Compare commits

13 Commits

Author SHA1 Message Date
8a7b8fd165 chore(consistency): sync task status from DB [auto]
Some checks failed
Build and Deploy / build-push-deploy (push) Failing after 2m16s
Updated by fix-consistency on 2026-06-22:
  - update .custodian-brief.md for ihp-railiance-probe
2026-06-22 23:22:30 +02:00
994c764d37 Normalize agent instructions and workplan frontmatter (STATE-WP-0067)
Some checks failed
Build and Deploy / build-push-deploy (push) Has been cancelled
- Align agent files with on-disk workplan prefixes (infer from workplan ids)
- Set workplan domain to registered domain_slug; add topic_slug where applicable
- Repair frontmatter delimiter formatting; migrate legacy task status literals
- Regenerate AGENTS.md, CLAUDE.md, and .claude/rules from State Hub templates
2026-06-22 23:16:25 +02:00
049ae0abe3 Add .repo-classification.yaml (CUST-WP-0050 T11 agent first-pass)
Some checks failed
Build and Deploy / build-push-deploy (push) Has been cancelled
2026-06-22 17:47:37 +02:00
84b1a3d23b Add credential routing instructions for all agent runtimes
Some checks failed
Build and Deploy / build-push-deploy (push) Failing after 2m14s
Propagate shared credential-routing section (Codex, Claude, Grok, llm-connect)
from state-hub template via scripts/propagate_credential_routing.py.
2026-06-18 22:48:38 +02:00
11dc2baaf2 Add capability registry scaffold (REUSE-WP-0014-T04 B02)
Some checks failed
Build and Deploy / build-push-deploy (push) Failing after 2m15s
Empty helix_forge registry layout for federation publishing.
2026-06-16 01:52:50 +02:00
b74a501e7c Document probe scope
Some checks failed
Build and Deploy / build-push-deploy (push) Has been cancelled
2026-06-05 00:56:34 +02:00
537a1d6673 Refresh agent instruction files
Some checks failed
Build and Deploy / build-push-deploy (push) Has been cancelled
2026-05-18 16:55:42 +02:00
d0162d5222 chore: mark T12 done — CI pipeline verified end-to-end (run #2297)
All checks were successful
Build and Deploy / build-push-deploy (push) Successful in 38s
Gitea Actions build-and-deploy workflow ran successfully without manual
intervention: checkout → nix build → skopeo push → helm deploy all passed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-08 00:01:40 +02:00
0cc186af5a fix(ci): authenticate git clone with Gitea token
All checks were successful
Build and Deploy / build-push-deploy (push) Successful in 1m12s
2026-05-07 23:51:32 +02:00
64c40f05ec fix(ci): replace actions/checkout with local Gitea clone (no GitHub access from haskelseed)
Some checks failed
Build and Deploy / build-push-deploy (push) Failing after 1h35m31s
2026-05-07 22:15:51 +02:00
6bbfd7430b chore(consistency): sync task status from DB [auto]
Some checks failed
Build and Deploy / build-push-deploy (push) Failing after 11m9s
Updated by fix-consistency on 2026-05-07:
  - IRP-WP-0001-T12: todo → blocked
2026-05-07 12:01:07 +02:00
84f0431c6c ci: re-trigger after installing node on haskelseed runner
Some checks failed
Build and Deploy / build-push-deploy (push) Has been cancelled
2026-05-07 09:18:56 +02:00
477b024db5 Merge pull request 'feat(ci): Gitea Actions build-and-deploy pipeline' (#1) from feat/ci-gitea-actions into main
Some checks failed
Build and Deploy / build-push-deploy (push) Failing after 3m56s
2026-05-07 06:18:22 +00:00
17 changed files with 504 additions and 93 deletions

View File

@@ -5,4 +5,4 @@
## Quick Reference ## Quick Reference
`~/the-custodian/state-hub/mcp_server/TOOLS.md` — MCP tool reference `~/state-hub/mcp_server/TOOLS.md` — MCP tool reference

View File

@@ -0,0 +1,50 @@
# Credential and access routing
**Audience:** Codex, Claude Code, Grok, and custodian agents that call **llm-connect**
for inference. Run this check **before** requesting secrets, API keys, SSH access,
login tokens, or database passwords — in any repo, not only `ops-warden`.
ops-warden **issues SSH certificates only** (`warden sign`, `cert_command`). Every
other credential need belongs to another subsystem. **Do not** message
`ops-warden` on State Hub expecting a secret value; the reply is a pointer, not a key.
### Lookup (do this first)
```bash
warden route find "<describe your need>" --json
warden route show <catalog-id> --json
```
Requires the `warden` CLI from `~/ops-warden` (`uv tool install .` or `uv run warden`).
| Agent runtime | How to orient |
| --- | --- |
| **Codex / Grok** (shell, HTTP State Hub) | `warden route` commands above; inbox `to_agent=ihp-railiance-probe` is for coordination, not secret vending |
| **Claude Code** (MCP when available) | `get_domain_summary("custodian")` for workstreams; **still** use `warden route` for credential ownership |
| **llm-connect** (inference service) | Never put secret retrieval in prompts; route custody to OpenBao/operator paths surfaced by `warden route` |
### Quick routing table
| I need… | Owner | ops-warden executes? |
| --- | --- | --- |
| SSH cert (`adm`/`agt`/`atm`) | ops-warden | **Yes**`warden sign` |
| API key, DB password, provider token | OpenBao (`railiance-platform`) | No — route only |
| Login / OIDC / MFA | key-cape / Keycloak | No — route only |
| Authorization decision | flex-auth | No — route only |
| activity-core → issue-core emission | activity-core + issue-core | No — `warden route show activity-core-issue-sink` |
| SSH tunnel | ops-bridge (+ `cert_command` from warden) | No — route only |
### Anti-patterns (do not do these)
- `POST /messages/` to `ops-warden` asking for `ISSUE_CORE_API_KEY`, `OPENROUTER_API_KEY`, etc.
- Inventing `warden secret`, `warden login`, `warden bao`, `warden tunnel` — they do not exist
- Pasting secrets into Git, State Hub, workplans, logs, or chat
### Other capabilities (reuse-surface)
Non-credential capabilities are usually discovered through **reuse-surface** federation
(`reuse-surface` registry / `capability.*` indexes). Credential routing is inlined in
every repo's agent instructions because it is high-frequency, high-risk, and easy to
get wrong.
**Canon:** `~/ops-warden/wiki/CredentialRouting.md` · catalog `~/ops-warden/registry/routing/catalog.yaml`

View File

@@ -1,11 +1,11 @@
## First Session Protocol ## First Session Protocol
Triggered when `get_domain_summary("stack")` shows **no workstreams**. Triggered when `get_domain_summary("infotech")` shows **no workstreams**.
The project is registered but work has not yet been structured. The project is registered but work has not yet been structured.
**Step 1 — Read, don't write** **Step 1 — Read, don't write**
- `~/the-custodian/canon/projects/stack/project_charter_v0.1.md` — purpose, scope - `~/the-custodian/canon/projects/infotech/project_charter_v0.1.md` — purpose, scope
- `~/the-custodian/canon/projects/stack/roadmap_v0.1.md` — planned phases - `~/the-custodian/canon/projects/infotech/roadmap_v0.1.md` — planned phases
- Scan repo root: README, directory structure, existing code or docs - Scan repo root: README, directory structure, existing code or docs
**Step 2 — Survey in-progress work** **Step 2 — Survey in-progress work**
@@ -17,20 +17,20 @@ roadmap phase. **Wait for approval before creating.**
**Step 4 — Create workplan file first, then DB record (ADR-001)** **Step 4 — Create workplan file first, then DB record (ADR-001)**
``` ```
workplans/ihp-railiance-probe-WP-NNNN-<slug>.md ← write this first workplans/IRP-WP-NNNN-<slug>.md ← write this first
``` ```
Then register in the hub: Then register in the hub:
``` ```
create_workstream(topic_id="(none)", title="...", owner="...", description="...") create_workstream(topic_id="cee7bedf-2b48-46ef-8601-006474f2ad7a", title="...", owner="...", description="...")
create_task(workstream_id="<id>", title="...", priority="high|medium|low") create_task(workstream_id="<id>", title="...", priority="high|medium|low")
``` ```
**Step 5 — Record the setup** **Step 5 — Record the setup**
``` ```
add_progress_event( add_progress_event(
summary="First session: structured stack into N workstreams, M tasks", summary="First session: structured infotech into N workstreams, M tasks",
event_type="milestone", event_type="milestone",
topic_id="(none)", topic_id="cee7bedf-2b48-46ef-8601-006474f2ad7a",
detail={"workstreams": [...], "tasks_created": M} detail={"workstreams": [...], "tasks_created": M}
) )
``` ```

View File

@@ -4,5 +4,5 @@ This repo owns **ihp-railiance-probe** only. It does not own:
<!-- TODO: List what belongs in adjacent repos, e.g.: <!-- TODO: List what belongs in adjacent repos, e.g.:
- SSH key management → railiance-infra/ - SSH key management → railiance-infra/
- State hub code → the-custodian/state-hub/ - State hub code → state-hub/
--> -->

View File

@@ -1,6 +1,5 @@
**Purpose:** ihp-railiance-probe (fill in purpose) **Purpose:** ihp-railiance-probe - (fill in purpose)
**Domain:** stack **Domain:** infotech
**Repo slug:** ihp-railiance-probe **Repo slug:** ihp-railiance-probe
**Topic slug:** stack **Topic ID:** cee7bedf-2b48-46ef-8601-006474f2ad7a
**Topic ID:** 595afc64-bd28-47bf-aafb-ba230b28371b

View File

@@ -1,6 +1,7 @@
## Session Protocol ## Session Protocol
State Hub: http://127.0.0.1:8000 Dev Hub (State Hub API): http://127.0.0.1:8000
MCP server name in `~/.claude.json`: `dev-hub`
**Step 1 — Orient** **Step 1 — Orient**
@@ -8,28 +9,42 @@ Read the offline-safe brief first — it works without a live hub connection:
```bash ```bash
cat .custodian-brief.md cat .custodian-brief.md
``` ```
Then call the MCP tool for richer cross-domain context (skip if unreachable): Then call the MCP tool for richer cross-domain context when MCP tools are exposed:
``` ```
get_domain_summary("stack") get_domain_summary("infotech")
``` ```
If the hub is offline: `cd ~/the-custodian/state-hub && make api` If MCP tools are unavailable in the current agent session, use the REST API:
```bash
curl -s "http://127.0.0.1:8000/state/summary" | python3 -m json.tool
```
If the hub is offline: `cd ~/state-hub && make api`
**Step 2 — Check inbox** **Step 2 — Check inbox**
With MCP tools:
``` ```
get_messages(to_agent="ihp-railiance-probe", unread_only=True) get_messages(to_agent="ihp-railiance-probe", unread_only=True)
``` ```
Mark read with `mark_message_read(message_id)`. Reply or act on coordination Mark read with `mark_message_read(message_id)`. Reply or act on coordination
requests before proceeding. requests before proceeding.
Without MCP tools:
```bash
curl -s "http://127.0.0.1:8000/messages/?to_agent=ihp-railiance-probe&unread_only=true" \
| python3 -m json.tool
curl -s -X PATCH "http://127.0.0.1:8000/messages/<id>/read" \
-H "Content-Type: application/json" -d '{}'
```
**Step 3 — Scan workplans** **Step 3 — Scan workplans**
```bash ```bash
ls workplans/ ls workplans/
``` ```
For each file with `status: active`, note pending `todo`/`in_progress` tasks. For each file with `status: ready`, `active`, or `blocked`, note pending
`wait`/`todo`/`progress` tasks.
**Step 4 — Present brief** **Step 4 — Present brief**
1. **Active workstreams** for `stack` — title, task counts, blocking decisions 1. **Active workstreams** for `infotech` — title, task counts, blocking decisions
2. **Pending tasks** from `workplans/` + any `[repo:ihp-railiance-probe]` hub tasks 2. **Pending tasks** from `workplans/` + any `[repo:ihp-railiance-probe]` hub tasks
3. **Goal guidance** — if `goal_guidance` in summary: 3. **Goal guidance** — if `goal_guidance` in summary:
- `needs_workplan`: surface as top action — *"Repo goal '{title}' has no workplan yet"* - `needs_workplan`: surface as top action — *"Repo goal '{title}' has no workplan yet"*
@@ -45,18 +60,25 @@ If no workstreams: follow First Session Protocol (`first-session.md`).
> are First Session Protocol only. Work structure belongs in repo files (ADR-001). > are First Session Protocol only. Work structure belongs in repo files (ADR-001).
**Session close:** **Session close:**
With MCP tools:
``` ```
add_progress_event(summary="...", topic_id="(none)", workstream_id="<uuid>") add_progress_event(summary="...", topic_id="cee7bedf-2b48-46ef-8601-006474f2ad7a", workstream_id="<uuid>")
```
Without MCP tools:
```bash
curl -s -X POST http://127.0.0.1:8000/progress/ \
-H "Content-Type: application/json" \
-d '{"topic_id":"cee7bedf-2b48-46ef-8601-006474f2ad7a","workstream_id":"<uuid>","event_type":"note","summary":"what changed","author":"codex"}'
``` ```
If workplan files were modified, ensure the local copy is up to date first: If workplan files were modified, ensure the local copy is up to date first:
```bash ```bash
git -C <repo_path> pull --ff-only git -C <repo_path> pull --ff-only
cd ~/the-custodian/state-hub && make fix-consistency REPO=ihp-railiance-probe cd ~/state-hub && make fix-consistency REPO=ihp-railiance-probe
``` ```
For repos where implementation runs on a remote machine (e.g. CoulombCore), For repos where implementation runs on a remote machine (e.g. CoulombCore),
use the combined target which pulls before fixing: use the combined target which pulls before fixing:
```bash ```bash
cd ~/the-custodian/state-hub && make fix-consistency-remote REPO=ihp-railiance-probe cd ~/state-hub && make fix-consistency-remote REPO=ihp-railiance-probe
``` ```
**C-15** (DB task ahead of file) is normal in multi-machine workflows — writeback **C-15** (DB task ahead of file) is normal in multi-machine workflows — writeback
will sync the file to match DB. **C-16** (repo behind remote) blocks all writes will sync the file to match DB. **C-16** (repo behind remote) blocks all writes

View File

@@ -1,12 +1,18 @@
## Workplan Convention (ADR-001) ## Workplan Convention (ADR-001)
File location: `workplans/ihp-railiance-probe-WP-NNNN-<slug>.md` File location: `workplans/IRP-WP-NNNN-<slug>.md`
ID prefix: `IHP-WP` ID prefix: `IRP-WP-`
Work items originate as files in this repo **before** being registered in the hub. Work items originate as files in this repo **before** being registered in the hub.
Canonical workplan/workstream frontmatter statuses are:
`proposed`, `ready`, `active`, `blocked`, `backlog`, `finished`, `archived`.
Use `proposed` for a newly drafted plan, `ready` after review against current
repo state, and `finished` when implementation is complete. `stalled` and
`needs_review` are derived health labels, not stored statuses.
Closed workplans may be moved to `workplans/archived/` with a completion-date Closed workplans may be moved to `workplans/archived/` with a completion-date
prefix: `YYMMDD-ihp-railiance-probe-WP-NNNN-<slug>.md`. The frontmatter id remains prefix: `YYMMDD-IRP-WP-NNNN-<slug>.md`. The frontmatter id remains
unchanged; the prefix is only for quick visual reference. unchanged; the prefix is only for quick visual reference.
Small opportunistic tasks discovered during another session use **Ad Hoc Tasks**: Small opportunistic tasks discovered during another session use **Ad Hoc Tasks**:
@@ -19,4 +25,16 @@ Ecosystem todos from other agents arrive as `[repo:ihp-railiance-probe]` hub tas
visible at session start. Pick one up by creating the workplan file, then registering visible at session start. Pick one up by creating the workplan file, then registering
the workstream. the workstream.
Task blocks use this shape:
```task
id: IRP-WP-NNNN-T01
status: wait | todo | progress | done | cancel
priority: high | medium | low
state_hub_task_id: "<uuid>" # written by fix-consistency — do not edit
```
Status progression is `todo``progress``done`; use `wait` for waiting or
blocked work and `cancel` for stopped work.
<!-- Ralph Loop rules and HEUREKA sequence: ~/.claude/CLAUDE.md — do not duplicate here --> <!-- Ralph Loop rules and HEUREKA sequence: ~/.claude/CLAUDE.md — do not duplicate here -->

View File

@@ -1,8 +1,8 @@
<!-- custodian-brief: generated by fix-consistency — do not edit manually --> <!-- custodian-brief: generated by fix-consistency — do not edit manually -->
# Custodian Brief — ihp-railiance-probe # Custodian Brief — ihp-railiance-probe
**Domain:** stack **Domain:** infotech
**Last synced:** 2026-05-07 02:12 UTC **Last synced:** 2026-06-22 21:22 UTC
**State Hub:** http://127.0.0.1:8000 *(adjust if running on a remote machine)* **State Hub:** http://127.0.0.1:8000 *(adjust if running on a remote machine)*
## Active Workstreams ## Active Workstreams
@@ -13,6 +13,6 @@
## MCP Orientation (when available) ## MCP Orientation (when available)
If the state-hub MCP server is reachable, call: If the state-hub MCP server is reachable, call:
`get_domain_summary("stack")` `get_domain_summary("infotech")`
This provides richer cross-domain context. This provides richer cross-domain context.
If the MCP call fails, use this file as your orientation source. If the MCP call fails, use this file as your orientation source.

View File

@@ -9,7 +9,12 @@ jobs:
build-push-deploy: build-push-deploy:
runs-on: haskelseed runs-on: haskelseed
steps: steps:
- uses: actions/checkout@v3 - name: checkout
env:
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
run: |
git clone --depth 1 http://tegwick:${REGISTRY_TOKEN}@92.205.130.254:32166/coulomb/ihp-railiance-probe.git .
git checkout ${{ gitea.sha }}
- name: nix build docker image - name: nix build docker image
run: nix build .#docker --log-format raw run: nix build .#docker --log-format raw

18
.repo-classification.yaml Normal file
View File

@@ -0,0 +1,18 @@
repo_classification:
standard: Repo Classification Standard
version: '1.0'
classified_at: '2026-06-22'
classified_by: agent
category: project
domain: infotech
secondary_domains: []
capability_tags:
- platform
- operations
business_stake:
- technology
- product
- operations
business_mechanics:
- coordination
- operation

219
AGENTS.md Normal file
View File

@@ -0,0 +1,219 @@
# ihp-railiance-probe — Agent Instructions
## Repo Identity
**Purpose:** ihp-railiance-probe - (fill in purpose)
**Domain:** infotech
**Repo slug:** ihp-railiance-probe
**Topic ID:** `cee7bedf-2b48-46ef-8601-006474f2ad7a`
**Workplan prefix:** `IRP-WP-`
---
## State Hub Integration
The Custodian State Hub tracks work across all domains. Interact via HTTP REST —
there is no MCP server for Codex agents.
| Context | URL |
|---------|-----|
| Local workstation | `http://127.0.0.1:8000` |
| Remote via tunnel | `http://127.0.0.1:18000` |
### Orient at session start
```bash
# Offline brief — works without hub connection
cat .custodian-brief.md
# Active workstreams for this domain
curl -s "http://127.0.0.1:8000/workstreams/?topic_id=cee7bedf-2b48-46ef-8601-006474f2ad7a&status=active" \
| python3 -m json.tool
# Check inbox
curl -s "http://127.0.0.1:8000/messages/?to_agent=ihp-railiance-probe&unread_only=true" \
| python3 -m json.tool
```
Mark a message read:
```bash
curl -s -X PATCH "http://127.0.0.1:8000/messages/<id>/read" \
-H "Content-Type: application/json" -d '{}'
```
### Log progress (required at session close)
```bash
curl -s -X POST http://127.0.0.1:8000/progress/ \
-H "Content-Type: application/json" \
-d '{
"summary": "what was done",
"event_type": "note",
"author": "codex",
"workstream_id": "<uuid>",
"task_id": "<uuid>"
}'
```
Omit `workstream_id` / `task_id` when not applicable.
### Update task status
```bash
curl -s -X PATCH "http://127.0.0.1:8000/tasks/<task_id>" \
-H "Content-Type: application/json" \
-d '{"status": "progress"}'
# values: wait | todo | progress | done | cancel
```
### Flag a task for human review
```bash
curl -s -X PATCH "http://127.0.0.1:8000/tasks/<task_id>" \
-H "Content-Type: application/json" \
-d '{"needs_human": true, "intervention_note": "reason"}'
```
---
## Session Protocol
**Start:**
1. `cat .custodian-brief.md` — domain goal and open workstreams (offline-safe)
2. Check inbox: `GET /messages/?to_agent=ihp-railiance-probe&unread_only=true`; mark read
3. Scan workplans: `ls workplans/` — note `status: ready`, `active`, or `blocked` files and open tasks
4. Check human-needed tasks: `GET /tasks/?needs_human=true`
**During work:**
- Update task statuses in workplan files as tasks progress
- Record significant decisions via `POST /decisions/`
**Close:**
1. Update workplan file task statuses to reflect progress
2. Log: `POST /progress/` with a summary of what changed
3. Note for the custodian operator: after workplan file changes, run from
`~/state-hub`:
```bash
make fix-consistency REPO=ihp-railiance-probe
```
This syncs task status from files into the hub DB.
---
## Credential and access routing
**Audience:** Codex, Claude Code, Grok, and custodian agents that call **llm-connect**
for inference. Run this check **before** requesting secrets, API keys, SSH access,
login tokens, or database passwords — in any repo, not only `ops-warden`.
ops-warden **issues SSH certificates only** (`warden sign`, `cert_command`). Every
other credential need belongs to another subsystem. **Do not** message
`ops-warden` on State Hub expecting a secret value; the reply is a pointer, not a key.
### Lookup (do this first)
```bash
warden route find "<describe your need>" --json
warden route show <catalog-id> --json
```
Requires the `warden` CLI from `~/ops-warden` (`uv tool install .` or `uv run warden`).
| Agent runtime | How to orient |
| --- | --- |
| **Codex / Grok** (shell, HTTP State Hub) | `warden route` commands above; inbox `to_agent=ihp-railiance-probe` is for coordination, not secret vending |
| **Claude Code** (MCP when available) | `get_domain_summary("custodian")` for workstreams; **still** use `warden route` for credential ownership |
| **llm-connect** (inference service) | Never put secret retrieval in prompts; route custody to OpenBao/operator paths surfaced by `warden route` |
### Quick routing table
| I need… | Owner | ops-warden executes? |
| --- | --- | --- |
| SSH cert (`adm`/`agt`/`atm`) | ops-warden | **Yes** — `warden sign` |
| API key, DB password, provider token | OpenBao (`railiance-platform`) | No — route only |
| Login / OIDC / MFA | key-cape / Keycloak | No — route only |
| Authorization decision | flex-auth | No — route only |
| activity-core → issue-core emission | activity-core + issue-core | No — `warden route show activity-core-issue-sink` |
| SSH tunnel | ops-bridge (+ `cert_command` from warden) | No — route only |
### Anti-patterns (do not do these)
- `POST /messages/` to `ops-warden` asking for `ISSUE_CORE_API_KEY`, `OPENROUTER_API_KEY`, etc.
- Inventing `warden secret`, `warden login`, `warden bao`, `warden tunnel` — they do not exist
- Pasting secrets into Git, State Hub, workplans, logs, or chat
### Other capabilities (reuse-surface)
Non-credential capabilities are usually discovered through **reuse-surface** federation
(`reuse-surface` registry / `capability.*` indexes). Credential routing is inlined in
every repo's agent instructions because it is high-frequency, high-risk, and easy to
get wrong.
**Canon:** `~/ops-warden/wiki/CredentialRouting.md` · catalog `~/ops-warden/registry/routing/catalog.yaml`
<!-- REPO-AGENTS-EXTENSIONS -->
<!-- Append repo-specific agent instructions below this marker.
The state-hub template sync preserves content after this line. -->
---
## Workplan Convention (ADR-001)
Work items originate as files in this repo — not in the hub. The hub is a
read/cache/index layer that rebuilds from files.
**File location:** `workplans/IHP-WP-NNNN-<slug>.md`
**Archived location:** finished workplans may move to
`workplans/archived/YYMMDD-IHP-WP-NNNN-<slug>.md`. The `YYMMDD` prefix is
the completion/archive date; the frontmatter `id` does not change.
**Ad Hoc Tasks:** small opportunistic fixes discovered during a session use
`workplans/ADHOC-YYYY-MM-DD.md` with task ids `ADHOC-YYYY-MM-DD-T01`, etc. Use
this only for low-risk work completed directly; create a normal workplan for
anything needing analysis, design, approval, dependencies, or multiple phases.
**Frontmatter:**
```yaml
---
id: IHP-WP-NNNN
type: workplan
title: "..."
domain: infotech
repo: ihp-railiance-probe
status: proposed | ready | active | blocked | backlog | finished | archived
owner: codex
topic_slug: ...
created: "YYYY-MM-DD"
updated: "YYYY-MM-DD"
state_hub_workstream_id: "<uuid>" # written by fix-consistency — do not edit
---
```
Use `proposed` for a new draft, `ready` after review against current repo
state, and `finished` after implementation. `stalled` and `needs_review` are
derived health labels, not frontmatter statuses.
**Task block format** (one per `##` section):
```
## Task Title
` ` `task
id: IHP-WP-NNNN-T01
status: wait | todo | progress | done | cancel
priority: high | medium | low
state_hub_task_id: "<uuid>" # written by fix-consistency — do not edit
` ` `
Task description text.
```
Status progression: `todo` → `progress` → `done`; use `wait` for waiting/blocked work and `cancel` for stopped work.
To create a new workplan:
1. Write the file following the format above
2. Notify the custodian operator to run `make fix-consistency REPO=ihp-railiance-probe`
(or send a message to the hub agent via `POST /messages/`)

View File

@@ -8,4 +8,5 @@
@.claude/rules/stack-and-commands.md @.claude/rules/stack-and-commands.md
@.claude/rules/architecture.md @.claude/rules/architecture.md
@.claude/rules/repo-boundary.md @.claude/rules/repo-boundary.md
@.claude/rules/credential-routing.md
@.claude/rules/agents.md @.claude/rules/agents.md

185
SCOPE.md
View File

@@ -1,137 +1,200 @@
# SCOPE # SCOPE
> This file helps you quickly understand what this repository is about, This file defines what `ihp-railiance-probe` owns, when to use it, and where
> when it is relevant, and when it is not. its boundaries stop.
> It is intentionally lightweight and may be incomplete.
Last reviewed: 2026-06-04
--- ---
## One-liner ## One-liner
<!-- Describe the purpose of this repository in one precise sentence. --> A minimal IHP-on-Railiance canary application that proves the full path from
<!-- Example: "Provides a lightweight event router for Kubernetes-native systems." --> Nix production build to Gitea OCI image, Helm deployment on Railiance01, and
live HTTP smoke verification.
--- ---
## Core Idea ## Core Idea
<!-- What is the main capability or idea behind this repository? --> `ihp-railiance-probe` is intentionally small. It exists to make expensive
<!-- What problem does it try to solve? --> IHP/GHC/Nix/deployment failures cheap to reproduce before larger applications
such as `inter-hub` rely on the same path.
The repo owns a tiny IHP app, the production build shape, a Helm deployment
chart, and the evidence trail for end-to-end validation. Its value is not
business functionality; its value is proving that the IHP workload pipeline is
healthy enough for real apps to use.
--- ---
## In Scope ## In Scope
<!-- What this repository is responsible for. --> - Minimal IHP application code:
<!-- Be explicit and concrete. --> - `Web/Controller/Health.hs` for `GET /healthz -> ok`;
- `Web/Controller/Probes.hs` for basic `probes` CRUD;
- - routes, views, schema, and fixtures needed for the small probe surface.
- - Minimal database schema in `Application/Schema.sql`:
- - `uuid-ossp` extension;
- one `probes` table with `id`, `name`, and `created_at`.
- Test-first validation surface:
- `Test/ProbeControllerSpec.hs`;
- `Test/Main.hs`;
- Hspec checks for `/probes` and `/healthz`.
- IHP/Nix production build configuration:
- `flake.nix`;
- IHP v1.5 inputs;
- `nix build .#docker`;
- low-memory GHC runtime settings and the GHC 9.10.3 mitigation overlay.
- Kubernetes deployment artifact:
- Helm chart under `chart/`;
- deployment, service, ingress, image settings, resource limits, and
`/healthz` liveness probe.
- Pipeline documentation and evidence:
- `INTENT.md`;
- `DeploymentBlueprint.md`;
- `PIPELINE_LOG.md`;
- completed workplan `workplans/IRP-WP-0001-pipeline-validation.md`.
--- ---
## Out of Scope ## Out of Scope
<!-- What this repository deliberately does NOT do. --> - Production business functionality. This is a probe, not an application
<!-- This is often more important than "In Scope". --> product.
- `inter-hub` source code, domain model, features, or release ownership.
- - Generic IHP framework maintenance.
- - Railiance OS provisioning, Kubernetes runtime setup, and shared platform
- services.
- Long-term ownership of Gitea, registries, PostgreSQL, ingress controllers, or
k3s cluster configuration.
- Secret custody. The chart references an environment Secret name, but this
repo must not store live secret values.
- A general-purpose application template. Lessons may inform templates
elsewhere, but this repo stays a small validation target.
--- ---
## Relevant When ## Relevant When
<!-- When should someone consider using or exploring this repository? --> - Validating that an IHP project can build a production OCI image with the
current Nix/IHP/GHC stack.
- - Checking whether known GHC 9.10.3 production-build mitigations still work.
- - Proving the Gitea container registry push path for an IHP image.
- - Testing that Railiance01 can pull and run the image from the Gitea registry.
- Verifying Helm deployment, service routing, ingress, and `/healthz` behavior
for an IHP workload.
- Rehearsing the path before promoting a larger IHP app.
--- ---
## Not Relevant When ## Not Relevant When
<!-- When should someone ignore this repository? --> - You need application features or user-facing product behavior.
- You need to debug the internals of `inter-hub`.
- - You are provisioning hosts, installing k3s, or managing cluster-level addons.
- - You are designing shared Railiance platform services such as databases,
- secret management, object storage, or caches.
- You need a durable production service with real data and recovery guarantees.
- You need canonical CI/CD or developer enablement templates rather than this
specific probe implementation.
--- ---
## Current State ## Current State
<!-- Rough indication of maturity. No strict format required. --> - Status: validated canary.
- Implementation: minimal IHP app, schema, health endpoint, probe CRUD, tests,
Nix Docker image build config, Helm chart, deployment blueprint, and pipeline
log are present.
- Stability: suitable as a regression probe; intentionally narrow.
- Usage: two end-to-end pipeline runs are recorded in `PIPELINE_LOG.md`
(`e372a0c` on 2026-05-03 and `511a503` on 2026-05-07), both with build,
push, deploy, and smoke marked PASS.
- Status: <!-- e.g. concept / experimental / active / stable / deprecated --> The completed workplan records Gitea Actions automation as done, but the
- Implementation: <!-- e.g. idea / partial / substantial / complete --> repository surface visible here does not currently include a
- Stability: <!-- e.g. unstable / evolving / stable --> `.gitea/workflows/` file. Treat that as a documentation/state gap to verify
- Usage: <!-- e.g. none / personal / internal / production --> before relying on unattended CI.
<!-- Add any notes that help set expectations. -->
--- ---
## How It Fits ## How It Fits
<!-- Where does this repository sit in the bigger picture? -->
- Upstream dependencies: - Upstream dependencies:
IHP v1.5, GHC 9.10.3, Nix/devenv, haskelseed build host, Gitea OCI registry,
Railiance01/k3s, Helm, and a PostgreSQL-compatible `DATABASE_URL`.
- Downstream consumers: - Downstream consumers:
humans and agents validating the IHP-on-Railiance release path; larger IHP
applications that want confidence before promotion.
- Often used with: - Often used with:
`inter-hub`, `railiance-apps`, `railiance-enablement`, Gitea on CoulombCore,
and Railiance01.
--- ---
## Terminology ## Terminology
<!-- Terms that are important to understand this repo. -->
<!-- Especially useful if naming differs from other repos. -->
- Preferred terms: - Preferred terms:
probe, canary, pipeline validation, smoke test, IHP-on-Railiance.
- Also known as: - Also known as:
IHP deployment probe, Railiance IHP canary.
- Potentially confusing terms: - Potentially confusing terms:
this repo is "upstream in confidence" from `inter-hub`, not a source-code
dependency of it.
--- ---
## Related / Overlapping Repositories ## Related / Overlapping Repositories
<!-- List repositories that have similar or adjacent responsibilities. --> - `inter-hub` - the larger IHP workload whose expensive build/deployment
<!-- Helps detect duplication and navigate the ecosystem. --> failures motivated this small probe.
- `railiance-apps` - owns S5 application release patterns and app workload
- <repo-name> — <!-- how it relates --> operations for Railiance; this repo is a source workload used to validate an
IHP path into that layer.
- `railiance-enablement` - eventual home for reusable CI/CD, templates, and
developer delivery paths that this probe may inform.
- `railiance-cluster` - owns Kubernetes runtime concerns such as k3s and
cluster-level registry configuration.
- `railiance-platform` - owns shared stateful services such as databases and
secrets consumed by workloads.
--- ---
## Getting Oriented ## Getting Oriented
<!-- If someone decides to look deeper, where should they start? --> 1. Read `INTENT.md` to understand why the repo exists.
2. Read `DeploymentBlueprint.md` for the full workstation -> haskelseed ->
- Start with: Gitea registry -> Railiance01 flow.
- Key files / directories: 3. Read `PIPELINE_LOG.md` for recorded successful pipeline runs.
- Entry points: 4. Inspect `flake.nix` for the production image build and GHC mitigations.
5. Inspect `chart/` for Kubernetes deployment shape.
6. Inspect `Web/Controller/Health.hs`, `Web/Controller/Probes.hs`, and
`Test/ProbeControllerSpec.hs` for the app and smoke-test surface.
7. Inspect `workplans/IRP-WP-0001-pipeline-validation.md` for the completed
validation sequence and operational caveats.
--- ---
## Provided Capabilities ## Provided Capabilities
<!-- What can this repo's domain provide to other domains on request? -->
<!-- Each capability block is parsed by the state-hub capability catalog ingest. -->
<!-- Remove the examples and add your own, or leave empty if none. -->
<!--
```capability ```capability
type: infrastructure type: validation
title: Example capability title title: IHP-on-Railiance pipeline canary
description: What this capability provides, in one or two sentences. description: Minimal IHP application used to validate Nix production builds, Gitea OCI registry push, Helm deployment on Railiance01, and live HTTP smoke checks before larger IHP workloads are promoted.
keywords: [keyword1, keyword2, keyword3] keywords: [ihp, railiance, probe, canary, nix, ghc, gitea, helm, kubernetes, smoke-test]
```
```capability
type: documentation
title: IHP deployment blueprint and evidence log
description: Documents the full IHP build-to-deploy path, known infrastructure constraints, and recorded end-to-end pipeline smoke evidence.
keywords: [deployment-blueprint, pipeline-log, haskelseed, railiance01, registry, evidence]
``` ```
-->
--- ---
## Notes ## Notes
<!-- Anything else worth knowing. Keep it short. --> The README still looks like the original seed template. Use `INTENT.md`,
`DeploymentBlueprint.md`, and this file as the current orientation documents.

12
registry/README.md Normal file
View File

@@ -0,0 +1,12 @@
# Capability Registry
Markdown-first capability index for federation and reuse planning.
## Authoring
1. Copy a capability entry template (see reuse-surface `templates/capability-entry.template.md`).
2. Add the row to `indexes/capabilities.yaml`.
3. Run `reuse-surface validate` from a checkout with the CLI installed.
4. Merge to `main` and verify publish with `reuse-surface establish --publish-check`.
Federation contract: reuse-surface `docs/RegistryFederation.md`.

View File

View File

@@ -0,0 +1,4 @@
version: 1
updated: '2026-06-16'
domain: helix_forge
capabilities: []

View File

@@ -2,7 +2,7 @@
id: IRP-WP-0001 id: IRP-WP-0001
type: workplan type: workplan
title: "ihp-railiance-probe — Full Pipeline Validation" title: "ihp-railiance-probe — Full Pipeline Validation"
domain: stack domain: infotech
repo: ihp-railiance-probe repo: ihp-railiance-probe
status: done status: done
owner: tegwick owner: tegwick
@@ -398,7 +398,7 @@ Verify the full pipeline produced a live application:
```task ```task
id: IRP-WP-0001-T12 id: IRP-WP-0001-T12
status: todo status: done
priority: low priority: low
state_hub_task_id: "0bf9c616-54e6-48f3-ae6d-d91a9f7517c9" state_hub_task_id: "0bf9c616-54e6-48f3-ae6d-d91a9f7517c9"
``` ```
@@ -450,4 +450,4 @@ Automate the build → push → deploy pipeline via Gitea Actions:
| T09 | k3s can pull from HTTP registry | done | | T09 | k3s can pull from HTTP registry | done |
| T10 | Pod Running on Railiance01 | done | | T10 | Pod Running on Railiance01 | done |
| T11 | Smoke tests pass; log entry committed | done | | T11 | Smoke tests pass; log entry committed | done |
| T12 | CI pipeline automated (optional) | todo | | T12 | CI pipeline automated (optional) | done |