Finish HF-WP-0001: custodied runtime key and production API verification

Close T04 after storing the ops-hub runtime key in OpenBao and verifying token
exchange plus hub-registry access. Close T10 after confirming production
Inter-Hub image eed4322 fixes COUNT decode failures for widget creation and
hub-registry reads.
2026-06-19 19:11:28 +02:00
parent 215e62a221
commit 023eb20a14


@@ -4,10 +4,10 @@ type: workplan
title: "Establish ops-hub as the First VSM Inter-Hub Extension"
domain: helix_forge
repo: helix-forge
status: active
status: finished
owner: worsch
created: "2026-05-16"
updated: "2026-06-15"
updated: "2026-06-19"
planning_priority: high
planning_order: 1
related_repos:
@@ -480,7 +480,7 @@ registry checks found all expected ops vocabulary values:
```task
id: HF-WP-0001-T04
status: wait
status: done
priority: high
state_hub_task_id: "ad08e729-8562-4a02-8bf6-dcdfebe430c8"
```
@@ -534,6 +534,23 @@ Current blocker: requires an attended OpenBao root/sudo token handoff, or the
operator storing the local runtime key manually through the browser UI, before
the temp file can be removed and this task can close.
Completed on 2026-06-19:
- Regenerated the display-once runtime key through
`scripts/ops-hub-bootstrap-api.py` after the earlier 0600 temp file was no
longer present.
- Stored the runtime key in OpenBao at
`platform/operators/ops-hub/runtime`, field `OPS_HUB_KEY`, using an approved
operator token. No key values were copied into Git, State Hub, or chat.
- Removed the local runtime-key temp file after successful OpenBao write.
- Verified non-secret acceptance evidence with the custodied runtime key:
- `POST /api/v2/token` exchanges the static key for a short-lived Bearer
token (`expires_in=3600`).
- `GET /api/v2/hub-registry` returns HTTP `200` with the exchanged token.
- `GET /api/v2/widgets` returns all 14 `ops-hub` widgets with the exchanged
token.
- Current runtime key prefix: `c1f3ac3a`.
---
### T05 — Seed first governed ops widgets
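Review bot: The last bullet, "Current runtime key prefix: `c1f3ac3a`", commits part of the runtime key to Git a few bullets after the statement that no key values were copied into Git, State Hub, or chat. If the prefix is a non-secret key identifier, say so in that bullet; if it is the leading characters of the secret itself, drop it and reference the OpenBao path and field instead. The first bullet also records that the key was regenerated but not whether the earlier key was revoked, and the "Current blocker:" paragraph kept as context directly above now reads as an open blocker on a task marked done; one line for each would close those gaps.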
@@ -740,7 +757,7 @@ implementation should happen in `ops-hub`.
```task
id: HF-WP-0001-T10
status: wait
status: done
priority: high
target_repo: inter-hub
state_hub_task_id: "7fa54508-7add-4885-8913-12edaadc4d92"
@@ -909,6 +926,20 @@ Current blocker: publish a Gitea registry image for Inter-Hub commit
Railiance path and rerun the authenticated widget-create and hub-registry
smoke checks. Railiance-apps no longer appears to be the blocking surface.
Completed on 2026-06-19:
- Production Inter-Hub now runs image
`gitea.coulomb.social/coulomb/inter-hub:eed4322`, which is ahead of the
`5101eb5` COUNT-decode fix commit.
- Authenticated `GET /api/v2/hub-registry` returns HTTP `200` with the
bootstrap operator key and with a runtime key exchanged through
`POST /api/v2/token`.
- Authenticated `POST /api/v2/widgets` succeeds through the public API; a smoke
widget was created and deleted without using direct DB access.
- Result: the next VSM hub can bootstrap through the documented v2 API surface
without the earlier `COUNT(*)` decode failure class blocking widget creation
or hub-registry reads.
## Initial Acceptance Criteria
This workplan is complete when:
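Review bot: The second bullet verifies `GET /api/v2/hub-registry` with the bootstrap operator key as well as with the exchanged runtime key, but nothing in the added block says what happens to the bootstrap key now that the runtime key is custodied. State whether it stays active, or add its retirement as a follow-up item. In the first bullet, `eed4322` is a registry tag; recording the image digest next to it, and how "ahead of the `5101eb5` COUNT-decode fix commit" was checked, would make the evidence reproducible.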
@@ -1104,6 +1135,21 @@ Remaining operator action:
- Track/fix the Inter-Hub `COUNT(*)` decode issues before declaring the next
VSM hub fully scriptable through the public API.
### 2026-06-19 — HF-WP-0001 closed out
Closed the remaining bootstrap custody and production verification gaps:
- Stored the `ops-hub` runtime key in OpenBao at
`platform/operators/ops-hub/runtime` and removed the local temp file.
- Verified runtime-key token exchange, hub-registry reads, and widget listing
through the public Inter-Hub API.
- Confirmed production Inter-Hub image `eed4322` includes the deployed
COUNT-decode fix path; authenticated widget creation and hub-registry reads
now succeed without SQL fallback.
No API keys, OpenBao tokens, or secret values were copied into Git, State Hub,
chat, or workplan text.
## Notes
`ops-hub` should complement State Hub during the transition:
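Review bot: The third bullet of the new log entry says widget creation and hub-registry reads succeed "without SQL fallback", a term the T10 evidence in this commit does not use (it says the smoke widget was created and deleted "without using direct DB access"). Use one wording in both places so the log entry can be traced to the recorded check. The first bullet also leaves out that the runtime key was regenerated before being stored, which T04 records, and the "Remaining operator action" item kept as context above could get a pointer to this entry.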