generated from coulomb/repo-seed
Compare commits
4 Commits
9fce939d29
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| 21bfd5fa49 | |||
| cec94ac00f | |||
| c0ef8bf52d | |||
| 6aff34cc5b |
20
.claude/rules/agents.md
Normal file
20
.claude/rules/agents.md
Normal file
@@ -0,0 +1,20 @@
|
|||||||
|
## Kaizen Agents
|
||||||
|
|
||||||
|
Specialized agent personas available on demand via the state-hub MCP.
|
||||||
|
|
||||||
|
**Discover:** `list_kaizen_agents()` — returns all agents with name, description, category
|
||||||
|
**Load:** `get_kaizen_agent("tdd-workflow")` — returns full instructions; read and follow them
|
||||||
|
|
||||||
|
Common agents:
|
||||||
|
|
||||||
|
| Agent | Category | When to use |
|
||||||
|
|-------|----------|-------------|
|
||||||
|
| `tdd-workflow` | testing | Step-by-step TDD8 workflow for any feature |
|
||||||
|
| `code-refactoring` | quality | Code quality analysis and safe refactoring |
|
||||||
|
| `test-maintenance` | testing | Diagnose and fix failing tests |
|
||||||
|
| `requirements-engineering` | process | Prevent interface/mock mismatches upfront |
|
||||||
|
| `keepaTodofile` | process | Maintain TODO.md during work |
|
||||||
|
| `project-management` | process | Track status, determine next steps |
|
||||||
|
| `datamodel-optimization` | quality | Optimize dataclasses and data structures |
|
||||||
|
|
||||||
|
All 17 agents: call `list_kaizen_agents()` for the full list.
|
||||||
8
.claude/rules/architecture.md
Normal file
8
.claude/rules/architecture.md
Normal file
@@ -0,0 +1,8 @@
|
|||||||
|
## Architecture
|
||||||
|
|
||||||
|
<!-- TODO: Describe the key design decisions and component structure.
|
||||||
|
Key modules, data flows, external integrations, state machines, etc. -->
|
||||||
|
|
||||||
|
## Quick Reference
|
||||||
|
|
||||||
|
`~/state-hub/mcp_server/TOOLS.md` — MCP tool reference
|
||||||
50
.claude/rules/credential-routing.md
Normal file
50
.claude/rules/credential-routing.md
Normal file
@@ -0,0 +1,50 @@
|
|||||||
|
# Credential and access routing
|
||||||
|
|
||||||
|
**Audience:** Codex, Claude Code, Grok, and custodian agents that call **llm-connect**
|
||||||
|
for inference. Run this check **before** requesting secrets, API keys, SSH access,
|
||||||
|
login tokens, or database passwords — in any repo, not only `ops-warden`.
|
||||||
|
|
||||||
|
ops-warden **issues SSH certificates only** (`warden sign`, `cert_command`). Every
|
||||||
|
other credential need belongs to another subsystem. **Do not** message
|
||||||
|
`ops-warden` on State Hub expecting a secret value; the reply is a pointer, not a key.
|
||||||
|
|
||||||
|
### Lookup (do this first)
|
||||||
|
|
||||||
|
```bash
|
||||||
|
warden route find "<describe your need>" --json
|
||||||
|
warden route show <catalog-id> --json
|
||||||
|
```
|
||||||
|
|
||||||
|
Requires the `warden` CLI from `~/ops-warden` (`uv tool install .` or `uv run warden`).
|
||||||
|
|
||||||
|
| Agent runtime | How to orient |
|
||||||
|
| --- | --- |
|
||||||
|
| **Codex / Grok** (shell, HTTP State Hub) | `warden route` commands above; inbox `to_agent=ops-hub` is for coordination, not secret vending |
|
||||||
|
| **Claude Code** (MCP when available) | `get_domain_summary("custodian")` for workstreams; **still** use `warden route` for credential ownership |
|
||||||
|
| **llm-connect** (inference service) | Never put secret retrieval in prompts; route custody to OpenBao/operator paths surfaced by `warden route` |
|
||||||
|
|
||||||
|
### Quick routing table
|
||||||
|
|
||||||
|
| I need… | Owner | ops-warden executes? |
|
||||||
|
| --- | --- | --- |
|
||||||
|
| SSH cert (`adm`/`agt`/`atm`) | ops-warden | **Yes** — `warden sign` |
|
||||||
|
| API key, DB password, provider token | OpenBao (`railiance-platform`) | No — route only |
|
||||||
|
| Login / OIDC / MFA | key-cape / Keycloak | No — route only |
|
||||||
|
| Authorization decision | flex-auth | No — route only |
|
||||||
|
| activity-core → issue-core emission | activity-core + issue-core | No — `warden route show activity-core-issue-sink` |
|
||||||
|
| SSH tunnel | ops-bridge (+ `cert_command` from warden) | No — route only |
|
||||||
|
|
||||||
|
### Anti-patterns (do not do these)
|
||||||
|
|
||||||
|
- `POST /messages/` to `ops-warden` asking for `ISSUE_CORE_API_KEY`, `OPENROUTER_API_KEY`, etc.
|
||||||
|
- Inventing `warden secret`, `warden login`, `warden bao`, `warden tunnel` — they do not exist
|
||||||
|
- Pasting secrets into Git, State Hub, workplans, logs, or chat
|
||||||
|
|
||||||
|
### Other capabilities (reuse-surface)
|
||||||
|
|
||||||
|
Non-credential capabilities are usually discovered through **reuse-surface** federation
|
||||||
|
(`reuse-surface` registry / `capability.*` indexes). Credential routing is inlined in
|
||||||
|
every repo's agent instructions because it is high-frequency, high-risk, and easy to
|
||||||
|
get wrong.
|
||||||
|
|
||||||
|
**Canon:** `~/ops-warden/wiki/CredentialRouting.md` · catalog `~/ops-warden/registry/routing/catalog.yaml`
|
||||||
38
.claude/rules/first-session.md
Normal file
38
.claude/rules/first-session.md
Normal file
@@ -0,0 +1,38 @@
|
|||||||
|
## First Session Protocol
|
||||||
|
|
||||||
|
Triggered when `get_domain_summary("infotech")` shows **no workstreams**.
|
||||||
|
The project is registered but work has not yet been structured.
|
||||||
|
|
||||||
|
**Step 1 — Read, don't write**
|
||||||
|
- `~/the-custodian/canon/projects/infotech/project_charter_v0.1.md` — purpose, scope
|
||||||
|
- `~/the-custodian/canon/projects/infotech/roadmap_v0.1.md` — planned phases
|
||||||
|
- Scan repo root: README, directory structure, existing code or docs
|
||||||
|
|
||||||
|
**Step 2 — Survey in-progress work**
|
||||||
|
Look for TODOs, open branches, half-finished files. Note done vs. started but incomplete.
|
||||||
|
|
||||||
|
**Step 3 — Propose workstreams to Bernd**
|
||||||
|
Propose 1–3 workstreams — each a coherent strand, weeks to months, anchored to a
|
||||||
|
roadmap phase. **Wait for approval before creating.**
|
||||||
|
|
||||||
|
**Step 4 — Create workplan file first, then DB record (ADR-001)**
|
||||||
|
```
|
||||||
|
workplans/OPS-WP-NNNN-<slug>.md ← write this first
|
||||||
|
```
|
||||||
|
Then register in the hub:
|
||||||
|
```
|
||||||
|
create_workstream(topic_id="1f2e4d10-c967-4803-ae6c-7f4b4e806409", title="...", owner="...", description="...")
|
||||||
|
create_task(workstream_id="<id>", title="...", priority="high|medium|low")
|
||||||
|
```
|
||||||
|
|
||||||
|
**Step 5 — Record the setup**
|
||||||
|
```
|
||||||
|
add_progress_event(
|
||||||
|
summary="First session: structured infotech into N workstreams, M tasks",
|
||||||
|
event_type="milestone",
|
||||||
|
topic_id="1f2e4d10-c967-4803-ae6c-7f4b4e806409",
|
||||||
|
detail={"workstreams": [...], "tasks_created": M}
|
||||||
|
)
|
||||||
|
```
|
||||||
|
|
||||||
|
<!-- Delete or archive this file once past first session -->
|
||||||
8
.claude/rules/repo-boundary.md
Normal file
8
.claude/rules/repo-boundary.md
Normal file
@@ -0,0 +1,8 @@
|
|||||||
|
## Repo boundary
|
||||||
|
|
||||||
|
This repo owns **ops-hub** only. It does not own:
|
||||||
|
|
||||||
|
<!-- TODO: List what belongs in adjacent repos, e.g.:
|
||||||
|
- SSH key management → railiance-infra/
|
||||||
|
- State hub code → state-hub/
|
||||||
|
-->
|
||||||
5
.claude/rules/repo-identity.md
Normal file
5
.claude/rules/repo-identity.md
Normal file
@@ -0,0 +1,5 @@
|
|||||||
|
**Purpose:** Operations / System 1 extension for Inter-Hub, focused on operational truth, readiness evidence, service catalog records, and migration gates.
|
||||||
|
|
||||||
|
**Domain:** infotech
|
||||||
|
**Repo slug:** ops-hub
|
||||||
|
**Topic ID:** 1f2e4d10-c967-4803-ae6c-7f4b4e806409
|
||||||
85
.claude/rules/session-protocol.md
Normal file
85
.claude/rules/session-protocol.md
Normal file
@@ -0,0 +1,85 @@
|
|||||||
|
## Session Protocol
|
||||||
|
|
||||||
|
Dev Hub (State Hub API): http://127.0.0.1:8000
|
||||||
|
MCP server name in `~/.claude.json`: `dev-hub`
|
||||||
|
|
||||||
|
**Step 1 — Orient**
|
||||||
|
|
||||||
|
Read the offline-safe brief first — it works without a live hub connection:
|
||||||
|
```bash
|
||||||
|
cat .custodian-brief.md
|
||||||
|
```
|
||||||
|
Then call the MCP tool for richer cross-domain context when MCP tools are exposed:
|
||||||
|
```
|
||||||
|
get_domain_summary("infotech")
|
||||||
|
```
|
||||||
|
If MCP tools are unavailable in the current agent session, use the REST API:
|
||||||
|
```bash
|
||||||
|
curl -s "http://127.0.0.1:8000/state/summary" | python3 -m json.tool
|
||||||
|
```
|
||||||
|
If the hub is offline: `cd ~/state-hub && make api`
|
||||||
|
|
||||||
|
**Step 2 — Check inbox**
|
||||||
|
With MCP tools:
|
||||||
|
```
|
||||||
|
get_messages(to_agent="ops-hub", unread_only=True)
|
||||||
|
```
|
||||||
|
Mark read with `mark_message_read(message_id)`. Reply or act on coordination
|
||||||
|
requests before proceeding.
|
||||||
|
|
||||||
|
Without MCP tools:
|
||||||
|
```bash
|
||||||
|
curl -s "http://127.0.0.1:8000/messages/?to_agent=ops-hub&unread_only=true" \
|
||||||
|
| python3 -m json.tool
|
||||||
|
curl -s -X PATCH "http://127.0.0.1:8000/messages/<id>/read" \
|
||||||
|
-H "Content-Type: application/json" -d '{}'
|
||||||
|
```
|
||||||
|
|
||||||
|
**Step 3 — Scan workplans**
|
||||||
|
```bash
|
||||||
|
ls workplans/
|
||||||
|
```
|
||||||
|
For each file with `status: ready`, `active`, or `blocked`, note pending
|
||||||
|
`wait`/`todo`/`progress` tasks.
|
||||||
|
|
||||||
|
**Step 4 — Present brief**
|
||||||
|
|
||||||
|
1. **Active workstreams** for `infotech` — title, task counts, blocking decisions
|
||||||
|
2. **Pending tasks** from `workplans/` + any `[repo:ops-hub]` hub tasks
|
||||||
|
3. **Goal guidance** — if `goal_guidance` in summary:
|
||||||
|
- `needs_workplan`: surface as top action — *"Repo goal '{title}' has no workplan yet"*
|
||||||
|
- `alignment_warnings`: flag if active work is not aligned with current goal
|
||||||
|
4. **Suggested next action** — highest-priority open item
|
||||||
|
5. **SBOM status** — flag if `last_sbom_at` is unset for this repo
|
||||||
|
|
||||||
|
If no workstreams: follow First Session Protocol (`first-session.md`).
|
||||||
|
|
||||||
|
**During work:** `record_decision()` · `add_progress_event()` · `resolve_decision()`
|
||||||
|
|
||||||
|
> State Hub is a *read model*. Bootstrap tools (`create_workstream`, `create_task`)
|
||||||
|
> are First Session Protocol only. Work structure belongs in repo files (ADR-001).
|
||||||
|
|
||||||
|
**Session close:**
|
||||||
|
With MCP tools:
|
||||||
|
```
|
||||||
|
add_progress_event(summary="...", topic_id="1f2e4d10-c967-4803-ae6c-7f4b4e806409", workstream_id="<uuid>")
|
||||||
|
```
|
||||||
|
Without MCP tools:
|
||||||
|
```bash
|
||||||
|
curl -s -X POST http://127.0.0.1:8000/progress/ \
|
||||||
|
-H "Content-Type: application/json" \
|
||||||
|
-d '{"topic_id":"1f2e4d10-c967-4803-ae6c-7f4b4e806409","workstream_id":"<uuid>","event_type":"note","summary":"what changed","author":"codex"}'
|
||||||
|
```
|
||||||
|
If workplan files were modified, ensure the local copy is up to date first:
|
||||||
|
```bash
|
||||||
|
git -C <repo_path> pull --ff-only
|
||||||
|
cd ~/state-hub && make fix-consistency REPO=ops-hub
|
||||||
|
```
|
||||||
|
For repos where implementation runs on a remote machine (e.g. CoulombCore),
|
||||||
|
use the combined target which pulls before fixing:
|
||||||
|
```bash
|
||||||
|
cd ~/state-hub && make fix-consistency-remote REPO=ops-hub
|
||||||
|
```
|
||||||
|
**C-15** (DB task ahead of file) is normal in multi-machine workflows — writeback
|
||||||
|
will sync the file to match DB. **C-16** (repo behind remote) blocks all writes
|
||||||
|
until you pull — intentional to prevent clobbering remote progress.
|
||||||
19
.claude/rules/stack-and-commands.md
Normal file
19
.claude/rules/stack-and-commands.md
Normal file
@@ -0,0 +1,19 @@
|
|||||||
|
## Stack
|
||||||
|
|
||||||
|
<!-- TODO: Fill in language, frameworks, and key dependencies -->
|
||||||
|
- **Language:**
|
||||||
|
- **Key deps:**
|
||||||
|
|
||||||
|
## Dev Commands
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# TODO: Fill in the standard commands for this repo
|
||||||
|
|
||||||
|
# Install dependencies
|
||||||
|
|
||||||
|
# Run tests
|
||||||
|
|
||||||
|
# Lint / type check
|
||||||
|
|
||||||
|
# Build / package (if applicable)
|
||||||
|
```
|
||||||
40
.claude/rules/workplan-convention.md
Normal file
40
.claude/rules/workplan-convention.md
Normal file
@@ -0,0 +1,40 @@
|
|||||||
|
## Workplan Convention (ADR-001)
|
||||||
|
|
||||||
|
File location: `workplans/OPS-WP-NNNN-<slug>.md`
|
||||||
|
ID prefix: `OPS-WP-`
|
||||||
|
|
||||||
|
Work items originate as files in this repo **before** being registered in the hub.
|
||||||
|
|
||||||
|
Canonical workplan/workstream frontmatter statuses are:
|
||||||
|
`proposed`, `ready`, `active`, `blocked`, `backlog`, `finished`, `archived`.
|
||||||
|
Use `proposed` for a newly drafted plan, `ready` after review against current
|
||||||
|
repo state, and `finished` when implementation is complete. `stalled` and
|
||||||
|
`needs_review` are derived health labels, not stored statuses.
|
||||||
|
|
||||||
|
Closed workplans may be moved to `workplans/archived/` with a completion-date
|
||||||
|
prefix: `YYMMDD-OPS-WP-NNNN-<slug>.md`. The frontmatter id remains
|
||||||
|
unchanged; the prefix is only for quick visual reference.
|
||||||
|
|
||||||
|
Small opportunistic tasks discovered during another session use **Ad Hoc Tasks**:
|
||||||
|
`workplans/ADHOC-YYYY-MM-DD.md`, workstream slug `adhoc-YYYY-MM-DD`, and task ids
|
||||||
|
`ADHOC-YYYY-MM-DD-T01`, `T02`, etc. Use adhocs only for low-risk work completed
|
||||||
|
directly. Promote anything requiring analysis, design, approval, dependencies, or
|
||||||
|
multiple planned phases into a normal workplan.
|
||||||
|
|
||||||
|
Ecosystem todos from other agents arrive as `[repo:ops-hub]` hub tasks —
|
||||||
|
visible at session start. Pick one up by creating the workplan file, then registering
|
||||||
|
the workstream.
|
||||||
|
|
||||||
|
Task blocks use this shape:
|
||||||
|
|
||||||
|
```task
|
||||||
|
id: OPS-WP-NNNN-T01
|
||||||
|
status: wait | todo | progress | done | cancel
|
||||||
|
priority: high | medium | low
|
||||||
|
state_hub_task_id: "<uuid>" # written by fix-consistency — do not edit
|
||||||
|
```
|
||||||
|
|
||||||
|
Status progression is `todo` → `progress` → `done`; use `wait` for waiting or
|
||||||
|
blocked work and `cancel` for stopped work.
|
||||||
|
|
||||||
|
<!-- Ralph Loop rules and HEUREKA sequence: ~/.claude/CLAUDE.md — do not duplicate here -->
|
||||||
24
.repo-classification.yaml
Normal file
24
.repo-classification.yaml
Normal file
@@ -0,0 +1,24 @@
|
|||||||
|
repo_classification:
|
||||||
|
standard: Repo Classification Standard
|
||||||
|
version: '1.0'
|
||||||
|
classified_at: '2026-06-22'
|
||||||
|
classified_by: human
|
||||||
|
category: tooling
|
||||||
|
domain: infotech
|
||||||
|
secondary_domains: []
|
||||||
|
capability_tags:
|
||||||
|
- operations
|
||||||
|
- platform
|
||||||
|
- observability
|
||||||
|
- coordination
|
||||||
|
- governance
|
||||||
|
business_stake:
|
||||||
|
- operations
|
||||||
|
- technology
|
||||||
|
- automation
|
||||||
|
business_mechanics:
|
||||||
|
- coordination
|
||||||
|
- operation
|
||||||
|
- control
|
||||||
|
notes: Inter-Hub operations extension (environments, incidents, runbooks); human
|
||||||
|
corrected category project→tooling.
|
||||||
63
AGENTS.md
63
AGENTS.md
@@ -2,9 +2,9 @@
|
|||||||
|
|
||||||
## Repo Identity
|
## Repo Identity
|
||||||
|
|
||||||
**Purpose:** Inter-hub extension for the operations & resiliance subdimension of the orthogonal architecture standard perspective.
|
**Purpose:** Operations / System 1 extension for Inter-Hub, focused on operational truth, readiness evidence, service catalog records, and migration gates.
|
||||||
|
|
||||||
**Domain:** inter_hub
|
**Domain:** infotech
|
||||||
**Repo slug:** ops-hub
|
**Repo slug:** ops-hub
|
||||||
**Topic ID:** `1f2e4d10-c967-4803-ae6c-7f4b4e806409`
|
**Topic ID:** `1f2e4d10-c967-4803-ae6c-7f4b4e806409`
|
||||||
**Workplan prefix:** `OPS-WP-`
|
**Workplan prefix:** `OPS-WP-`
|
||||||
@@ -101,6 +101,63 @@ curl -s -X PATCH "http://127.0.0.1:8000/tasks/<task_id>" \
|
|||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
## Credential and access routing
|
||||||
|
|
||||||
|
**Audience:** Codex, Claude Code, Grok, and custodian agents that call **llm-connect**
|
||||||
|
for inference. Run this check **before** requesting secrets, API keys, SSH access,
|
||||||
|
login tokens, or database passwords — in any repo, not only `ops-warden`.
|
||||||
|
|
||||||
|
ops-warden **issues SSH certificates only** (`warden sign`, `cert_command`). Every
|
||||||
|
other credential need belongs to another subsystem. **Do not** message
|
||||||
|
`ops-warden` on State Hub expecting a secret value; the reply is a pointer, not a key.
|
||||||
|
|
||||||
|
### Lookup (do this first)
|
||||||
|
|
||||||
|
```bash
|
||||||
|
warden route find "<describe your need>" --json
|
||||||
|
warden route show <catalog-id> --json
|
||||||
|
```
|
||||||
|
|
||||||
|
Requires the `warden` CLI from `~/ops-warden` (`uv tool install .` or `uv run warden`).
|
||||||
|
|
||||||
|
| Agent runtime | How to orient |
|
||||||
|
| --- | --- |
|
||||||
|
| **Codex / Grok** (shell, HTTP State Hub) | `warden route` commands above; inbox `to_agent=ops-hub` is for coordination, not secret vending |
|
||||||
|
| **Claude Code** (MCP when available) | `get_domain_summary("custodian")` for workstreams; **still** use `warden route` for credential ownership |
|
||||||
|
| **llm-connect** (inference service) | Never put secret retrieval in prompts; route custody to OpenBao/operator paths surfaced by `warden route` |
|
||||||
|
|
||||||
|
### Quick routing table
|
||||||
|
|
||||||
|
| I need… | Owner | ops-warden executes? |
|
||||||
|
| --- | --- | --- |
|
||||||
|
| SSH cert (`adm`/`agt`/`atm`) | ops-warden | **Yes** — `warden sign` |
|
||||||
|
| API key, DB password, provider token | OpenBao (`railiance-platform`) | No — route only |
|
||||||
|
| Login / OIDC / MFA | key-cape / Keycloak | No — route only |
|
||||||
|
| Authorization decision | flex-auth | No — route only |
|
||||||
|
| activity-core → issue-core emission | activity-core + issue-core | No — `warden route show activity-core-issue-sink` |
|
||||||
|
| SSH tunnel | ops-bridge (+ `cert_command` from warden) | No — route only |
|
||||||
|
|
||||||
|
### Anti-patterns (do not do these)
|
||||||
|
|
||||||
|
- `POST /messages/` to `ops-warden` asking for `ISSUE_CORE_API_KEY`, `OPENROUTER_API_KEY`, etc.
|
||||||
|
- Inventing `warden secret`, `warden login`, `warden bao`, `warden tunnel` — they do not exist
|
||||||
|
- Pasting secrets into Git, State Hub, workplans, logs, or chat
|
||||||
|
|
||||||
|
### Other capabilities (reuse-surface)
|
||||||
|
|
||||||
|
Non-credential capabilities are usually discovered through **reuse-surface** federation
|
||||||
|
(`reuse-surface` registry / `capability.*` indexes). Credential routing is inlined in
|
||||||
|
every repo's agent instructions because it is high-frequency, high-risk, and easy to
|
||||||
|
get wrong.
|
||||||
|
|
||||||
|
**Canon:** `~/ops-warden/wiki/CredentialRouting.md` · catalog `~/ops-warden/registry/routing/catalog.yaml`
|
||||||
|
|
||||||
|
<!-- REPO-AGENTS-EXTENSIONS -->
|
||||||
|
<!-- Append repo-specific agent instructions below this marker.
|
||||||
|
The state-hub template sync preserves content after this line. -->
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
## Workplan Convention (ADR-001)
|
## Workplan Convention (ADR-001)
|
||||||
|
|
||||||
Work items originate as files in this repo — not in the hub. The hub is a
|
Work items originate as files in this repo — not in the hub. The hub is a
|
||||||
@@ -124,7 +181,7 @@ anything needing analysis, design, approval, dependencies, or multiple phases.
|
|||||||
id: OPS-WP-NNNN
|
id: OPS-WP-NNNN
|
||||||
type: workplan
|
type: workplan
|
||||||
title: "..."
|
title: "..."
|
||||||
domain: inter_hub
|
domain: infotech
|
||||||
repo: ops-hub
|
repo: ops-hub
|
||||||
status: proposed | ready | active | blocked | backlog | finished | archived
|
status: proposed | ready | active | blocked | backlog | finished | archived
|
||||||
owner: codex
|
owner: codex
|
||||||
|
|||||||
12
CLAUDE.md
Normal file
12
CLAUDE.md
Normal file
@@ -0,0 +1,12 @@
|
|||||||
|
# ops-hub — Claude Code Instructions
|
||||||
|
|
||||||
|
@SCOPE.md
|
||||||
|
@.claude/rules/repo-identity.md
|
||||||
|
@.claude/rules/session-protocol.md
|
||||||
|
@.claude/rules/first-session.md
|
||||||
|
@.claude/rules/workplan-convention.md
|
||||||
|
@.claude/rules/stack-and-commands.md
|
||||||
|
@.claude/rules/architecture.md
|
||||||
|
@.claude/rules/repo-boundary.md
|
||||||
|
@.claude/rules/credential-routing.md
|
||||||
|
@.claude/rules/agents.md
|
||||||
25
INTENT.md
25
INTENT.md
@@ -7,9 +7,16 @@ updated: "2026-06-06"
|
|||||||
|
|
||||||
## Why it exists
|
## Why it exists
|
||||||
|
|
||||||
Inter-hub extension for the operations & resiliance subdimension of the orthogonal architecture standard perspective.
|
`ops-hub` is the Operations / System 1 extension for Inter-Hub. It turns
|
||||||
|
operational reality into governed, queryable, and evidence-backed hub records:
|
||||||
|
environments, hosts, clusters, services, endpoints, releases, backups,
|
||||||
|
incidents, risks, runbooks, readiness gates, and migration waves.
|
||||||
|
|
||||||
Inter-hub extension for the operations & resiliance subdimension of the orthogonal architecture standard perspective.
|
It exists because Railiance and HelixForge operations need a durable
|
||||||
|
operational truth surface while the current CoulombCore environment transitions
|
||||||
|
toward the ThreePhoenix production shape. State Hub continues to own
|
||||||
|
workstreams and decisions; Inter-Hub continues to own the generic hub substrate.
|
||||||
|
`ops-hub` owns the operations extension behavior built on top of that substrate.
|
||||||
|
|
||||||
## Governing principle
|
## Governing principle
|
||||||
|
|
||||||
@@ -17,8 +24,16 @@ This repository should stay focused on the purpose above. Work that changes its
|
|||||||
authority, ownership boundaries, or operational promises should be captured in a
|
authority, ownership boundaries, or operational promises should be captured in a
|
||||||
workplan before implementation.
|
workplan before implementation.
|
||||||
|
|
||||||
|
The first implementation rule is: domain-specific runtime code belongs here,
|
||||||
|
while generic hub framework behavior belongs in `inter-hub`.
|
||||||
|
|
||||||
## What it enables
|
## What it enables
|
||||||
|
|
||||||
- A coding agent can understand why the repository exists before changing it.
|
- Operators can see what runs where, how it is reached, and what evidence proves
|
||||||
- State Hub can register and coordinate work for this repository.
|
it is healthy.
|
||||||
- Future workplans can stay connected to the repository's intended role.
|
- Collectors, adapters, and scheduled probes can report operational facts into
|
||||||
|
Inter-Hub using the ops vocabulary.
|
||||||
|
- Readiness and migration gates can be represented as explicit, auditable
|
||||||
|
operational records.
|
||||||
|
- Future VSM hubs can reuse the extension pattern without turning Inter-Hub
|
||||||
|
itself into a domain-specific operations product.
|
||||||
|
|||||||
25
Makefile
Normal file
25
Makefile
Normal file
@@ -0,0 +1,25 @@
|
|||||||
|
IHUB_BASE ?= https://hub.coulomb.social
|
||||||
|
IHUB_OPERATOR_KEY_FILE ?=
|
||||||
|
OPS_HUB_RUNTIME_KEY_OUTPUT ?=
|
||||||
|
|
||||||
|
.PHONY: help interhub-gate interhub-bootstrap interhub-bootstrap-help
|
||||||
|
|
||||||
|
help:
|
||||||
|
@echo "Targets:"
|
||||||
|
@echo " interhub-gate Probe whether production Inter-Hub exposes the ops-hub bootstrap API surface"
|
||||||
|
@echo " interhub-bootstrap-help Show bootstrap helper options"
|
||||||
|
@echo " interhub-bootstrap Run attended ops-hub Inter-Hub bootstrap with IHUB_OPERATOR_KEY_FILE"
|
||||||
|
|
||||||
|
interhub-gate:
|
||||||
|
IHUB_BASE="$(IHUB_BASE)" python3 scripts/interhub-gate-probe.py
|
||||||
|
|
||||||
|
interhub-bootstrap-help:
|
||||||
|
python3 scripts/ops-hub-bootstrap-api.py --help
|
||||||
|
|
||||||
|
interhub-bootstrap:
|
||||||
|
@test -n "$(IHUB_OPERATOR_KEY_FILE)" || \
|
||||||
|
(echo "IHUB_OPERATOR_KEY_FILE is required; materialize the operator key into a 0600 temp file first." >&2; exit 2)
|
||||||
|
IHUB_BASE="$(IHUB_BASE)" \
|
||||||
|
IHUB_OPERATOR_KEY_FILE="$(IHUB_OPERATOR_KEY_FILE)" \
|
||||||
|
OPS_HUB_RUNTIME_KEY_OUTPUT="$(OPS_HUB_RUNTIME_KEY_OUTPUT)" \
|
||||||
|
python3 scripts/ops-hub-bootstrap-api.py
|
||||||
@@ -1 +1,6 @@
|
|||||||
Inter-hub extension for the operations & resiliance subdimension of the orthogonal architecture standard perspective.
|
Operations / System 1 extension for Inter-Hub.
|
||||||
|
|
||||||
|
`ops-hub` is the operational truth surface for environments, hosts, clusters,
|
||||||
|
services, endpoints, releases, backups, incidents, risks, runbooks, readiness
|
||||||
|
gates, and migration waves. Generic hub framework work stays in `inter-hub`;
|
||||||
|
operations-specific extension code belongs here.
|
||||||
|
|||||||
40
SCOPE.md
40
SCOPE.md
@@ -1,32 +1,52 @@
|
|||||||
# SCOPE
|
# SCOPE
|
||||||
|
|
||||||
> This file was generated by `statehub register`. Refine it as the repository
|
|
||||||
> boundaries become clearer.
|
|
||||||
|
|
||||||
## One-liner
|
## One-liner
|
||||||
|
|
||||||
Inter-hub extension for the operations & resiliance subdimension of the orthogonal architecture standard perspective.
|
Operations / System 1 extension for Inter-Hub, focused on operational truth,
|
||||||
|
readiness evidence, and migration gates.
|
||||||
|
|
||||||
## Core Idea
|
## Core Idea
|
||||||
|
|
||||||
ops-hub exists to provide the capability described in INTENT.md.
|
`ops-hub` is a domain-specific Inter-Hub extension. It should professionalize
|
||||||
|
operations by making environments, hosts, clusters, services, endpoints,
|
||||||
|
releases, backups, incidents, risks, runbooks, readiness gates, and migration
|
||||||
|
waves explicit and evidence-backed.
|
||||||
|
|
||||||
|
The repo is intentionally separate from `inter-hub`: generic framework and API
|
||||||
|
substrate work remains in `inter-hub`; operations-specific collectors,
|
||||||
|
adapters, probes, bootstrap clients, UI/extensions, tests, and packaging belong
|
||||||
|
here.
|
||||||
|
|
||||||
## In Scope
|
## In Scope
|
||||||
|
|
||||||
- Maintain the repository's primary implementation.
|
- Operations hub implementation code and tests.
|
||||||
- Keep docs, tests, and operational metadata current.
|
- Ops vocabulary clients, collectors, adapters, and scheduled probes.
|
||||||
|
- Inter-Hub bootstrap/smoke tooling for the `ops-hub` extension.
|
||||||
|
- Operations service catalog, readiness, migration, endpoint, backup, restore,
|
||||||
|
incident, and runbook models.
|
||||||
|
- Repo-local workplans for growing the Operations / System 1 extension.
|
||||||
|
|
||||||
## Out of Scope
|
## Out of Scope
|
||||||
|
|
||||||
- Own unrelated adjacent systems.
|
- Generic Inter-Hub framework behavior, API substrate, authentication, or
|
||||||
- Make irreversible operational decisions without human approval.
|
registry semantics.
|
||||||
|
- State Hub workstream, task, decision, or progress implementation.
|
||||||
|
- Railiance infrastructure, cluster, platform, enablement, or app desired state.
|
||||||
|
- Manual production DB seeding unless the operator explicitly chooses that
|
||||||
|
fallback.
|
||||||
|
- Irreversible operational decisions without human approval.
|
||||||
|
|
||||||
## Current State
|
## Current State
|
||||||
|
|
||||||
- Status: active; implementation and stability should be verified by the repo agent.
|
- Status: active bootstrap.
|
||||||
|
- Implementation: no executable source tree yet; first real workplan is seeded
|
||||||
|
in `workplans/OPS-WP-0002-interhub-extension-bootstrap.md`.
|
||||||
|
- Live Inter-Hub production gate: `/api/v2/hubs` still returned `404` on
|
||||||
|
2026-06-06, so supported API bootstrap is not yet available in production.
|
||||||
|
|
||||||
## Getting Oriented
|
## Getting Oriented
|
||||||
|
|
||||||
- Start with: INTENT.md
|
- Start with: INTENT.md
|
||||||
- Agent instructions: AGENTS.md
|
- Agent instructions: AGENTS.md
|
||||||
- Workplans: workplans/
|
- Workplans: workplans/
|
||||||
|
- HelixForge handoff: `/home/worsch/helix-forge/workplans/HF-WP-0001-establish-ops-hub-first-extension.md`
|
||||||
|
|||||||
15
docs/README.md
Normal file
15
docs/README.md
Normal file
@@ -0,0 +1,15 @@
|
|||||||
|
# ops-hub Docs
|
||||||
|
|
||||||
|
This directory contains the first repo-local version of the HelixForge
|
||||||
|
`HF-WP-0001` handoff.
|
||||||
|
|
||||||
|
- `initial-inventory.md` defines the first environment, host, cluster, service,
|
||||||
|
and endpoint catalog.
|
||||||
|
- `readiness-gates.md` defines the CoulombCore-to-ThreePhoenix readiness model.
|
||||||
|
- `bootstrap-runbook.md` defines the operator-ready Inter-Hub bootstrap path.
|
||||||
|
- `../seeds/ops-hub-manifest.draft.json` contains the initial capability
|
||||||
|
manifest draft.
|
||||||
|
- `../seeds/ops-hub-widgets.seed.json` contains the initial widget seed.
|
||||||
|
- `../seeds/ops-hub-bootstrap.sql` is an operator-approved fallback only; do
|
||||||
|
not use direct DB seeding while the supported Inter-Hub API path is viable or
|
||||||
|
pending.
|
||||||
171
docs/bootstrap-runbook.md
Normal file
171
docs/bootstrap-runbook.md
Normal file
@@ -0,0 +1,171 @@
|
|||||||
|
# Ops Hub Bootstrap Runbook
|
||||||
|
|
||||||
|
Date: 2026-06-17
|
||||||
|
|
||||||
|
## Purpose
|
||||||
|
|
||||||
|
This runbook is the operator-ready path for activating `ops-hub` in production
|
||||||
|
Inter-Hub. It covers the preferred API bootstrap, key custody expectations, the
|
||||||
|
ops-warden remote execution lane, and the explicit SQL fallback.
|
||||||
|
|
||||||
|
Use this when finishing `CUST-WP-0047-T05` or any later ops-hub Inter-Hub
|
||||||
|
activation task.
|
||||||
|
|
||||||
|
## Inputs
|
||||||
|
|
||||||
|
- Manifest draft: `seeds/ops-hub-manifest.draft.json`
|
||||||
|
- Widget seed: `seeds/ops-hub-widgets.seed.json`
|
||||||
|
- API helper: `scripts/ops-hub-bootstrap-api.py`
|
||||||
|
- Migration fallback: `seeds/ops-hub-bootstrap.sql`
|
||||||
|
- Production Inter-Hub base URL: `https://hub.coulomb.social`
|
||||||
|
|
||||||
|
## Secret Custody Rules
|
||||||
|
|
||||||
|
- Do not paste operator keys into Codex-visible chat, workplans, commits, or
|
||||||
|
shell transcripts.
|
||||||
|
- Prefer `IHUB_OPERATOR_KEY_FILE` over `IHUB_OPERATOR_KEY`.
|
||||||
|
- Operator key temp files must be mode `0600` and removed after the run.
|
||||||
|
- The generated ops-hub runtime key is display-once material. Store it in
|
||||||
|
OpenBao or the approved operator secret store immediately.
|
||||||
|
- The helper prints only non-secret ids, key prefixes, and file paths.
|
||||||
|
|
||||||
|
## Preferred API Bootstrap
|
||||||
|
|
||||||
|
First confirm the API surface:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
make interhub-gate
|
||||||
|
```
|
||||||
|
|
||||||
|
Then materialize the Inter-Hub operator key into a temporary file. Example
|
||||||
|
local pattern:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
umask 077
|
||||||
|
operator_key_file="$(mktemp)"
|
||||||
|
# Write the operator key into "$operator_key_file" from the approved secret
|
||||||
|
# source. Do not echo it into shared logs.
|
||||||
|
```
|
||||||
|
|
||||||
|
Run the attended bootstrap:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
make interhub-bootstrap \
|
||||||
|
IHUB_BASE=https://hub.coulomb.social \
|
||||||
|
IHUB_OPERATOR_KEY_FILE="$operator_key_file"
|
||||||
|
```
|
||||||
|
|
||||||
|
The helper creates or reuses:
|
||||||
|
|
||||||
|
- the `ops-hub` hub row
|
||||||
|
- the active ops-hub capability manifest
|
||||||
|
- the `ops-hub` API consumer
|
||||||
|
- an ops-hub runtime API key, when one was not supplied
|
||||||
|
- the seed widgets from `seeds/ops-hub-widgets.seed.json`
|
||||||
|
- the initial Gitea readiness event, unless `--skip-event` is used directly
|
||||||
|
|
||||||
|
If the helper creates a runtime key, it writes the full value to a `0600` file
|
||||||
|
and prints the path plus key prefix. Store that key immediately, then remove the
|
||||||
|
file:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
runtime_key_file="/path/printed/as/runtimeKey.keyFile"
|
||||||
|
# Example path only; use the approved OpenBao mount/path for the environment.
|
||||||
|
bao kv put secret/platform/operators/ops-hub/runtime \
|
||||||
|
OPS_HUB_KEY="$(cat "$runtime_key_file")"
|
||||||
|
|
||||||
|
rm -f "$operator_key_file" "$runtime_key_file"
|
||||||
|
```
|
||||||
|
|
||||||
|
If an ops-hub runtime key already exists in the secret store, materialize it as
|
||||||
|
`OPS_HUB_KEY_FILE` before the run. The helper will reuse it instead of creating
|
||||||
|
a new display-once key.
|
||||||
|
|
||||||
|
## Remote Execution With Ops-Warden
|
||||||
|
|
||||||
|
When the operator key must stay on a trusted host, use the ops-warden access
|
||||||
|
lane instead of moving the key into the workstation session:
|
||||||
|
|
||||||
|
1. Add or reuse an `agt` actor such as `agt-codex-interhub-bootstrap` with a
|
||||||
|
narrow principal such as `agt-interhub-bootstrap` and a short TTL.
|
||||||
|
2. Use `ops-ssh-wrapper` to acquire a short-lived SSH certificate.
|
||||||
|
3. On the target host, railiance-infra should map the principal to a narrow
|
||||||
|
force-command or wrapper that runs only this bootstrap path.
|
||||||
|
4. The host wrapper reads the operator key from OpenBao or an attended temp
|
||||||
|
file, runs `make interhub-bootstrap`, stores the generated ops-hub runtime
|
||||||
|
key back into OpenBao, and emits non-secret JSON evidence.
|
||||||
|
|
||||||
|
See `ops-warden/wiki/InterHubBootstrapAccessLane.md` for the certificate
|
||||||
|
envelope and host-boundary rules.
|
||||||
|
|
||||||
|
## SQL Fallback Path
|
||||||
|
|
||||||
|
Prefer the API bootstrap whenever possible. Use SQL only when the operator
|
||||||
|
explicitly approves deployment-side migration/bootstrap execution.
|
||||||
|
|
||||||
|
From a shell with Railiance01 Kubernetes access:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
kubectl exec -i -n databases net-kingdom-pg-1 -- \
|
||||||
|
psql -U postgres -d interhub \
|
||||||
|
< /home/worsch/ops-hub/seeds/ops-hub-bootstrap.sql
|
||||||
|
```
|
||||||
|
|
||||||
|
If using the HostEurope kubeconfig from the workstation:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
KUBECONFIG=~/.kube/config-hosteurope \
|
||||||
|
kubectl exec -i -n databases net-kingdom-pg-1 -- \
|
||||||
|
psql -U postgres -d interhub \
|
||||||
|
< /home/worsch/ops-hub/seeds/ops-hub-bootstrap.sql
|
||||||
|
```
|
||||||
|
|
||||||
|
The SQL fallback creates the hub, active manifest, registry entries, API
|
||||||
|
consumer row, and seed widgets. It does not create the one-time visible static
|
||||||
|
API key. Generate that through the authenticated Inter-Hub UI or the supported
|
||||||
|
API helper and store it outside Git.
|
||||||
|
|
||||||
|
## Validation
|
||||||
|
|
||||||
|
After manifest activation:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
curl -s https://hub.coulomb.social/api/v2/widget-types
|
||||||
|
curl -s https://hub.coulomb.social/api/v2/event-types
|
||||||
|
curl -s https://hub.coulomb.social/api/v2/annotation-categories
|
||||||
|
```
|
||||||
|
|
||||||
|
Expected: ops-owned vocabulary appears in the relevant registries.
|
||||||
|
|
||||||
|
After API key creation or reuse:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
curl -s -X POST https://hub.coulomb.social/api/v2/token \
|
||||||
|
-H "Content-Type: application/x-www-form-urlencoded" \
|
||||||
|
--data-urlencode "grant_type=client_credentials" \
|
||||||
|
--data-urlencode "client_id=<api-consumer-id>" \
|
||||||
|
--data-urlencode "client_secret=<static-api-key>" \
|
||||||
|
--data-urlencode "scope=framework:read hub:ops-hub:read hub:ops-hub:write"
|
||||||
|
```
|
||||||
|
|
||||||
|
Expected: a short-lived access token is returned.
|
||||||
|
|
||||||
|
After widget seeding:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
curl -s https://hub.coulomb.social/api/v2/hub-registry
|
||||||
|
```
|
||||||
|
|
||||||
|
Expected: `ops-hub` is visible, and the operator can see the seeded widgets in
|
||||||
|
the authenticated UI.
|
||||||
|
|
||||||
|
## Current Live-Execution Blocker
|
||||||
|
|
||||||
|
The repo-side helper and runbook are ready. The remaining blocker is an
|
||||||
|
authenticated production execution lane:
|
||||||
|
|
||||||
|
- an operator-provided `IHUB_OPERATOR_KEY_FILE`,
|
||||||
|
- an OpenBao-materialized key on a trusted host, or
|
||||||
|
- an explicitly approved deployment-side migration/bootstrap path.
|
||||||
|
|
||||||
|
Until one of those is available, run only local validation and gate probes.
|
||||||
146
docs/initial-inventory.md
Normal file
146
docs/initial-inventory.md
Normal file
@@ -0,0 +1,146 @@
|
|||||||
|
# Ops Hub Initial Inventory
|
||||||
|
|
||||||
|
Date: 2026-06-06
|
||||||
|
|
||||||
|
## Purpose
|
||||||
|
|
||||||
|
This document is the first structured inventory for `ops-hub`, the VSM
|
||||||
|
Operations / System 1 hub. It turns the current operations situation into a
|
||||||
|
catalogable model for this implementation repo.
|
||||||
|
|
||||||
|
Source background:
|
||||||
|
|
||||||
|
- `/home/worsch/helix-forge/wiki/CurrentOperationsSituation.md`
|
||||||
|
- `/home/worsch/helix-forge/workplans/HF-WP-0001-establish-ops-hub-first-extension.md`
|
||||||
|
|
||||||
|
## Repository Boundary
|
||||||
|
|
||||||
|
As of 2026-06-06, `ops-hub` implementation belongs in `/home/worsch/ops-hub`
|
||||||
|
with remote `gitea-remote:coulomb/ops-hub.git`.
|
||||||
|
|
||||||
|
- `ops-hub` owns collectors, adapters, scheduled probes, runtime
|
||||||
|
packaging, UI/extensions, tests, and Inter-Hub bootstrap/smoke clients.
|
||||||
|
- `inter-hub` remains the generic hub framework, manifest/registry substrate,
|
||||||
|
authentication surface, widget/event API, and bootstrap API owner.
|
||||||
|
- `helix-forge` keeps architecture context and the original coordinating
|
||||||
|
workplan.
|
||||||
|
- Railiance repos own deployable infrastructure/service state and the
|
||||||
|
operational evidence that `ops-hub` should surface.
|
||||||
|
|
||||||
|
## VSM Placement
|
||||||
|
|
||||||
|
| Field | Value |
|
||||||
|
|---|---|
|
||||||
|
| Hub | `ops-hub` |
|
||||||
|
| Hub family | `vsm` |
|
||||||
|
| VSM function | `OPS` |
|
||||||
|
| VSM system | `S1` |
|
||||||
|
| Primary concern | Operational truth and evidence |
|
||||||
|
|
||||||
|
`ops-hub` owns the description of what is currently running, where it runs, how
|
||||||
|
it is reached, what state it is in, and what operational evidence exists. It
|
||||||
|
does not replace State Hub workstreams or Inter-Hub governance.
|
||||||
|
|
||||||
|
## Environments
|
||||||
|
|
||||||
|
| Environment | Role | Current state | Notes |
|
||||||
|
|---|---|---|---|
|
||||||
|
| `local` | Workstation development and local services | Active, important, not production | Hosts State Hub and local build/runtime pieces. |
|
||||||
|
| `coulombcore` | Live transitional production | Active, production-like, historically hand-built | Public IP `92.205.130.254`; runs current Gitea and experimental operational services. |
|
||||||
|
| `railiance01` | Future production foundation | Provisioning target | Public IP `92.205.62.239`; first server of intended ThreePhoenix shape. |
|
||||||
|
| `threephoenix-prod` | Target production topology | Planned | Future governed multi-node production environment. |
|
||||||
|
|
||||||
|
## Hosts
|
||||||
|
|
||||||
|
| Host | Environment | Address | Role | Known gaps |
|
||||||
|
|---|---|---|---|---|
|
||||||
|
| `coulombcore` | `coulombcore` | `92.205.130.254` | Current live production-like server | Needs service catalog, drift tracking, backup/restore evidence, and migration disposition. |
|
||||||
|
| `railiance01` | `railiance01` | `92.205.62.239` | First ThreePhoenix production foundation node | Needs full inventory, readiness gates, and cluster/platform bootstrap evidence. |
|
||||||
|
| local workstation | `local` | local/private | State Hub and development runtime host | Needs explicit service ownership and backup expectations. |
|
||||||
|
|
||||||
|
Ops Bridge may provide reachability evidence for connected servers, but it is
|
||||||
|
not the service catalog. `ops-hub` should turn bridge reachability into
|
||||||
|
inventory signals rather than treating the bridge itself as the inventory.
|
||||||
|
|
||||||
|
## Clusters
|
||||||
|
|
||||||
|
| Cluster | Environment | Role | Current notes |
|
||||||
|
|---|---|---|---|
|
||||||
|
| CoulombCore Kubernetes | `coulombcore` | Current operational Kubernetes runtime | Hosts current Gitea deployment and related services. |
|
||||||
|
| ThreePhoenix Kubernetes | `threephoenix-prod` | Target production runtime | Future governed production cluster assembled through Railiance repos. |
|
||||||
|
|
||||||
|
## Services
|
||||||
|
|
||||||
|
| Service | Current environment | Owner repo | Current evidence | Gaps |
|
||||||
|
|---|---|---|---|---|
|
||||||
|
| Gitea | `coulombcore` | `railiance-apps` | Helm release `gitea`, namespace `default`, app version `1.25.4`, NodePort `32166`, public registry path returns auth challenge. | SOPS Helm values update, package token, `docker login`, push, pull, backup coverage, restore evidence. |
|
||||||
|
| Gitea database | `coulombcore` | `railiance-platform` | Database `gitea-db` in namespace `databases`. | Backup and restore evidence not recorded here yet. |
|
||||||
|
| Gitea shared storage | `coulombcore` | `railiance-platform` / `railiance-apps` | PVC `default/gitea-shared-storage`. | Package blob backup and restore evidence not confirmed. |
|
||||||
|
| State Hub | `local` | `the-custodian/state-hub` | Local API and dashboard are operational enough for repo registration and workplan sync. | Future cluster deployment/readiness still needs gates and evidence. |
|
||||||
|
| Inter-Hub | live public endpoint | `inter-hub` | `https://hub.coulomb.social/api/v2/openapi.json` and docs are reachable. | Hub bootstrap still depends on authenticated UI or migration. |
|
||||||
|
| Ops Bridge | local/remote bridge | `ops-bridge` | Useful for connected-server visibility. | Not a service catalog; should emit reachability evidence into `ops-hub`. |
|
||||||
|
|
||||||
|
## Endpoints
|
||||||
|
|
||||||
|
| Endpoint | Service | Environment | Current status | Evidence |
|
||||||
|
|---|---|---|---|---|
|
||||||
|
| `https://gitea.coulomb.social/v2/` | Gitea OCI registry | `coulombcore` | Route fixed; returns registry auth challenge | Expected `401` with OCI registry challenge. |
|
||||||
|
| `https://hub.coulomb.social/api/v2/openapi.json` | Inter-Hub API | live Inter-Hub | Reachable | OpenAPI document fetched on 2026-05-16. |
|
||||||
|
| `https://hub.coulomb.social/Hubs` | Inter-Hub UI | live Inter-Hub | Requires login | Redirects to `/NewSession`. |
|
||||||
|
| `http://127.0.0.1:8000/state/health` | State Hub API | `local` | Reachable locally | Used for StateHub registration/sync. |
|
||||||
|
|
||||||
|
## Service Catalog Gap
|
||||||
|
|
||||||
|
There is no central place that answers these questions:
|
||||||
|
|
||||||
|
- What runs where?
|
||||||
|
- Which repo owns its desired state?
|
||||||
|
- Which endpoint exposes it?
|
||||||
|
- Which data stores back it?
|
||||||
|
- Which backups and restore tests cover it?
|
||||||
|
- Which migration wave will replace or move it?
|
||||||
|
- Which current evidence proves it is healthy?
|
||||||
|
|
||||||
|
`ops-hub` should be the first place where these answers are explicit and
|
||||||
|
machine-addressable.
|
||||||
|
|
||||||
|
## First Ops Widgets
|
||||||
|
|
||||||
|
Seed these in Inter-Hub once `ops-hub` exists:
|
||||||
|
|
||||||
|
- `ops-env-local`
|
||||||
|
- `ops-env-coulombcore`
|
||||||
|
- `ops-env-railiance01`
|
||||||
|
- `ops-env-threephoenix-prod`
|
||||||
|
- `ops-host-coulombcore`
|
||||||
|
- `ops-host-railiance01`
|
||||||
|
- `ops-service-catalog`
|
||||||
|
- `ops-service-gitea`
|
||||||
|
- `ops-service-state-hub`
|
||||||
|
- `ops-service-inter-hub`
|
||||||
|
- `ops-endpoint-gitea-registry`
|
||||||
|
- `ops-readiness-gitea-registry`
|
||||||
|
- `ops-readiness-state-hub-cluster-deploy`
|
||||||
|
- `ops-migration-coulombcore-to-threephoenix`
|
||||||
|
|
||||||
|
## First Evidence Events
|
||||||
|
|
||||||
|
The first event should be the Gitea registry endpoint verification:
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"widgetId": "<ops-endpoint-gitea-registry-widget-id>",
|
||||||
|
"eventType": "ops-endpoint-verified",
|
||||||
|
"viewContext": "railiance-apps/workplans/RAIL-AP-WP-0001",
|
||||||
|
"metadata": {
|
||||||
|
"vsmFunction": "OPS",
|
||||||
|
"vsmSystem": "S1",
|
||||||
|
"endpoint": "https://gitea.coulomb.social/v2/",
|
||||||
|
"expectedStatus": 401,
|
||||||
|
"observedHeader": "Docker-Distribution-Api-Version: registry/2.0"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
This event is blocked until the ops event type is registered by an active
|
||||||
|
manifest and the target widget exists.
|
||||||
63
docs/readiness-gates.md
Normal file
63
docs/readiness-gates.md
Normal file
@@ -0,0 +1,63 @@
|
|||||||
|
# Ops Hub Readiness Gates
|
||||||
|
|
||||||
|
Date: 2026-06-06
|
||||||
|
|
||||||
|
## Purpose
|
||||||
|
|
||||||
|
These gates define what must be true before operational responsibility can move
|
||||||
|
from the current CoulombCore setup to the future ThreePhoenix production setup.
|
||||||
|
They are the first repo-local `ops-hub` readiness model.
|
||||||
|
|
||||||
|
Statuses:
|
||||||
|
|
||||||
|
- `unknown` means no reliable evidence has been cataloged yet.
|
||||||
|
- `partial` means some evidence exists, but the gate is not complete.
|
||||||
|
- `blocked` means a required precondition is missing.
|
||||||
|
- `ready` means the evidence requirement is satisfied.
|
||||||
|
|
||||||
|
## Gates
|
||||||
|
|
||||||
|
| ID | Gate | Owner repo | Evidence requirement | Current status |
|
||||||
|
|---|---|---|---|---|
|
||||||
|
| OPS-G01 | Environment inventory exists | `ops-hub` | `local`, `coulombcore`, `railiance01`, and `threephoenix-prod` are represented with role, lifecycle state, and owner notes. | `partial` |
|
||||||
|
| OPS-G02 | Service catalog exists | `ops-hub` | Each live and target service has environment, owner repo, endpoint, backing stores, lifecycle state, and evidence links. | `partial` |
|
||||||
|
| OPS-G03 | DNS and TLS are codified | `railiance-cluster` / `railiance-apps` | Public hostnames, ingress routes, certificate sources, and renewal paths are declared in repo files. | `unknown` |
|
||||||
|
| OPS-G04 | Git hosting is reproducible | `railiance-apps` / `railiance-platform` | Gitea or successor deployment can be recreated from repo state, including database and storage dependencies. | `partial` |
|
||||||
|
| OPS-G05 | Container registry publishing is proven | `railiance-apps` | `docker login`, push, and pull succeed against `https://gitea.coulomb.social/v2/` using governed secrets. | `partial` |
|
||||||
|
| OPS-G06 | Persistent data is backed up | `railiance-platform` | Each persistent data store has backup location, schedule, retention, ownership, and latest successful backup evidence. | `unknown` |
|
||||||
|
| OPS-G07 | Restore path is proven | `railiance-platform` / `railiance-apps` | Restore test evidence exists for Gitea database, package blobs, and State Hub data. | `unknown` |
|
||||||
|
| OPS-G08 | Secrets path is governed | `railiance-infra` / `railiance-apps` | SOPS/age keys and operator secret paths are documented; no required secret depends on shell memory. | `partial` |
|
||||||
|
| OPS-G09 | Cluster runtime is reproducible | `railiance-cluster` | Kubernetes runtime, ingress, CNI, operators, and routing primitives are recreated through repo-owned automation. | `unknown` |
|
||||||
|
| OPS-G10 | Platform services are reproducible | `railiance-platform` | PostgreSQL/CNPG, object storage, secret management, and identity dependencies have repo-owned deployment evidence. | `unknown` |
|
||||||
|
| OPS-G11 | Application deployment is reproducible | `railiance-apps` | Gitea, Inter-Hub, State Hub, and other application releases are declared with Helm values and deployment runbooks. | `partial` |
|
||||||
|
| OPS-G12 | Rollback path is documented | owning service repos | Each migration wave has rollback conditions, steps, and data safety notes. | `unknown` |
|
||||||
|
| OPS-G13 | Operator runbooks exist | owning service repos | Deploy, restore, rotate, incident response, and migration runbooks exist for each critical service. | `unknown` |
|
||||||
|
| OPS-G14 | Observability and health checks are explicit | `railiance-cluster` / `railiance-platform` / service repos | Health checks, logs, metrics, and endpoint probes are documented and tied to service catalog entries. | `unknown` |
|
||||||
|
| OPS-G15 | Inter-Hub ops bootstrap is available | `inter-hub` / `ops-hub` / `helix-forge` | `ops-hub` can be created through UI, supported API, or explicit migration fallback, manifest activated, API consumer/key created, widgets seeded, and events accepted. | `partial` |
|
||||||
|
|
||||||
|
## Initial Migration Waves
|
||||||
|
|
||||||
|
| Wave | Goal | Required gates |
|
||||||
|
|---|---|---|
|
||||||
|
| `wave-0-catalog` | Establish the operational truth surface without moving services. | OPS-G01, OPS-G02, OPS-G15 |
|
||||||
|
| `wave-1-registry-proof` | Prove current Gitea registry publishing and evidence capture. | OPS-G03, OPS-G05, OPS-G08, OPS-G14 |
|
||||||
|
| `wave-2-backup-restore` | Confirm backups and restore paths for critical persistent state. | OPS-G06, OPS-G07, OPS-G13 |
|
||||||
|
| `wave-3-threephoenix-foundation` | Recreate cluster and platform foundations on railiance01/ThreePhoenix. | OPS-G09, OPS-G10 |
|
||||||
|
| `wave-4-service-migration` | Move or replace production responsibilities from CoulombCore to ThreePhoenix. | OPS-G04, OPS-G11, OPS-G12 plus service-specific gates |
|
||||||
|
|
||||||
|
## Evidence Shape
|
||||||
|
|
||||||
|
Each readiness gate should eventually be represented in `ops-hub` as a widget
|
||||||
|
or widget family with events like:
|
||||||
|
|
||||||
|
- `ops-readiness-gate-updated`
|
||||||
|
- `ops-endpoint-verified`
|
||||||
|
- `ops-backup-verified`
|
||||||
|
- `ops-restore-tested`
|
||||||
|
- `ops-risk-raised`
|
||||||
|
- `ops-migration-gate-passed`
|
||||||
|
- `ops-migration-gate-failed`
|
||||||
|
|
||||||
|
Until Inter-Hub can create all required records through API calls, the evidence
|
||||||
|
can be maintained in this repo and mirrored into Inter-Hub through the UI or
|
||||||
|
explicit operator-approved migrations.
|
||||||
9
pyproject.toml
Normal file
9
pyproject.toml
Normal file
@@ -0,0 +1,9 @@
|
|||||||
|
[project]
|
||||||
|
name = "ops-hub"
|
||||||
|
version = "0.1.0"
|
||||||
|
description = "Operations / System 1 extension tooling for Inter-Hub"
|
||||||
|
requires-python = ">=3.11"
|
||||||
|
dependencies = []
|
||||||
|
|
||||||
|
[tool.pytest.ini_options]
|
||||||
|
pythonpath = ["src"]
|
||||||
15
scripts/interhub-gate-probe.py
Normal file
15
scripts/interhub-gate-probe.py
Normal file
@@ -0,0 +1,15 @@
|
|||||||
|
#!/usr/bin/env python3
|
||||||
|
"""Run the Inter-Hub ops-hub bootstrap gate probe."""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import sys
|
||||||
|
from pathlib import Path
|
||||||
|
|
||||||
|
sys.path.insert(0, str(Path(__file__).resolve().parents[1] / "src"))
|
||||||
|
|
||||||
|
from ops_hub.interhub_gate_probe import main
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
raise SystemExit(main())
|
||||||
368
scripts/ops-hub-bootstrap-api.py
Normal file
368
scripts/ops-hub-bootstrap-api.py
Normal file
@@ -0,0 +1,368 @@
|
|||||||
|
#!/usr/bin/env python3
|
||||||
|
"""Bootstrap ops-hub in Inter-Hub using the prepared ops-hub seeds.
|
||||||
|
|
||||||
|
The script never prints full API keys. The operator key is read from
|
||||||
|
IHUB_OPERATOR_KEY or IHUB_OPERATOR_KEY_FILE. If an ops-hub runtime key is
|
||||||
|
created, the full key is written to a 0600 temp file and only the file path and
|
||||||
|
key prefix are printed.
|
||||||
|
"""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import argparse
|
||||||
|
import json
|
||||||
|
import os
|
||||||
|
import stat
|
||||||
|
import sys
|
||||||
|
import tempfile
|
||||||
|
import time
|
||||||
|
import urllib.error
|
||||||
|
import urllib.parse
|
||||||
|
import urllib.request
|
||||||
|
from pathlib import Path
|
||||||
|
from typing import Any
|
||||||
|
|
||||||
|
|
||||||
|
DEFAULT_BASE = "https://hub.coulomb.social"
|
||||||
|
ROOT = Path(__file__).resolve().parents[1]
|
||||||
|
MANIFEST_PATH = ROOT / "seeds" / "ops-hub-manifest.draft.json"
|
||||||
|
WIDGETS_PATH = ROOT / "seeds" / "ops-hub-widgets.seed.json"
|
||||||
|
|
||||||
|
|
||||||
|
class BootstrapError(RuntimeError):
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
||||||
|
def load_secret(name: str, file_name: str) -> str:
|
||||||
|
value = os.environ.get(name, "").strip()
|
||||||
|
if value:
|
||||||
|
return value
|
||||||
|
file_path = os.environ.get(file_name, "").strip()
|
||||||
|
if file_path:
|
||||||
|
return Path(file_path).read_text(encoding="utf-8").strip()
|
||||||
|
return ""
|
||||||
|
|
||||||
|
|
||||||
|
def request_json(
|
||||||
|
base_url: str,
|
||||||
|
method: str,
|
||||||
|
path: str,
|
||||||
|
token: str | None,
|
||||||
|
body: dict[str, Any] | None,
|
||||||
|
*,
|
||||||
|
expected: set[int],
|
||||||
|
) -> dict[str, Any]:
|
||||||
|
data = json.dumps(body).encode("utf-8") if body is not None else None
|
||||||
|
request = urllib.request.Request(base_url + path, data=data, method=method)
|
||||||
|
request.add_header("Accept", "application/json")
|
||||||
|
request.add_header("User-Agent", "ops-hub-bootstrap/0.1")
|
||||||
|
if token:
|
||||||
|
request.add_header("Authorization", f"Bearer {token}")
|
||||||
|
if body is not None:
|
||||||
|
request.add_header("Content-Type", "application/json")
|
||||||
|
|
||||||
|
try:
|
||||||
|
with urllib.request.urlopen(request, timeout=30) as response:
|
||||||
|
status = response.status
|
||||||
|
payload = response.read().decode("utf-8")
|
||||||
|
except urllib.error.HTTPError as error:
|
||||||
|
payload = error.read().decode("utf-8", errors="replace")
|
||||||
|
raise BootstrapError(f"{method} {path} failed with HTTP {error.code}: {payload}") from error
|
||||||
|
|
||||||
|
if status not in expected:
|
||||||
|
raise BootstrapError(f"{method} {path} returned HTTP {status}, expected {sorted(expected)}")
|
||||||
|
if not payload:
|
||||||
|
return {}
|
||||||
|
return json.loads(payload)
|
||||||
|
|
||||||
|
|
||||||
|
def list_items(base_url: str, path: str, token: str | None) -> list[dict[str, Any]]:
|
||||||
|
response = request_json(base_url, "GET", path, token, None, expected={200})
|
||||||
|
data = response.get("data", [])
|
||||||
|
if not isinstance(data, list):
|
||||||
|
raise BootstrapError(f"expected paginated data array from {path}")
|
||||||
|
return data
|
||||||
|
|
||||||
|
|
||||||
|
def first_by(items: list[dict[str, Any]], key: str, value: Any) -> dict[str, Any] | None:
|
||||||
|
return next((item for item in items if item.get(key) == value), None)
|
||||||
|
|
||||||
|
|
||||||
|
def load_manifest() -> dict[str, Any]:
|
||||||
|
manifest = json.loads(MANIFEST_PATH.read_text(encoding="utf-8"))
|
||||||
|
required = [
|
||||||
|
"hub",
|
||||||
|
"manifestVersion",
|
||||||
|
"declaredWidgetTypes",
|
||||||
|
"declaredEventTypes",
|
||||||
|
"declaredAnnotationCategories",
|
||||||
|
"declaredPolicyScopes",
|
||||||
|
]
|
||||||
|
missing = [key for key in required if key not in manifest]
|
||||||
|
if missing:
|
||||||
|
raise BootstrapError(f"{MANIFEST_PATH} missing required key(s): {', '.join(missing)}")
|
||||||
|
return manifest
|
||||||
|
|
||||||
|
|
||||||
|
def load_widgets() -> list[dict[str, Any]]:
|
||||||
|
widgets = json.loads(WIDGETS_PATH.read_text(encoding="utf-8"))
|
||||||
|
if not isinstance(widgets, list):
|
||||||
|
raise BootstrapError(f"{WIDGETS_PATH} must contain a JSON array")
|
||||||
|
return widgets
|
||||||
|
|
||||||
|
|
||||||
|
def ensure_hub(base_url: str, operator_key: str, manifest: dict[str, Any]) -> dict[str, Any]:
|
||||||
|
hub_seed = manifest["hub"]
|
||||||
|
slug = hub_seed["slug"]
|
||||||
|
existing = first_by(list_items(base_url, "/api/v2/hubs", operator_key), "slug", slug)
|
||||||
|
if existing:
|
||||||
|
return {"record": existing, "created": False}
|
||||||
|
|
||||||
|
body = {
|
||||||
|
"slug": slug,
|
||||||
|
"name": hub_seed["name"],
|
||||||
|
"domain": hub_seed["domain"],
|
||||||
|
"hubKind": hub_seed.get("hubKind", "domain"),
|
||||||
|
"hubFamily": "vsm",
|
||||||
|
"vsmFunction": "OPS",
|
||||||
|
"vsmSystem": "1",
|
||||||
|
}
|
||||||
|
record = request_json(base_url, "POST", "/api/v2/hubs", operator_key, body, expected={201})
|
||||||
|
return {"record": record, "created": True}
|
||||||
|
|
||||||
|
|
||||||
|
def manifest_body(manifest: dict[str, Any], hub_id: str | None = None) -> dict[str, Any]:
|
||||||
|
body: dict[str, Any] = {
|
||||||
|
"manifestVersion": manifest["manifestVersion"],
|
||||||
|
"declaredWidgetTypes": manifest["declaredWidgetTypes"],
|
||||||
|
"declaredEventTypes": manifest["declaredEventTypes"],
|
||||||
|
"declaredAnnotationCategories": manifest["declaredAnnotationCategories"],
|
||||||
|
"declaredPolicyScopes": manifest["declaredPolicyScopes"],
|
||||||
|
"capabilityDescription": manifest.get("capabilityDescription", ""),
|
||||||
|
"contact": manifest.get("contact", "operator"),
|
||||||
|
}
|
||||||
|
if hub_id:
|
||||||
|
body["hubId"] = hub_id
|
||||||
|
return body
|
||||||
|
|
||||||
|
|
||||||
|
def ensure_manifest(base_url: str, operator_key: str, hub_id: str, manifest: dict[str, Any]) -> dict[str, Any]:
|
||||||
|
query = urllib.parse.urlencode({"hubId": hub_id})
|
||||||
|
manifests = list_items(base_url, f"/api/v2/hub-capability-manifests?{query}", operator_key)
|
||||||
|
active = first_by(manifests, "status", "active")
|
||||||
|
if active:
|
||||||
|
return {"record": active, "created": False, "activated": False}
|
||||||
|
|
||||||
|
draft = first_by(manifests, "status", "draft")
|
||||||
|
if draft:
|
||||||
|
record = request_json(
|
||||||
|
base_url,
|
||||||
|
"PATCH",
|
||||||
|
f"/api/v2/hub-capability-manifests/{draft['id']}",
|
||||||
|
operator_key,
|
||||||
|
manifest_body(manifest),
|
||||||
|
expected={200},
|
||||||
|
)
|
||||||
|
created = False
|
||||||
|
else:
|
||||||
|
record = request_json(
|
||||||
|
base_url,
|
||||||
|
"POST",
|
||||||
|
"/api/v2/hub-capability-manifests",
|
||||||
|
operator_key,
|
||||||
|
manifest_body(manifest, hub_id),
|
||||||
|
expected={201},
|
||||||
|
)
|
||||||
|
created = True
|
||||||
|
|
||||||
|
activated = request_json(
|
||||||
|
base_url,
|
||||||
|
"POST",
|
||||||
|
f"/api/v2/hub-capability-manifests/{record['id']}/activate",
|
||||||
|
operator_key,
|
||||||
|
None,
|
||||||
|
expected={200},
|
||||||
|
)
|
||||||
|
return {"record": activated, "created": created, "activated": True}
|
||||||
|
|
||||||
|
|
||||||
|
def ensure_api_consumer(base_url: str, operator_key: str, manifest_id: str) -> dict[str, Any]:
|
||||||
|
consumers = list_items(base_url, "/api/v2/api-consumers", operator_key)
|
||||||
|
existing = first_by(consumers, "name", "ops-hub")
|
||||||
|
if existing:
|
||||||
|
return {"record": existing, "created": False}
|
||||||
|
|
||||||
|
record = request_json(
|
||||||
|
base_url,
|
||||||
|
"POST",
|
||||||
|
"/api/v2/api-consumers",
|
||||||
|
operator_key,
|
||||||
|
{
|
||||||
|
"name": "ops-hub",
|
||||||
|
"description": "API consumer for the VSM Operations hub",
|
||||||
|
"hubCapabilityManifestId": manifest_id,
|
||||||
|
"rateLimitPerMinute": 120,
|
||||||
|
"quotaPerDay": 50000,
|
||||||
|
},
|
||||||
|
expected={201},
|
||||||
|
)
|
||||||
|
return {"record": record, "created": True}
|
||||||
|
|
||||||
|
|
||||||
|
def write_runtime_key(full_key: str, output_path: str | None) -> Path:
|
||||||
|
if output_path:
|
||||||
|
path = Path(output_path)
|
||||||
|
path.write_text(full_key, encoding="utf-8")
|
||||||
|
else:
|
||||||
|
fd, raw_path = tempfile.mkstemp(prefix="ops-hub-runtime-key-", text=True)
|
||||||
|
path = Path(raw_path)
|
||||||
|
with os.fdopen(fd, "w", encoding="utf-8") as handle:
|
||||||
|
handle.write(full_key)
|
||||||
|
path.chmod(stat.S_IRUSR | stat.S_IWUSR)
|
||||||
|
return path
|
||||||
|
|
||||||
|
|
||||||
|
def ensure_runtime_key(
|
||||||
|
base_url: str,
|
||||||
|
operator_key: str,
|
||||||
|
api_consumer_id: str,
|
||||||
|
output_path: str | None,
|
||||||
|
) -> dict[str, Any]:
|
||||||
|
existing_runtime_key = load_secret("OPS_HUB_KEY", "OPS_HUB_KEY_FILE")
|
||||||
|
if existing_runtime_key:
|
||||||
|
return {
|
||||||
|
"created": False,
|
||||||
|
"token": existing_runtime_key,
|
||||||
|
"keyPrefix": existing_runtime_key[:8],
|
||||||
|
"keyFile": os.environ.get("OPS_HUB_KEY_FILE"),
|
||||||
|
}
|
||||||
|
|
||||||
|
response = request_json(
|
||||||
|
base_url,
|
||||||
|
"POST",
|
||||||
|
f"/api/v2/api-consumers/{api_consumer_id}/api-keys",
|
||||||
|
operator_key,
|
||||||
|
{"scopes": "framework:read hub:ops-hub:read hub:ops-hub:write"},
|
||||||
|
expected={201},
|
||||||
|
)
|
||||||
|
full_key = response.get("fullKey")
|
||||||
|
if not full_key:
|
||||||
|
raise BootstrapError("api key creation did not return display-once fullKey")
|
||||||
|
key_file = write_runtime_key(full_key, output_path)
|
||||||
|
api_key = response.get("apiKey") or {}
|
||||||
|
return {
|
||||||
|
"created": True,
|
||||||
|
"token": full_key,
|
||||||
|
"keyPrefix": api_key.get("keyPrefix", full_key[:8]),
|
||||||
|
"keyFile": str(key_file),
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
def ensure_widgets(base_url: str, runtime_key: str, hub_id: str, widget_seeds: list[dict[str, Any]]) -> dict[str, Any]:
|
||||||
|
existing_widgets = list_items(base_url, "/api/v2/widgets", runtime_key)
|
||||||
|
existing_by_ref = {
|
||||||
|
widget.get("capabilityRef"): widget
|
||||||
|
for widget in existing_widgets
|
||||||
|
if widget.get("hubId") == hub_id and widget.get("capabilityRef")
|
||||||
|
}
|
||||||
|
created: list[dict[str, Any]] = []
|
||||||
|
reused: list[dict[str, Any]] = []
|
||||||
|
for seed in widget_seeds:
|
||||||
|
existing = existing_by_ref.get(seed.get("capabilityRef"))
|
||||||
|
if existing:
|
||||||
|
reused.append(existing)
|
||||||
|
continue
|
||||||
|
body = {"hubId": hub_id, "status": "active", **seed}
|
||||||
|
created.append(request_json(base_url, "POST", "/api/v2/widgets", runtime_key, body, expected={201}))
|
||||||
|
return {"created": created, "reused": reused}
|
||||||
|
|
||||||
|
|
||||||
|
def submit_gitea_event(base_url: str, runtime_key: str, widgets: dict[str, Any]) -> dict[str, Any] | None:
|
||||||
|
all_widgets = widgets["created"] + widgets["reused"]
|
||||||
|
readiness = next(
|
||||||
|
(widget for widget in all_widgets if widget.get("capabilityRef") == "ops:readiness:gitea-registry"),
|
||||||
|
None,
|
||||||
|
)
|
||||||
|
if not readiness:
|
||||||
|
return None
|
||||||
|
return request_json(
|
||||||
|
base_url,
|
||||||
|
"POST",
|
||||||
|
"/api/v2/interaction-events",
|
||||||
|
runtime_key,
|
||||||
|
{
|
||||||
|
"widgetId": readiness["id"],
|
||||||
|
"eventType": "ops-endpoint-verified",
|
||||||
|
"viewContext": "railiance-apps/workplans/RAIL-AP-WP-0001",
|
||||||
|
"metadata": {
|
||||||
|
"vsmFunction": "OPS",
|
||||||
|
"vsmSystem": "S1",
|
||||||
|
"endpoint": "https://gitea.coulomb.social/v2/",
|
||||||
|
"expectedStatus": 401,
|
||||||
|
"observedHeader": "Docker-Distribution-Api-Version: registry/2.0",
|
||||||
|
"recordedBy": "ops-hub/scripts/ops-hub-bootstrap-api.py",
|
||||||
|
"recordedAt": int(time.time()),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
expected={201},
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def build_parser() -> argparse.ArgumentParser:
|
||||||
|
parser = argparse.ArgumentParser(description=__doc__)
|
||||||
|
parser.add_argument("--base", default=os.environ.get("IHUB_BASE", DEFAULT_BASE).rstrip("/"))
|
||||||
|
parser.add_argument("--runtime-key-output", default=os.environ.get("OPS_HUB_RUNTIME_KEY_OUTPUT"))
|
||||||
|
parser.add_argument("--skip-event", action="store_true", help="Do not submit the initial Gitea readiness event")
|
||||||
|
return parser
|
||||||
|
|
||||||
|
|
||||||
|
def main() -> int:
|
||||||
|
args = build_parser().parse_args()
|
||||||
|
operator_key = load_secret("IHUB_OPERATOR_KEY", "IHUB_OPERATOR_KEY_FILE")
|
||||||
|
if not operator_key:
|
||||||
|
print("ERROR: set IHUB_OPERATOR_KEY or IHUB_OPERATOR_KEY_FILE", file=sys.stderr)
|
||||||
|
return 2
|
||||||
|
|
||||||
|
manifest = load_manifest()
|
||||||
|
widget_seeds = load_widgets()
|
||||||
|
|
||||||
|
hub = ensure_hub(args.base, operator_key, manifest)
|
||||||
|
hub_record = hub["record"]
|
||||||
|
manifest_result = ensure_manifest(args.base, operator_key, hub_record["id"], manifest)
|
||||||
|
manifest_record = manifest_result["record"]
|
||||||
|
consumer = ensure_api_consumer(args.base, operator_key, manifest_record["id"])
|
||||||
|
runtime_key = ensure_runtime_key(args.base, operator_key, consumer["record"]["id"], args.runtime_key_output)
|
||||||
|
widgets = ensure_widgets(args.base, runtime_key["token"], hub_record["id"], widget_seeds)
|
||||||
|
event = None if args.skip_event else submit_gitea_event(args.base, runtime_key["token"], widgets)
|
||||||
|
|
||||||
|
summary = {
|
||||||
|
"ok": True,
|
||||||
|
"base": args.base,
|
||||||
|
"hub": {"id": hub_record["id"], "slug": hub_record["slug"], "created": hub["created"]},
|
||||||
|
"manifest": {
|
||||||
|
"id": manifest_record["id"],
|
||||||
|
"status": manifest_record["status"],
|
||||||
|
"created": manifest_result["created"],
|
||||||
|
"activated": manifest_result["activated"],
|
||||||
|
},
|
||||||
|
"apiConsumer": {"id": consumer["record"]["id"], "name": consumer["record"]["name"], "created": consumer["created"]},
|
||||||
|
"runtimeKey": {
|
||||||
|
"created": runtime_key["created"],
|
||||||
|
"keyPrefix": runtime_key["keyPrefix"],
|
||||||
|
"keyFile": runtime_key["keyFile"],
|
||||||
|
"storeImmediatelyInOpenBao": "platform/operators/ops-hub/runtime",
|
||||||
|
"field": "OPS_HUB_KEY",
|
||||||
|
},
|
||||||
|
"widgets": {"created": len(widgets["created"]), "reused": len(widgets["reused"])},
|
||||||
|
"event": None if event is None else {"id": event["id"], "eventType": event["eventType"], "widgetId": event["widgetId"]},
|
||||||
|
}
|
||||||
|
print(json.dumps(summary, indent=2, sort_keys=True))
|
||||||
|
return 0
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
try:
|
||||||
|
raise SystemExit(main())
|
||||||
|
except BootstrapError as exc:
|
||||||
|
print(f"ERROR: {exc}", file=sys.stderr)
|
||||||
|
raise SystemExit(1)
|
||||||
287
seeds/ops-hub-bootstrap.sql
Normal file
287
seeds/ops-hub-bootstrap.sql
Normal file
@@ -0,0 +1,287 @@
|
|||||||
|
-- ops-hub bootstrap fallback for Inter-Hub.
|
||||||
|
--
|
||||||
|
-- Use only when authenticated UI bootstrap is not practical and a
|
||||||
|
-- deployment-side migration/bootstrap is acceptable.
|
||||||
|
--
|
||||||
|
-- This creates:
|
||||||
|
-- - Hub row
|
||||||
|
-- - Active HubCapabilityManifest
|
||||||
|
-- - Owned type registry entries
|
||||||
|
-- - ApiConsumer row
|
||||||
|
-- - Seed widgets
|
||||||
|
--
|
||||||
|
-- It intentionally does not create an ApiKey. Generate the key through the
|
||||||
|
-- authenticated Inter-Hub UI so the full static key can be shown once and
|
||||||
|
-- stored in the operator secret store.
|
||||||
|
|
||||||
|
BEGIN;
|
||||||
|
|
||||||
|
INSERT INTO hubs (slug, name, domain, hub_kind)
|
||||||
|
VALUES ('ops-hub', 'Ops Hub', 'ops.coulomb.social', 'domain')
|
||||||
|
ON CONFLICT (slug) DO UPDATE
|
||||||
|
SET name = EXCLUDED.name,
|
||||||
|
domain = EXCLUDED.domain,
|
||||||
|
hub_kind = EXCLUDED.hub_kind;
|
||||||
|
|
||||||
|
-- Newer inter-hub schemas have first-class VSM metadata columns. Keep this
|
||||||
|
-- block conditional so the bootstrap still works against an older deployment
|
||||||
|
-- where the metadata is only carried by the manifest description.
|
||||||
|
DO $$
|
||||||
|
BEGIN
|
||||||
|
IF EXISTS (
|
||||||
|
SELECT 1
|
||||||
|
FROM information_schema.columns
|
||||||
|
WHERE table_name = 'hubs'
|
||||||
|
AND column_name = 'hub_family'
|
||||||
|
) THEN
|
||||||
|
UPDATE hubs
|
||||||
|
SET hub_family = 'vsm',
|
||||||
|
vsm_function = 'OPS',
|
||||||
|
vsm_system = '1'
|
||||||
|
WHERE slug = 'ops-hub';
|
||||||
|
END IF;
|
||||||
|
END $$;
|
||||||
|
|
||||||
|
WITH hub AS (
|
||||||
|
SELECT id FROM hubs WHERE slug = 'ops-hub'
|
||||||
|
)
|
||||||
|
INSERT INTO hub_capability_manifests (
|
||||||
|
hub_id,
|
||||||
|
manifest_version,
|
||||||
|
declared_widget_types,
|
||||||
|
declared_event_types,
|
||||||
|
declared_annotation_categories,
|
||||||
|
declared_policy_scopes,
|
||||||
|
capability_description,
|
||||||
|
contact,
|
||||||
|
status,
|
||||||
|
activated_at
|
||||||
|
)
|
||||||
|
SELECT
|
||||||
|
hub.id,
|
||||||
|
'1.0',
|
||||||
|
'[
|
||||||
|
"ops-environment",
|
||||||
|
"ops-host",
|
||||||
|
"ops-cluster",
|
||||||
|
"ops-service",
|
||||||
|
"ops-service-catalog",
|
||||||
|
"ops-endpoint",
|
||||||
|
"ops-release",
|
||||||
|
"ops-backup-set",
|
||||||
|
"ops-secret-set",
|
||||||
|
"ops-runbook",
|
||||||
|
"ops-incident",
|
||||||
|
"ops-readiness-gate",
|
||||||
|
"ops-migration-wave",
|
||||||
|
"ops-risk"
|
||||||
|
]'::jsonb,
|
||||||
|
'[
|
||||||
|
"ops-inventory-registered",
|
||||||
|
"ops-inventory-updated",
|
||||||
|
"ops-service-discovered",
|
||||||
|
"ops-health-checked",
|
||||||
|
"ops-release-observed",
|
||||||
|
"ops-endpoint-verified",
|
||||||
|
"ops-backup-verified",
|
||||||
|
"ops-restore-tested",
|
||||||
|
"ops-runbook-executed",
|
||||||
|
"ops-drift-detected",
|
||||||
|
"ops-risk-raised",
|
||||||
|
"ops-risk-accepted",
|
||||||
|
"ops-readiness-gate-updated",
|
||||||
|
"ops-migration-gate-passed",
|
||||||
|
"ops-migration-gate-failed"
|
||||||
|
]'::jsonb,
|
||||||
|
'[
|
||||||
|
"ops-drift",
|
||||||
|
"ops-service-catalog-gap",
|
||||||
|
"ops-backup-gap",
|
||||||
|
"ops-security-gap",
|
||||||
|
"ops-routing-gap",
|
||||||
|
"ops-secret-gap",
|
||||||
|
"ops-readiness-blocker",
|
||||||
|
"ops-migration-risk",
|
||||||
|
"ops-observability-gap",
|
||||||
|
"ops-recovery-gap"
|
||||||
|
]'::jsonb,
|
||||||
|
'[
|
||||||
|
"ops-local",
|
||||||
|
"ops-transitional-prod",
|
||||||
|
"ops-production",
|
||||||
|
"ops-threephoenix",
|
||||||
|
"ops-registry",
|
||||||
|
"ops-secrets",
|
||||||
|
"ops-backup-retention"
|
||||||
|
]'::jsonb,
|
||||||
|
'VSM Operations / System 1 hub for operational truth and evidence. Metadata: hub_family=vsm; vsm_function=OPS; vsm_system=S1; scope=operational truth, service catalog, readiness, incidents, runbooks, migration waves, and evidence events.',
|
||||||
|
'operator',
|
||||||
|
'active',
|
||||||
|
NOW()
|
||||||
|
FROM hub
|
||||||
|
ON CONFLICT (hub_id) DO UPDATE
|
||||||
|
SET manifest_version = EXCLUDED.manifest_version,
|
||||||
|
declared_widget_types = EXCLUDED.declared_widget_types,
|
||||||
|
declared_event_types = EXCLUDED.declared_event_types,
|
||||||
|
declared_annotation_categories = EXCLUDED.declared_annotation_categories,
|
||||||
|
declared_policy_scopes = EXCLUDED.declared_policy_scopes,
|
||||||
|
capability_description = EXCLUDED.capability_description,
|
||||||
|
contact = EXCLUDED.contact,
|
||||||
|
status = EXCLUDED.status,
|
||||||
|
activated_at = COALESCE(hub_capability_manifests.activated_at, NOW()),
|
||||||
|
updated_at = NOW();
|
||||||
|
|
||||||
|
WITH hub AS (
|
||||||
|
SELECT id FROM hubs WHERE slug = 'ops-hub'
|
||||||
|
), names(name) AS (
|
||||||
|
VALUES
|
||||||
|
('ops-environment'),
|
||||||
|
('ops-host'),
|
||||||
|
('ops-cluster'),
|
||||||
|
('ops-service'),
|
||||||
|
('ops-service-catalog'),
|
||||||
|
('ops-endpoint'),
|
||||||
|
('ops-release'),
|
||||||
|
('ops-backup-set'),
|
||||||
|
('ops-secret-set'),
|
||||||
|
('ops-runbook'),
|
||||||
|
('ops-incident'),
|
||||||
|
('ops-readiness-gate'),
|
||||||
|
('ops-migration-wave'),
|
||||||
|
('ops-risk')
|
||||||
|
)
|
||||||
|
INSERT INTO widget_type_registry (name, label, owner_hub_id, status)
|
||||||
|
SELECT names.name, names.name, hub.id, 'active'
|
||||||
|
FROM names CROSS JOIN hub
|
||||||
|
ON CONFLICT (name) DO NOTHING;
|
||||||
|
|
||||||
|
WITH hub AS (
|
||||||
|
SELECT id FROM hubs WHERE slug = 'ops-hub'
|
||||||
|
), names(name) AS (
|
||||||
|
VALUES
|
||||||
|
('ops-inventory-registered'),
|
||||||
|
('ops-inventory-updated'),
|
||||||
|
('ops-service-discovered'),
|
||||||
|
('ops-health-checked'),
|
||||||
|
('ops-release-observed'),
|
||||||
|
('ops-endpoint-verified'),
|
||||||
|
('ops-backup-verified'),
|
||||||
|
('ops-restore-tested'),
|
||||||
|
('ops-runbook-executed'),
|
||||||
|
('ops-drift-detected'),
|
||||||
|
('ops-risk-raised'),
|
||||||
|
('ops-risk-accepted'),
|
||||||
|
('ops-readiness-gate-updated'),
|
||||||
|
('ops-migration-gate-passed'),
|
||||||
|
('ops-migration-gate-failed')
|
||||||
|
)
|
||||||
|
INSERT INTO event_type_registry (name, label, owner_hub_id, status)
|
||||||
|
SELECT names.name, names.name, hub.id, 'active'
|
||||||
|
FROM names CROSS JOIN hub
|
||||||
|
ON CONFLICT (name) DO NOTHING;
|
||||||
|
|
||||||
|
WITH hub AS (
|
||||||
|
SELECT id FROM hubs WHERE slug = 'ops-hub'
|
||||||
|
), names(name) AS (
|
||||||
|
VALUES
|
||||||
|
('ops-drift'),
|
||||||
|
('ops-service-catalog-gap'),
|
||||||
|
('ops-backup-gap'),
|
||||||
|
('ops-security-gap'),
|
||||||
|
('ops-routing-gap'),
|
||||||
|
('ops-secret-gap'),
|
||||||
|
('ops-readiness-blocker'),
|
||||||
|
('ops-migration-risk'),
|
||||||
|
('ops-observability-gap'),
|
||||||
|
('ops-recovery-gap')
|
||||||
|
)
|
||||||
|
INSERT INTO annotation_category_registry (name, label, owner_hub_id, status)
|
||||||
|
SELECT names.name, names.name, hub.id, 'active'
|
||||||
|
FROM names CROSS JOIN hub
|
||||||
|
ON CONFLICT (name) DO NOTHING;
|
||||||
|
|
||||||
|
WITH hub AS (
|
||||||
|
SELECT id FROM hubs WHERE slug = 'ops-hub'
|
||||||
|
), names(name) AS (
|
||||||
|
VALUES
|
||||||
|
('ops-local'),
|
||||||
|
('ops-transitional-prod'),
|
||||||
|
('ops-production'),
|
||||||
|
('ops-threephoenix'),
|
||||||
|
('ops-registry'),
|
||||||
|
('ops-secrets'),
|
||||||
|
('ops-backup-retention')
|
||||||
|
)
|
||||||
|
INSERT INTO policy_scope_registry (name, label, owner_hub_id, status)
|
||||||
|
SELECT names.name, names.name, hub.id, 'active'
|
||||||
|
FROM names CROSS JOIN hub
|
||||||
|
ON CONFLICT (name) DO NOTHING;
|
||||||
|
|
||||||
|
WITH manifest AS (
|
||||||
|
SELECT id FROM hub_capability_manifests
|
||||||
|
WHERE hub_id = (SELECT id FROM hubs WHERE slug = 'ops-hub')
|
||||||
|
)
|
||||||
|
INSERT INTO api_consumers (
|
||||||
|
name,
|
||||||
|
description,
|
||||||
|
hub_capability_manifest_id,
|
||||||
|
rate_limit_per_minute,
|
||||||
|
quota_per_day,
|
||||||
|
is_active
|
||||||
|
)
|
||||||
|
SELECT
|
||||||
|
'ops-hub',
|
||||||
|
'API consumer for the VSM Operations hub',
|
||||||
|
manifest.id,
|
||||||
|
60,
|
||||||
|
10000,
|
||||||
|
TRUE
|
||||||
|
FROM manifest
|
||||||
|
WHERE NOT EXISTS (
|
||||||
|
SELECT 1 FROM api_consumers WHERE name = 'ops-hub'
|
||||||
|
);
|
||||||
|
|
||||||
|
WITH hub AS (
|
||||||
|
SELECT id FROM hubs WHERE slug = 'ops-hub'
|
||||||
|
), seed(name, widget_type, capability_ref, view_context, policy_scope) AS (
|
||||||
|
VALUES
|
||||||
|
('Local Environment', 'ops-environment', 'ops:environment:local', 'ops-hub/environments/local', 'ops-local'),
|
||||||
|
('CoulombCore Environment', 'ops-environment', 'ops:environment:coulombcore', 'ops-hub/environments/coulombcore', 'ops-transitional-prod'),
|
||||||
|
('Railiance01 Environment', 'ops-environment', 'ops:environment:railiance01', 'ops-hub/environments/railiance01', 'ops-threephoenix'),
|
||||||
|
('ThreePhoenix Production Environment', 'ops-environment', 'ops:environment:threephoenix-prod', 'ops-hub/environments/threephoenix-prod', 'ops-production'),
|
||||||
|
('CoulombCore Host', 'ops-host', 'ops:host:coulombcore', 'ops-hub/hosts/coulombcore', 'ops-transitional-prod'),
|
||||||
|
('Railiance01 Host', 'ops-host', 'ops:host:railiance01', 'ops-hub/hosts/railiance01', 'ops-threephoenix'),
|
||||||
|
('Operations Service Catalog', 'ops-service-catalog', 'ops:service-catalog', 'ops-hub/service-catalog', 'ops-production'),
|
||||||
|
('Gitea Service', 'ops-service', 'ops:service:gitea', 'ops-hub/services/gitea', 'ops-transitional-prod'),
|
||||||
|
('State Hub Service', 'ops-service', 'ops:service:state-hub', 'ops-hub/services/state-hub', 'ops-local'),
|
||||||
|
('Inter-Hub Service', 'ops-service', 'ops:service:inter-hub', 'ops-hub/services/inter-hub', 'ops-production'),
|
||||||
|
('Gitea Registry Endpoint', 'ops-endpoint', 'ops:endpoint:gitea-registry', 'ops-hub/endpoints/gitea-registry', 'ops-registry'),
|
||||||
|
('Gitea Registry Readiness', 'ops-readiness-gate', 'ops:readiness:gitea-registry', 'ops-hub/readiness/gitea-registry', 'ops-registry'),
|
||||||
|
('State Hub Cluster Deploy Readiness', 'ops-readiness-gate', 'ops:readiness:state-hub-cluster-deploy', 'ops-hub/readiness/state-hub-cluster-deploy', 'ops-production'),
|
||||||
|
('CoulombCore to ThreePhoenix Migration', 'ops-migration-wave', 'ops:migration:coulombcore-to-threephoenix', 'ops-hub/migrations/coulombcore-to-threephoenix', 'ops-threephoenix')
|
||||||
|
)
|
||||||
|
INSERT INTO widgets (
|
||||||
|
hub_id,
|
||||||
|
name,
|
||||||
|
widget_type,
|
||||||
|
capability_ref,
|
||||||
|
view_context,
|
||||||
|
policy_scope,
|
||||||
|
status
|
||||||
|
)
|
||||||
|
SELECT
|
||||||
|
hub.id,
|
||||||
|
seed.name,
|
||||||
|
seed.widget_type,
|
||||||
|
seed.capability_ref,
|
||||||
|
seed.view_context,
|
||||||
|
seed.policy_scope,
|
||||||
|
'active'
|
||||||
|
FROM seed CROSS JOIN hub
|
||||||
|
WHERE NOT EXISTS (
|
||||||
|
SELECT 1 FROM widgets
|
||||||
|
WHERE hub_id = hub.id
|
||||||
|
AND capability_ref = seed.capability_ref
|
||||||
|
);
|
||||||
|
|
||||||
|
COMMIT;
|
||||||
65
seeds/ops-hub-manifest.draft.json
Normal file
65
seeds/ops-hub-manifest.draft.json
Normal file
@@ -0,0 +1,65 @@
|
|||||||
|
{
|
||||||
|
"hub": {
|
||||||
|
"name": "Ops Hub",
|
||||||
|
"slug": "ops-hub",
|
||||||
|
"domain": "ops.coulomb.social",
|
||||||
|
"hubKind": "domain"
|
||||||
|
},
|
||||||
|
"manifestVersion": "1.0",
|
||||||
|
"capabilityDescription": "VSM Operations / System 1 hub for operational truth and evidence. Metadata: hub_family=vsm; vsm_function=OPS; vsm_system=S1; scope=operational truth, service catalog, readiness, incidents, runbooks, migration waves, and evidence events.",
|
||||||
|
"contact": "operator",
|
||||||
|
"declaredWidgetTypes": [
|
||||||
|
"ops-environment",
|
||||||
|
"ops-host",
|
||||||
|
"ops-cluster",
|
||||||
|
"ops-service",
|
||||||
|
"ops-service-catalog",
|
||||||
|
"ops-endpoint",
|
||||||
|
"ops-release",
|
||||||
|
"ops-backup-set",
|
||||||
|
"ops-secret-set",
|
||||||
|
"ops-runbook",
|
||||||
|
"ops-incident",
|
||||||
|
"ops-readiness-gate",
|
||||||
|
"ops-migration-wave",
|
||||||
|
"ops-risk"
|
||||||
|
],
|
||||||
|
"declaredEventTypes": [
|
||||||
|
"ops-inventory-registered",
|
||||||
|
"ops-inventory-updated",
|
||||||
|
"ops-service-discovered",
|
||||||
|
"ops-health-checked",
|
||||||
|
"ops-release-observed",
|
||||||
|
"ops-endpoint-verified",
|
||||||
|
"ops-backup-verified",
|
||||||
|
"ops-restore-tested",
|
||||||
|
"ops-runbook-executed",
|
||||||
|
"ops-drift-detected",
|
||||||
|
"ops-risk-raised",
|
||||||
|
"ops-risk-accepted",
|
||||||
|
"ops-readiness-gate-updated",
|
||||||
|
"ops-migration-gate-passed",
|
||||||
|
"ops-migration-gate-failed"
|
||||||
|
],
|
||||||
|
"declaredAnnotationCategories": [
|
||||||
|
"ops-drift",
|
||||||
|
"ops-service-catalog-gap",
|
||||||
|
"ops-backup-gap",
|
||||||
|
"ops-security-gap",
|
||||||
|
"ops-routing-gap",
|
||||||
|
"ops-secret-gap",
|
||||||
|
"ops-readiness-blocker",
|
||||||
|
"ops-migration-risk",
|
||||||
|
"ops-observability-gap",
|
||||||
|
"ops-recovery-gap"
|
||||||
|
],
|
||||||
|
"declaredPolicyScopes": [
|
||||||
|
"ops-local",
|
||||||
|
"ops-transitional-prod",
|
||||||
|
"ops-production",
|
||||||
|
"ops-threephoenix",
|
||||||
|
"ops-registry",
|
||||||
|
"ops-secrets",
|
||||||
|
"ops-backup-retention"
|
||||||
|
]
|
||||||
|
}
|
||||||
100
seeds/ops-hub-widgets.seed.json
Normal file
100
seeds/ops-hub-widgets.seed.json
Normal file
@@ -0,0 +1,100 @@
|
|||||||
|
[
|
||||||
|
{
|
||||||
|
"name": "Local Environment",
|
||||||
|
"widgetType": "ops-environment",
|
||||||
|
"capabilityRef": "ops:environment:local",
|
||||||
|
"viewContext": "ops-hub/environments/local",
|
||||||
|
"policyScope": "ops-local"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "CoulombCore Environment",
|
||||||
|
"widgetType": "ops-environment",
|
||||||
|
"capabilityRef": "ops:environment:coulombcore",
|
||||||
|
"viewContext": "ops-hub/environments/coulombcore",
|
||||||
|
"policyScope": "ops-transitional-prod"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "Railiance01 Environment",
|
||||||
|
"widgetType": "ops-environment",
|
||||||
|
"capabilityRef": "ops:environment:railiance01",
|
||||||
|
"viewContext": "ops-hub/environments/railiance01",
|
||||||
|
"policyScope": "ops-threephoenix"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "ThreePhoenix Production Environment",
|
||||||
|
"widgetType": "ops-environment",
|
||||||
|
"capabilityRef": "ops:environment:threephoenix-prod",
|
||||||
|
"viewContext": "ops-hub/environments/threephoenix-prod",
|
||||||
|
"policyScope": "ops-production"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "CoulombCore Host",
|
||||||
|
"widgetType": "ops-host",
|
||||||
|
"capabilityRef": "ops:host:coulombcore",
|
||||||
|
"viewContext": "ops-hub/hosts/coulombcore",
|
||||||
|
"policyScope": "ops-transitional-prod"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "Railiance01 Host",
|
||||||
|
"widgetType": "ops-host",
|
||||||
|
"capabilityRef": "ops:host:railiance01",
|
||||||
|
"viewContext": "ops-hub/hosts/railiance01",
|
||||||
|
"policyScope": "ops-threephoenix"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "Operations Service Catalog",
|
||||||
|
"widgetType": "ops-service-catalog",
|
||||||
|
"capabilityRef": "ops:service-catalog",
|
||||||
|
"viewContext": "ops-hub/service-catalog",
|
||||||
|
"policyScope": "ops-production"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "Gitea Service",
|
||||||
|
"widgetType": "ops-service",
|
||||||
|
"capabilityRef": "ops:service:gitea",
|
||||||
|
"viewContext": "ops-hub/services/gitea",
|
||||||
|
"policyScope": "ops-transitional-prod"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "State Hub Service",
|
||||||
|
"widgetType": "ops-service",
|
||||||
|
"capabilityRef": "ops:service:state-hub",
|
||||||
|
"viewContext": "ops-hub/services/state-hub",
|
||||||
|
"policyScope": "ops-local"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "Inter-Hub Service",
|
||||||
|
"widgetType": "ops-service",
|
||||||
|
"capabilityRef": "ops:service:inter-hub",
|
||||||
|
"viewContext": "ops-hub/services/inter-hub",
|
||||||
|
"policyScope": "ops-production"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "Gitea Registry Endpoint",
|
||||||
|
"widgetType": "ops-endpoint",
|
||||||
|
"capabilityRef": "ops:endpoint:gitea-registry",
|
||||||
|
"viewContext": "ops-hub/endpoints/gitea-registry",
|
||||||
|
"policyScope": "ops-registry"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "Gitea Registry Readiness",
|
||||||
|
"widgetType": "ops-readiness-gate",
|
||||||
|
"capabilityRef": "ops:readiness:gitea-registry",
|
||||||
|
"viewContext": "ops-hub/readiness/gitea-registry",
|
||||||
|
"policyScope": "ops-registry"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "State Hub Cluster Deploy Readiness",
|
||||||
|
"widgetType": "ops-readiness-gate",
|
||||||
|
"capabilityRef": "ops:readiness:state-hub-cluster-deploy",
|
||||||
|
"viewContext": "ops-hub/readiness/state-hub-cluster-deploy",
|
||||||
|
"policyScope": "ops-production"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "CoulombCore to ThreePhoenix Migration",
|
||||||
|
"widgetType": "ops-migration-wave",
|
||||||
|
"capabilityRef": "ops:migration:coulombcore-to-threephoenix",
|
||||||
|
"viewContext": "ops-hub/migrations/coulombcore-to-threephoenix",
|
||||||
|
"policyScope": "ops-threephoenix"
|
||||||
|
}
|
||||||
|
]
|
||||||
5
src/ops_hub/__init__.py
Normal file
5
src/ops_hub/__init__.py
Normal file
@@ -0,0 +1,5 @@
|
|||||||
|
"""ops-hub implementation helpers."""
|
||||||
|
|
||||||
|
__all__ = ["__version__"]
|
||||||
|
|
||||||
|
__version__ = "0.1.0"
|
||||||
111
src/ops_hub/interhub_gate_probe.py
Normal file
111
src/ops_hub/interhub_gate_probe.py
Normal file
@@ -0,0 +1,111 @@
|
|||||||
|
"""Probe whether Inter-Hub production exposes the ops-hub bootstrap API."""
|
||||||
|
|
||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import argparse
|
||||||
|
import json
|
||||||
|
from dataclasses import asdict, dataclass
|
||||||
|
from typing import Any
|
||||||
|
from urllib.error import HTTPError, URLError
|
||||||
|
from urllib.parse import urljoin
|
||||||
|
from urllib.request import Request, urlopen
|
||||||
|
|
||||||
|
REQUIRED_OPENAPI_PATHS = (
|
||||||
|
"/hubs",
|
||||||
|
"/hub-capability-manifests",
|
||||||
|
"/api-consumers",
|
||||||
|
"/policy-scopes",
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
@dataclass(frozen=True)
|
||||||
|
class HttpObservation:
|
||||||
|
url: str
|
||||||
|
status: int | None
|
||||||
|
ok: bool
|
||||||
|
error: str | None = None
|
||||||
|
|
||||||
|
|
||||||
|
@dataclass(frozen=True)
|
||||||
|
class GateResult:
|
||||||
|
base_url: str
|
||||||
|
passed: bool
|
||||||
|
hubs_status: int | None
|
||||||
|
required_paths_present: list[str]
|
||||||
|
required_paths_missing: list[str]
|
||||||
|
observations: list[HttpObservation]
|
||||||
|
|
||||||
|
|
||||||
|
def normalize_base_url(base_url: str) -> str:
|
||||||
|
return base_url.rstrip("/") + "/"
|
||||||
|
|
||||||
|
|
||||||
|
def api_url(base_url: str, path: str) -> str:
|
||||||
|
return urljoin(normalize_base_url(base_url), path.lstrip("/"))
|
||||||
|
|
||||||
|
|
||||||
|
def fetch_json(url: str, timeout: float) -> tuple[HttpObservation, dict[str, Any] | None]:
|
||||||
|
request = Request(url, headers={"Accept": "application/json", "User-Agent": "ops-hub-gate-probe/0.1"})
|
||||||
|
try:
|
||||||
|
with urlopen(request, timeout=timeout) as response:
|
||||||
|
payload = json.loads(response.read().decode("utf-8"))
|
||||||
|
return HttpObservation(url=url, status=response.status, ok=True), payload
|
||||||
|
except HTTPError as exc:
|
||||||
|
body = exc.read().decode("utf-8", errors="replace")
|
||||||
|
return HttpObservation(url=url, status=exc.code, ok=False, error=body[:240]), None
|
||||||
|
except (URLError, TimeoutError, json.JSONDecodeError) as exc:
|
||||||
|
return HttpObservation(url=url, status=None, ok=False, error=str(exc)), None
|
||||||
|
|
||||||
|
|
||||||
|
def observe_status(url: str, timeout: float) -> HttpObservation:
|
||||||
|
request = Request(url, headers={"Accept": "application/json", "User-Agent": "ops-hub-gate-probe/0.1"})
|
||||||
|
try:
|
||||||
|
with urlopen(request, timeout=timeout) as response:
|
||||||
|
response.read()
|
||||||
|
return HttpObservation(url=url, status=response.status, ok=True)
|
||||||
|
except HTTPError as exc:
|
||||||
|
exc.read()
|
||||||
|
return HttpObservation(url=url, status=exc.code, ok=False, error=exc.reason)
|
||||||
|
except (URLError, TimeoutError) as exc:
|
||||||
|
return HttpObservation(url=url, status=None, ok=False, error=str(exc))
|
||||||
|
|
||||||
|
|
||||||
|
def evaluate_openapi_paths(openapi: dict[str, Any] | None) -> tuple[list[str], list[str]]:
|
||||||
|
paths = set((openapi or {}).get("paths", {}).keys())
|
||||||
|
present = [path for path in REQUIRED_OPENAPI_PATHS if path in paths]
|
||||||
|
missing = [path for path in REQUIRED_OPENAPI_PATHS if path not in paths]
|
||||||
|
return present, missing
|
||||||
|
|
||||||
|
|
||||||
|
def probe_interhub_gate(base_url: str, timeout: float = 10.0) -> GateResult:
|
||||||
|
normalized = normalize_base_url(base_url)
|
||||||
|
hubs = observe_status(api_url(normalized, "/api/v2/hubs"), timeout)
|
||||||
|
openapi_observation, openapi = fetch_json(api_url(normalized, "/api/v2/openapi.json"), timeout)
|
||||||
|
present, missing = evaluate_openapi_paths(openapi)
|
||||||
|
passed = hubs.status == 401 and not missing
|
||||||
|
return GateResult(
|
||||||
|
base_url=normalized.rstrip("/"),
|
||||||
|
passed=passed,
|
||||||
|
hubs_status=hubs.status,
|
||||||
|
required_paths_present=present,
|
||||||
|
required_paths_missing=missing,
|
||||||
|
observations=[hubs, openapi_observation],
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def build_parser() -> argparse.ArgumentParser:
|
||||||
|
parser = argparse.ArgumentParser(description=__doc__)
|
||||||
|
parser.add_argument("--base", default="https://hub.coulomb.social", help="Inter-Hub base URL")
|
||||||
|
parser.add_argument("--timeout", default=10.0, type=float, help="HTTP timeout in seconds")
|
||||||
|
return parser
|
||||||
|
|
||||||
|
|
||||||
|
def main(argv: list[str] | None = None) -> int:
|
||||||
|
args = build_parser().parse_args(argv)
|
||||||
|
result = probe_interhub_gate(args.base, timeout=args.timeout)
|
||||||
|
print(json.dumps(asdict(result), indent=2, sort_keys=True))
|
||||||
|
return 0 if result.passed else 1
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
raise SystemExit(main())
|
||||||
41
tests/test_interhub_gate_probe.py
Normal file
41
tests/test_interhub_gate_probe.py
Normal file
@@ -0,0 +1,41 @@
|
|||||||
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import unittest
|
||||||
|
|
||||||
|
from ops_hub.interhub_gate_probe import (
|
||||||
|
REQUIRED_OPENAPI_PATHS,
|
||||||
|
api_url,
|
||||||
|
evaluate_openapi_paths,
|
||||||
|
normalize_base_url,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
class InterHubGateProbeTests(unittest.TestCase):
|
||||||
|
def test_normalize_base_url(self) -> None:
|
||||||
|
self.assertEqual(normalize_base_url("https://hub.example"), "https://hub.example/")
|
||||||
|
self.assertEqual(normalize_base_url("https://hub.example/"), "https://hub.example/")
|
||||||
|
|
||||||
|
def test_api_url_joins_versioned_paths(self) -> None:
|
||||||
|
self.assertEqual(
|
||||||
|
api_url("https://hub.example", "/api/v2/hubs"),
|
||||||
|
"https://hub.example/api/v2/hubs",
|
||||||
|
)
|
||||||
|
|
||||||
|
def test_evaluate_openapi_paths_detects_all_required_paths(self) -> None:
|
||||||
|
openapi = {"paths": {path: {} for path in REQUIRED_OPENAPI_PATHS}}
|
||||||
|
present, missing = evaluate_openapi_paths(openapi)
|
||||||
|
self.assertEqual(present, list(REQUIRED_OPENAPI_PATHS))
|
||||||
|
self.assertEqual(missing, [])
|
||||||
|
|
||||||
|
def test_evaluate_openapi_paths_reports_missing_paths(self) -> None:
|
||||||
|
openapi = {"paths": {"/hubs": {}}}
|
||||||
|
present, missing = evaluate_openapi_paths(openapi)
|
||||||
|
self.assertEqual(present, ["/hubs"])
|
||||||
|
self.assertEqual(
|
||||||
|
missing,
|
||||||
|
["/hub-capability-manifests", "/api-consumers", "/policy-scopes"],
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
unittest.main()
|
||||||
@@ -2,9 +2,9 @@
|
|||||||
id: OPS-WP-0001
|
id: OPS-WP-0001
|
||||||
type: workplan
|
type: workplan
|
||||||
title: "Bootstrap State Hub integration"
|
title: "Bootstrap State Hub integration"
|
||||||
domain: inter_hub
|
domain: infotech
|
||||||
repo: ops-hub
|
repo: ops-hub
|
||||||
status: ready
|
status: finished
|
||||||
owner: codex
|
owner: codex
|
||||||
topic_slug: inter_hub
|
topic_slug: inter_hub
|
||||||
created: "2026-06-06"
|
created: "2026-06-06"
|
||||||
@@ -13,24 +13,28 @@ updated: "2026-06-06"
|
|||||||
|
|
||||||
# Bootstrap State Hub integration
|
# Bootstrap State Hub integration
|
||||||
|
|
||||||
Inter-hub extension for the operations & resiliance subdimension of the orthogonal architecture standard perspective.
|
Bootstrap this repo's State Hub integration and replace generated placeholders
|
||||||
|
with the first concrete `ops-hub` operating frame.
|
||||||
|
|
||||||
## Review Generated Integration Files
|
## Review Generated Integration Files
|
||||||
|
|
||||||
```task
|
```task
|
||||||
id: OPS-WP-0001-T01
|
id: OPS-WP-0001-T01
|
||||||
status: todo
|
status: done
|
||||||
priority: high
|
priority: high
|
||||||
```
|
```
|
||||||
|
|
||||||
Review `INTENT.md`, `SCOPE.md`, `AGENTS.md`, and `.custodian-brief.md`.
|
Review `INTENT.md`, `SCOPE.md`, `AGENTS.md`, and `.custodian-brief.md`.
|
||||||
Replace generated placeholders with repo-specific facts where needed.
|
Replace generated placeholders with repo-specific facts where needed.
|
||||||
|
|
||||||
|
Completed 2026-06-06: `INTENT.md`, `SCOPE.md`, `AGENTS.md`, and `README.md`
|
||||||
|
now describe `ops-hub` as the Operations / System 1 Inter-Hub extension.
|
||||||
|
|
||||||
## Verify Local Developer Workflow
|
## Verify Local Developer Workflow
|
||||||
|
|
||||||
```task
|
```task
|
||||||
id: OPS-WP-0001-T02
|
id: OPS-WP-0001-T02
|
||||||
status: todo
|
status: done
|
||||||
priority: high
|
priority: high
|
||||||
```
|
```
|
||||||
|
|
||||||
@@ -38,11 +42,16 @@ Identify the repo's install, test, lint, build, and run commands. Add or refine
|
|||||||
those commands in the agent instructions so future coding sessions can verify
|
those commands in the agent instructions so future coding sessions can verify
|
||||||
changes confidently.
|
changes confidently.
|
||||||
|
|
||||||
|
Completed 2026-06-06: the repo currently has no executable source tree,
|
||||||
|
dependency manifest, test suite, or build command. `AGENTS.md` records
|
||||||
|
documentation/workplan verification commands and requires future source work to
|
||||||
|
add repo-native lint, test, build, and run commands.
|
||||||
|
|
||||||
## Seed First Real Workplan
|
## Seed First Real Workplan
|
||||||
|
|
||||||
```task
|
```task
|
||||||
id: OPS-WP-0001-T03
|
id: OPS-WP-0001-T03
|
||||||
status: todo
|
status: done
|
||||||
priority: medium
|
priority: medium
|
||||||
```
|
```
|
||||||
|
|
||||||
@@ -52,3 +61,6 @@ next change. After workplan file updates, run from `~/state-hub`:
|
|||||||
```bash
|
```bash
|
||||||
make fix-consistency REPO=ops-hub
|
make fix-consistency REPO=ops-hub
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Completed 2026-06-06: seeded
|
||||||
|
`workplans/OPS-WP-0002-interhub-extension-bootstrap.md`.
|
||||||
|
|||||||
176
workplans/OPS-WP-0002-interhub-extension-bootstrap.md
Normal file
176
workplans/OPS-WP-0002-interhub-extension-bootstrap.md
Normal file
@@ -0,0 +1,176 @@
|
|||||||
|
---
|
||||||
|
id: OPS-WP-0002
|
||||||
|
type: workplan
|
||||||
|
title: "Bootstrap ops-hub as an Inter-Hub Operations extension"
|
||||||
|
domain: infotech
|
||||||
|
repo: ops-hub
|
||||||
|
status: active
|
||||||
|
owner: codex
|
||||||
|
topic_slug: inter_hub
|
||||||
|
created: "2026-06-06"
|
||||||
|
updated: "2026-06-06"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Bootstrap ops-hub as an Inter-Hub Operations extension
|
||||||
|
|
||||||
|
## Goal
|
||||||
|
|
||||||
|
Turn the HelixForge `HF-WP-0001` handoff into the first concrete `ops-hub`
|
||||||
|
implementation track.
|
||||||
|
|
||||||
|
`ops-hub` should become the Operations / System 1 Inter-Hub extension for
|
||||||
|
operational truth: environments, hosts, clusters, services, endpoints,
|
||||||
|
releases, backups, incidents, risks, runbooks, readiness gates, and migration
|
||||||
|
waves.
|
||||||
|
|
||||||
|
This repo owns domain-specific implementation assets. `inter-hub` remains the
|
||||||
|
generic framework, registry, authentication, manifest, widget, event, and
|
||||||
|
bootstrap API substrate.
|
||||||
|
|
||||||
|
## Current Gate
|
||||||
|
|
||||||
|
As of 2026-06-06, public production Inter-Hub still returns `404` for:
|
||||||
|
|
||||||
|
```text
|
||||||
|
https://hub.coulomb.social/api/v2/hubs
|
||||||
|
```
|
||||||
|
|
||||||
|
Do not run manual database seeding unless the operator explicitly chooses that
|
||||||
|
fallback. The preferred bootstrap path is the supported Inter-Hub API once
|
||||||
|
production exposes the current bootstrap surface.
|
||||||
|
|
||||||
|
Gate criteria:
|
||||||
|
|
||||||
|
- Unauthenticated `GET /api/v2/hubs` returns `401`, not `404`.
|
||||||
|
- OpenAPI lists `/hubs`, `/hub-capability-manifests`, `/api-consumers`, and
|
||||||
|
`/policy-scopes`.
|
||||||
|
- The bootstrap/smoke client can create or reuse the `ops-hub` hub, activate
|
||||||
|
its manifest, create the runtime API consumer/key, seed initial widgets, and
|
||||||
|
persist the first governed ops event.
|
||||||
|
|
||||||
|
## Handoff Sources
|
||||||
|
|
||||||
|
- `/home/worsch/helix-forge/workplans/HF-WP-0001-establish-ops-hub-first-extension.md`
|
||||||
|
- `/home/worsch/helix-forge/wiki/OpsHubInventory.md`
|
||||||
|
- `/home/worsch/helix-forge/wiki/OpsHubReadinessGates.md`
|
||||||
|
- `/home/worsch/helix-forge/wiki/OpsHubBootstrapRunbook.md`
|
||||||
|
- `/home/worsch/helix-forge/wiki/ops-hub-manifest.draft.json`
|
||||||
|
- `/home/worsch/helix-forge/wiki/ops-hub-widgets.seed.json`
|
||||||
|
|
||||||
|
## Port HelixForge Handoff Artifacts
|
||||||
|
|
||||||
|
```task
|
||||||
|
id: OPS-WP-0002-T01
|
||||||
|
status: done
|
||||||
|
priority: high
|
||||||
|
```
|
||||||
|
|
||||||
|
Create repo-local docs and seed data for the ops vocabulary, initial inventory,
|
||||||
|
readiness gates, bootstrap runbook, manifest draft, and widget seed.
|
||||||
|
|
||||||
|
Done when the `ops-hub` repo can be understood without opening HelixForge for
|
||||||
|
routine implementation details. Keep links back to HelixForge for architectural
|
||||||
|
context.
|
||||||
|
|
||||||
|
Completed 2026-06-06:
|
||||||
|
|
||||||
|
- Ported initial inventory to `docs/initial-inventory.md`.
|
||||||
|
- Ported readiness gates to `docs/readiness-gates.md`.
|
||||||
|
- Ported bootstrap runbook to `docs/bootstrap-runbook.md`.
|
||||||
|
- Ported manifest and widget seeds to `seeds/`.
|
||||||
|
- Added `docs/README.md` as the handoff index.
|
||||||
|
|
||||||
|
## Define Repository Source Layout
|
||||||
|
|
||||||
|
```task
|
||||||
|
id: OPS-WP-0002-T02
|
||||||
|
status: done
|
||||||
|
priority: high
|
||||||
|
```
|
||||||
|
|
||||||
|
Choose and create the first source layout for bootstrap/smoke tooling,
|
||||||
|
collectors, adapters, and tests. Add the repo-native lint, test, build, and run
|
||||||
|
commands to `AGENTS.md`.
|
||||||
|
|
||||||
|
Done when future code changes have an obvious home and a verification command.
|
||||||
|
|
||||||
|
Completed 2026-06-06:
|
||||||
|
|
||||||
|
- Added `pyproject.toml`.
|
||||||
|
- Added Python package layout under `src/ops_hub/`.
|
||||||
|
- Added operator scripts under `scripts/`.
|
||||||
|
- Added tests under `tests/`.
|
||||||
|
- Documented current verification commands in `AGENTS.md`.
|
||||||
|
|
||||||
|
## Implement Inter-Hub Production Gate Probe
|
||||||
|
|
||||||
|
```task
|
||||||
|
id: OPS-WP-0002-T03
|
||||||
|
status: done
|
||||||
|
priority: high
|
||||||
|
```
|
||||||
|
|
||||||
|
Build a small probe that checks the public Inter-Hub bootstrap API gate:
|
||||||
|
|
||||||
|
- `/api/v2/hubs` response is `401` unauthenticated.
|
||||||
|
- OpenAPI lists the required bootstrap paths.
|
||||||
|
- The result is machine-readable and suitable for a scheduled ops signal later.
|
||||||
|
|
||||||
|
Done when the probe can run locally without secrets and reports the current
|
||||||
|
gate as pass/fail with clear reasons.
|
||||||
|
|
||||||
|
Completed 2026-06-06: `scripts/interhub-gate-probe.py` checks unauthenticated
|
||||||
|
`/api/v2/hubs` status and required OpenAPI bootstrap paths, emits JSON, and
|
||||||
|
exits nonzero while the gate is closed.
|
||||||
|
|
||||||
|
## Implement Bootstrap Smoke Client
|
||||||
|
|
||||||
|
```task
|
||||||
|
id: OPS-WP-0002-T04
|
||||||
|
status: wait
|
||||||
|
priority: high
|
||||||
|
```
|
||||||
|
|
||||||
|
Implement the authenticated bootstrap/smoke client once Inter-Hub production
|
||||||
|
exposes the supported bootstrap API.
|
||||||
|
|
||||||
|
The client should use `IHUB_BASE` and `IHUB_OPERATOR_KEY` and should create or
|
||||||
|
reuse:
|
||||||
|
|
||||||
|
- `ops-hub` hub row
|
||||||
|
- active capability manifest
|
||||||
|
- runtime API consumer/key
|
||||||
|
- initial governed ops widgets
|
||||||
|
- first `ops-endpoint-verified` event
|
||||||
|
|
||||||
|
Done when a dry-run and an attended real run both produce repeatable evidence
|
||||||
|
without direct DB access.
|
||||||
|
|
||||||
|
Waiting on: Inter-Hub production API gate from T03.
|
||||||
|
|
||||||
|
## Seed First Operational Signal
|
||||||
|
|
||||||
|
```task
|
||||||
|
id: OPS-WP-0002-T05
|
||||||
|
status: wait
|
||||||
|
priority: medium
|
||||||
|
```
|
||||||
|
|
||||||
|
Submit the first governed ops signal for the Gitea registry endpoint once the
|
||||||
|
manifest, widget, event type, and API key exist.
|
||||||
|
|
||||||
|
Initial signal:
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"eventType": "ops-endpoint-verified",
|
||||||
|
"endpoint": "https://gitea.coulomb.social/v2/",
|
||||||
|
"expectedStatus": 401,
|
||||||
|
"viewContext": "railiance-apps/workplans/RAIL-AP-WP-0001"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Done when the event is visible in Inter-Hub and traceable to the owning
|
||||||
|
Railiance workplan.
|
||||||
|
|
||||||
|
Waiting on: T04 and an available `ops-hub` runtime API key.
|
||||||
Reference in New Issue
Block a user