generated from coulomb/repo-seed
Make hub discovery public
All checks were successful
Build and Deploy / build-push-deploy (push) Successful in 3m6s
All checks were successful
Build and Deploy / build-push-deploy (push) Successful in 3m6s
This commit is contained in:
@@ -142,7 +142,7 @@ state_hub_task_id: "5ab45e4e-16bc-4feb-8b1b-e8eeb05bf39a"
|
||||
On haskelseed, run the container image against the existing `interhub` database.
|
||||
Confirm:
|
||||
- `curl http://localhost:8000/` returns 200 (LandingAction)
|
||||
- `curl http://localhost:8000/api/v2/hubs` returns 401 (auth required)
|
||||
- `curl http://localhost:8000/api/v2/hubs` returns 200 (public discovery)
|
||||
- Static assets load (Tailwind CSS present in image)
|
||||
- Container exits cleanly on SIGTERM
|
||||
|
||||
@@ -438,7 +438,7 @@ Follow the Railiance staged promotion lifecycle:
|
||||
curl -s https://hub.coulomb.social/capabilities # Capabilities
|
||||
curl -H "Authorization: Bearer <key>" \
|
||||
https://hub.coulomb.social/api/v2/hubs # API (200)
|
||||
curl https://hub.coulomb.social/api/v2/hubs # Unauthenticated (401)
|
||||
curl https://hub.coulomb.social/api/v2/hubs # Unauthenticated (200)
|
||||
```
|
||||
4. **Verify restart persistence:**
|
||||
```bash
|
||||
@@ -472,8 +472,8 @@ Let's Encrypt certificate for the host, and the app deployment is serving image
|
||||
database ingress from `inter-hub` to `net-kingdom-pg` and the blank production
|
||||
schema. Added/applied the platform NetworkPolicy, initialized the `interhub`
|
||||
schema and framework type registries, granted privileges to the app role, and
|
||||
restarted the deployment. The ops-hub gate probe now passes:
|
||||
`/api/v2/hubs` returns the expected unauthenticated `401`,
|
||||
restarted the deployment. The ops-hub route probe now passes:
|
||||
`/api/v2/hubs` returns an unauthenticated response,
|
||||
`/api/v2/openapi.json` returns `200`, and OpenAPI exposes `/hubs`,
|
||||
`/hub-capability-manifests`, `/api-consumers`, and `/policy-scopes`.
|
||||
|
||||
@@ -521,12 +521,14 @@ Added after the helix-forge follow-up asking Inter-Hub to re-check the
|
||||
production bootstrap API gate from an external client before ops-hub proceeds.
|
||||
|
||||
**Verification note (2026-06-14):** External public probes from this workstation
|
||||
confirmed the gate is still green:
|
||||
confirmed the deployed route existed, but this check treated the wrong status as
|
||||
success:
|
||||
|
||||
- `getent ahosts hub.coulomb.social` resolves to `92.205.130.254`.
|
||||
- `curl -s -o /tmp/interhub-hubs-body.txt -w "%{http_code}" \
|
||||
https://hub.coulomb.social/api/v2/hubs` returned `401`.
|
||||
- The unauthenticated response body was the expected API auth failure:
|
||||
https://hub.coulomb.social/api/v2/hubs` returned `401`, which confirmed the
|
||||
route existed but not the correct public-discovery contract.
|
||||
- The unauthenticated response body was an API auth failure:
|
||||
`{"code":"invalid_api_key","error":"Unauthorized"}`.
|
||||
- `curl -s -o /tmp/interhub-openapi.json -w "%{http_code}" \
|
||||
https://hub.coulomb.social/api/v2/openapi.json` returned `200`.
|
||||
@@ -538,10 +540,33 @@ The deployed workflow smoke test also now captures `/api/v2/hubs` status
|
||||
without `curl -f`, verifies it equals `401`, and fails deployment if any of the
|
||||
four bootstrap OpenAPI paths are missing.
|
||||
|
||||
### R11 - Correct public hub discovery bootstrap contract
|
||||
|
||||
```task
|
||||
id: IHUB-WP-0018-T11
|
||||
status: done
|
||||
priority: high
|
||||
```
|
||||
|
||||
Follow-up correction after reviewing the ops-hub bootstrap hurdle: `GET
|
||||
/api/v2/hubs` is a discovery endpoint and should return `200` without an API
|
||||
key, not `401`. The authenticated boundary belongs on mutating bootstrap
|
||||
operations such as `POST /api/v2/hubs`, manifest writes/activation, API
|
||||
consumer creation, API key creation, and runtime widget/event submission.
|
||||
|
||||
**Implementation note (2026-06-14):** Updated the Hubs v2 controller so
|
||||
unauthenticated `GET /api/v2/hubs` returns the paginated hub list, while
|
||||
`POST /api/v2/hubs` still requires an API consumer. Updated generated OpenAPI
|
||||
contract helpers so public discovery operations explicitly set `security: []`
|
||||
instead of inheriting top-level Bearer auth. Updated the deployment workflow to
|
||||
require `/api/v2/hubs` to return `200` with a paginated `data` response, and
|
||||
updated the ops-hub bootstrap smoke helper to use unauthenticated hub discovery
|
||||
before authenticated mutations.
|
||||
|
||||
## Exit Criteria
|
||||
|
||||
- `https://hub.coulomb.social/` returns the Landing page (200, no auth)
|
||||
- `/api/v2/hubs` returns 401 unauthenticated, 200 with valid API key
|
||||
- `/api/v2/hubs` returns 200 unauthenticated for discovery
|
||||
- All 12 IHF dashboards accessible after admin login
|
||||
- `kubectl rollout restart` followed by smoke test passes (K3s restart
|
||||
persistence confirmed)
|
||||
|
||||
Reference in New Issue
Block a user