feat: add interhub bootstrap helper

2026-06-17 00:17:59 +02:00
parent 9fce939d29
commit 6aff34cc5b
11 changed files with 1197 additions and 0 deletions
--- a/seeds/ops-hub-bootstrap.sql
+++ b/seeds/ops-hub-bootstrap.sql
@@ -0,0 +1,287 @@
+-- ops-hub bootstrap fallback for Inter-Hub.
+--
+-- Use only when authenticated UI bootstrap is not practical and a
+-- deployment-side migration/bootstrap is acceptable.
+--
+-- This creates:
+-- - Hub row
+-- - Active HubCapabilityManifest
+-- - Owned type registry entries
+-- - ApiConsumer row
+-- - Seed widgets
+--
+-- It intentionally does not create an ApiKey. Generate the key through the
+-- authenticated Inter-Hub UI so the full static key can be shown once and
+-- stored in the operator secret store.
+
+BEGIN;
+
+INSERT INTO hubs (slug, name, domain, hub_kind)
+VALUES ('ops-hub', 'Ops Hub', 'ops.coulomb.social', 'domain')
+ON CONFLICT (slug) DO UPDATE
+SET name = EXCLUDED.name,
+    domain = EXCLUDED.domain,
+    hub_kind = EXCLUDED.hub_kind;
+
+-- Newer inter-hub schemas have first-class VSM metadata columns. Keep this
+-- block conditional so the bootstrap still works against an older deployment
+-- where the metadata is only carried by the manifest description.
+DO $$
+BEGIN
+    IF EXISTS (
+        SELECT 1
+        FROM information_schema.columns
+        WHERE table_name = 'hubs'
+          AND column_name = 'hub_family'
+    ) THEN
+        UPDATE hubs
+        SET hub_family = 'vsm',
+            vsm_function = 'OPS',
+            vsm_system = '1'
+        WHERE slug = 'ops-hub';
+    END IF;
+END $$;
+
+WITH hub AS (
+    SELECT id FROM hubs WHERE slug = 'ops-hub'
+)
+INSERT INTO hub_capability_manifests (
+    hub_id,
+    manifest_version,
+    declared_widget_types,
+    declared_event_types,
+    declared_annotation_categories,
+    declared_policy_scopes,
+    capability_description,
+    contact,
+    status,
+    activated_at
+)
+SELECT
+    hub.id,
+    '1.0',
+    '[
+      "ops-environment",
+      "ops-host",
+      "ops-cluster",
+      "ops-service",
+      "ops-service-catalog",
+      "ops-endpoint",
+      "ops-release",
+      "ops-backup-set",
+      "ops-secret-set",
+      "ops-runbook",
+      "ops-incident",
+      "ops-readiness-gate",
+      "ops-migration-wave",
+      "ops-risk"
+    ]'::jsonb,
+    '[
+      "ops-inventory-registered",
+      "ops-inventory-updated",
+      "ops-service-discovered",
+      "ops-health-checked",
+      "ops-release-observed",
+      "ops-endpoint-verified",
+      "ops-backup-verified",
+      "ops-restore-tested",
+      "ops-runbook-executed",
+      "ops-drift-detected",
+      "ops-risk-raised",
+      "ops-risk-accepted",
+      "ops-readiness-gate-updated",
+      "ops-migration-gate-passed",
+      "ops-migration-gate-failed"
+    ]'::jsonb,
+    '[
+      "ops-drift",
+      "ops-service-catalog-gap",
+      "ops-backup-gap",
+      "ops-security-gap",
+      "ops-routing-gap",
+      "ops-secret-gap",
+      "ops-readiness-blocker",
+      "ops-migration-risk",
+      "ops-observability-gap",
+      "ops-recovery-gap"
+    ]'::jsonb,
+    '[
+      "ops-local",
+      "ops-transitional-prod",
+      "ops-production",
+      "ops-threephoenix",
+      "ops-registry",
+      "ops-secrets",
+      "ops-backup-retention"
+    ]'::jsonb,
+    'VSM Operations / System 1 hub for operational truth and evidence. Metadata: hub_family=vsm; vsm_function=OPS; vsm_system=S1; scope=operational truth, service catalog, readiness, incidents, runbooks, migration waves, and evidence events.',
+    'operator',
+    'active',
+    NOW()
+FROM hub
+ON CONFLICT (hub_id) DO UPDATE
+SET manifest_version = EXCLUDED.manifest_version,
+    declared_widget_types = EXCLUDED.declared_widget_types,
+    declared_event_types = EXCLUDED.declared_event_types,
+    declared_annotation_categories = EXCLUDED.declared_annotation_categories,
+    declared_policy_scopes = EXCLUDED.declared_policy_scopes,
+    capability_description = EXCLUDED.capability_description,
+    contact = EXCLUDED.contact,
+    status = EXCLUDED.status,
+    activated_at = COALESCE(hub_capability_manifests.activated_at, NOW()),
+    updated_at = NOW();
+
+WITH hub AS (
+    SELECT id FROM hubs WHERE slug = 'ops-hub'
+), names(name) AS (
+    VALUES
+      ('ops-environment'),
+      ('ops-host'),
+      ('ops-cluster'),
+      ('ops-service'),
+      ('ops-service-catalog'),
+      ('ops-endpoint'),
+      ('ops-release'),
+      ('ops-backup-set'),
+      ('ops-secret-set'),
+      ('ops-runbook'),
+      ('ops-incident'),
+      ('ops-readiness-gate'),
+      ('ops-migration-wave'),
+      ('ops-risk')
+)
+INSERT INTO widget_type_registry (name, label, owner_hub_id, status)
+SELECT names.name, names.name, hub.id, 'active'
+FROM names CROSS JOIN hub
+ON CONFLICT (name) DO NOTHING;
+
+WITH hub AS (
+    SELECT id FROM hubs WHERE slug = 'ops-hub'
+), names(name) AS (
+    VALUES
+      ('ops-inventory-registered'),
+      ('ops-inventory-updated'),
+      ('ops-service-discovered'),
+      ('ops-health-checked'),
+      ('ops-release-observed'),
+      ('ops-endpoint-verified'),
+      ('ops-backup-verified'),
+      ('ops-restore-tested'),
+      ('ops-runbook-executed'),
+      ('ops-drift-detected'),
+      ('ops-risk-raised'),
+      ('ops-risk-accepted'),
+      ('ops-readiness-gate-updated'),
+      ('ops-migration-gate-passed'),
+      ('ops-migration-gate-failed')
+)
+INSERT INTO event_type_registry (name, label, owner_hub_id, status)
+SELECT names.name, names.name, hub.id, 'active'
+FROM names CROSS JOIN hub
+ON CONFLICT (name) DO NOTHING;
+
+WITH hub AS (
+    SELECT id FROM hubs WHERE slug = 'ops-hub'
+), names(name) AS (
+    VALUES
+      ('ops-drift'),
+      ('ops-service-catalog-gap'),
+      ('ops-backup-gap'),
+      ('ops-security-gap'),
+      ('ops-routing-gap'),
+      ('ops-secret-gap'),
+      ('ops-readiness-blocker'),
+      ('ops-migration-risk'),
+      ('ops-observability-gap'),
+      ('ops-recovery-gap')
+)
+INSERT INTO annotation_category_registry (name, label, owner_hub_id, status)
+SELECT names.name, names.name, hub.id, 'active'
+FROM names CROSS JOIN hub
+ON CONFLICT (name) DO NOTHING;
+
+WITH hub AS (
+    SELECT id FROM hubs WHERE slug = 'ops-hub'
+), names(name) AS (
+    VALUES
+      ('ops-local'),
+      ('ops-transitional-prod'),
+      ('ops-production'),
+      ('ops-threephoenix'),
+      ('ops-registry'),
+      ('ops-secrets'),
+      ('ops-backup-retention')
+)
+INSERT INTO policy_scope_registry (name, label, owner_hub_id, status)
+SELECT names.name, names.name, hub.id, 'active'
+FROM names CROSS JOIN hub
+ON CONFLICT (name) DO NOTHING;
+
+WITH manifest AS (
+    SELECT id FROM hub_capability_manifests
+    WHERE hub_id = (SELECT id FROM hubs WHERE slug = 'ops-hub')
+)
+INSERT INTO api_consumers (
+    name,
+    description,
+    hub_capability_manifest_id,
+    rate_limit_per_minute,
+    quota_per_day,
+    is_active
+)
+SELECT
+    'ops-hub',
+    'API consumer for the VSM Operations hub',
+    manifest.id,
+    60,
+    10000,
+    TRUE
+FROM manifest
+WHERE NOT EXISTS (
+    SELECT 1 FROM api_consumers WHERE name = 'ops-hub'
+);
+
+WITH hub AS (
+    SELECT id FROM hubs WHERE slug = 'ops-hub'
+), seed(name, widget_type, capability_ref, view_context, policy_scope) AS (
+    VALUES
+      ('Local Environment', 'ops-environment', 'ops:environment:local', 'ops-hub/environments/local', 'ops-local'),
+      ('CoulombCore Environment', 'ops-environment', 'ops:environment:coulombcore', 'ops-hub/environments/coulombcore', 'ops-transitional-prod'),
+      ('Railiance01 Environment', 'ops-environment', 'ops:environment:railiance01', 'ops-hub/environments/railiance01', 'ops-threephoenix'),
+      ('ThreePhoenix Production Environment', 'ops-environment', 'ops:environment:threephoenix-prod', 'ops-hub/environments/threephoenix-prod', 'ops-production'),
+      ('CoulombCore Host', 'ops-host', 'ops:host:coulombcore', 'ops-hub/hosts/coulombcore', 'ops-transitional-prod'),
+      ('Railiance01 Host', 'ops-host', 'ops:host:railiance01', 'ops-hub/hosts/railiance01', 'ops-threephoenix'),
+      ('Operations Service Catalog', 'ops-service-catalog', 'ops:service-catalog', 'ops-hub/service-catalog', 'ops-production'),
+      ('Gitea Service', 'ops-service', 'ops:service:gitea', 'ops-hub/services/gitea', 'ops-transitional-prod'),
+      ('State Hub Service', 'ops-service', 'ops:service:state-hub', 'ops-hub/services/state-hub', 'ops-local'),
+      ('Inter-Hub Service', 'ops-service', 'ops:service:inter-hub', 'ops-hub/services/inter-hub', 'ops-production'),
+      ('Gitea Registry Endpoint', 'ops-endpoint', 'ops:endpoint:gitea-registry', 'ops-hub/endpoints/gitea-registry', 'ops-registry'),
+      ('Gitea Registry Readiness', 'ops-readiness-gate', 'ops:readiness:gitea-registry', 'ops-hub/readiness/gitea-registry', 'ops-registry'),
+      ('State Hub Cluster Deploy Readiness', 'ops-readiness-gate', 'ops:readiness:state-hub-cluster-deploy', 'ops-hub/readiness/state-hub-cluster-deploy', 'ops-production'),
+      ('CoulombCore to ThreePhoenix Migration', 'ops-migration-wave', 'ops:migration:coulombcore-to-threephoenix', 'ops-hub/migrations/coulombcore-to-threephoenix', 'ops-threephoenix')
+)
+INSERT INTO widgets (
+    hub_id,
+    name,
+    widget_type,
+    capability_ref,
+    view_context,
+    policy_scope,
+    status
+)
+SELECT
+    hub.id,
+    seed.name,
+    seed.widget_type,
+    seed.capability_ref,
+    seed.view_context,
+    seed.policy_scope,
+    'active'
+FROM seed CROSS JOIN hub
+WHERE NOT EXISTS (
+    SELECT 1 FROM widgets
+    WHERE hub_id = hub.id
+      AND capability_ref = seed.capability_ref
+);
+
+COMMIT;