hub-local-api
+            type: http
+            url: "http://actcore-state-hub-bridge:8000/state/health"
+            expected_status: 200
+            expected_signal: "health response"
+        backing_stores:
+          - "postgresql:state-hub"
+        access_paths:
+          - type: http
+            target: "http://actcore-state-hub-bridge:8000"
+            status: observed_ok
+        evidence: []
+        gaps:
+          - "Future cluster deployment readiness still needs ops evidence."
+      - id: inter-hub
+        name: "Inter-Hub"
+        kind: governance-service
+        lifecycle_state: observed
+        health_status: unknown
+        environment: threephoenix-prod
+        owner_repos:
+          - inter-hub
+        runtime:
+          type: external
+          public_endpoint: "https://hub.coulomb.social"
+        endpoints:
+          - id: inter-hub-openapi
+            type: https
+            url: "https://hub.coulomb.social/api/v2/openapi.json"
+            expected_status: 200
+            expected_signal: "OpenAPI document"
+          - id: inter-hub-ui
+            type: https
+            url: "https://hub.coulomb.social/Hubs"
+            expected_status: 302
+            expected_signal: "login redirect when unauthenticated"
+        backing_stores: []
+        access_paths:
+          - type: https
+            target: "https://hub.coulomb.social"
+            status: unknown
+        evidence: []
+        gaps:
+          - "ops-hub bootstrap requires authenticated UI flow or deployment-side migration."
+      - id: activity-core
+        name: "activity-core"
+        kind: automation-service
+        lifecycle_state: observed
+        health_status: observed_ok
+        environment: railiance01
+        owner_repos:
+          - activity-core
+          - the-custodian
+        runtime:
+          type: k3s
+          cluster: railiance01-k3s
+          namespace: activity-core
+        endpoints:
+          - id: activity-core-api
+            type: cluster-http
+            url: "http://actcore-api:8010/health"
+            expected_status: 200
+            expected_signal: "db"
+        backing_stores:
+          - "postgresql:activity-core"
+          - "temporal:activity-core"
+          - "nats:railiance01"
+        access_paths:
+          - type: k8s
+            target: "railiance01-k3s/activity-core"
+            status: observed_ok
+        evidence: []
+        gaps:
+          - "Add explicit ops inventory probes and evidence events."
 ---
 apiVersion: v1
 kind: Service
@@ -360,10 +576,16 @@ spec:
             - name: external-activity-definitions
               mountPath: /etc/activity-core/external-definitions/activity-definitions
               readOnly: true
+            - name: ops-service-inventory
+              mountPath: /etc/activity-core/ops
+              readOnly: true
       volumes:
         - name: external-activity-definitions
           configMap:
             name: actcore-external-activity-definitions
+        - name: ops-service-inventory
+          configMap:
+            name: actcore-ops-service-inventory
 ---
 apiVersion: apps/v1
 kind: Deployment

k8s/railiance/README.md

@@ -16,6 +16,14 @@ name and access policy.
 The runtime image tag is `activity-core:railiance01-prod` and is expected to be
 loaded into the railiance01 K3s containerd image store.
 
+`20-runtime.yaml` also projects the disabled Custodian-owned
+`ops-service-inventory-probes.md` ActivityDefinition and a non-secret
+`actcore-ops-service-inventory` ConfigMap snapshot. The source of truth for the
+inventory remains `/home/worsch/the-custodian/ops/service-inventory.yml`; update
+the ConfigMap projection from that file before enabling the probe schedule.
+`OPS_HUB_KEY` is created only as an empty Secret placeholder until the operator
+provisions the Inter-Hub ops-hub key.
+
 ## Deploy
 
 ```bash

k8s/railiance/bootstrap-secrets.sh

@@ -36,5 +36,6 @@ if ! secret_exists actcore-runtime-secret; then
   kubectl -n "$NS" create secret generic actcore-runtime-secret \
     --from-literal=ACTCORE_DB_URL="$ACTCORE_DB_URL" \
     --from-literal=WEBHOOK_SECRET_GITEA="" \
-    --from-literal=WEBHOOK_SECRET_GITHUB=""
+    --from-literal=WEBHOOK_SECRET_GITHUB="" \
+    --from-literal=OPS_HUB_KEY=""
 fi