Add activity-core-issue-sink routing playbook and catalog entry

Agents can discover the activity-core → issue-core emission contract via
`warden route show activity-core-issue-sink` instead of messaging ops-warden
for ISSUE_CORE_API_KEY. The playbook points at owner-repo docs per the
no-double-source rule.
2026-06-18 22:34:59 +02:00
parent 2778bb9f71
commit 03a7901347
3 changed files with 79 additions and 0 deletions

@@ -103,6 +103,17 @@ entries:
reviewed: "2026-06-18"
status: active
- id: activity-core-issue-sink
title: activity-core IssueSink → issue-core REST emission
need_keywords: [activity-core, issue-sink, issue-core, emission, issue_core_url, issue_core_api_key, tasks, ingest, rest, issuesink]
owner_repo: activity-core
subsystem: activity-core + issue-core
warden_executes: false
wiki_ref: wiki/playbooks/activity-core-issue-sink.md#worker-checklist
canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
reviewed: "2026-06-18"
status: active
# --- draft: owner path not yet shipped; hidden from default lookup ---
- id: issue-core-ingestion-api-key
title: issue-core ingestion API key (OpenBao path TBD)
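Review bot: In the new `activity-core-issue-sink` entry, `need_keywords` mixes lane-specific terms with generic ones (`tasks`, `ingest`, `rest`), and `issue-core` and `issue_core_api_key` are also the subject of the draft `issue-core-ingestion-api-key` entry directly below. If lookup matches on individual keywords, unrelated queries could route here, and key queries may overlap once the draft entry is promoted. Consider trimming the generic terms. Also, `owner_repo` names only `activity-core` while `subsystem` lists both activity-core and issue-core; a short comment saying which repo is the first contact would remove the ambiguity.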

@@ -86,6 +86,7 @@ executes.
| `key-cape-oidc-login` | "key-cape / Keycloak owns identity" | Authenticate via IAM Profile |
| `ops-bridge-tunnel` | "ops-bridge owns transport — supply a `cert_command`" | Open the tunnel with ops-bridge |
| `railiance-infra-principals` | "railiance-infra deploys host principals" | Run the infra Ansible |
| `activity-core-issue-sink` | "activity-core + issue-core own emission — pair `ISSUE_CORE_*` env vars" | See `wiki/playbooks/activity-core-issue-sink.md` |
ops-warden answers *where + who*; the worker acts on the owning system. ops-warden
never performs the non-SSH step on the worker's behalf.
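Review bot: The third column of the new `activity-core-issue-sink` row reads "See `wiki/playbooks/activity-core-issue-sink.md`", while the neighbouring rows state the action the worker takes on the owning system (for example "Run the infra Ansible"). Suggest phrasing it as the action, such as setting the paired `ISSUE_CORE_*` env vars on activity-core and issue-core, and leaving the playbook path to the catalog entry's `wiki_ref`.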

@@ -0,0 +1,67 @@
# activity-core IssueSink → issue-core REST emission
Date: 2026-06-18
Pointer playbook for agents wiring **activity-core** task emission to the
**issue-core** REST ingestion endpoint. Authoritative contracts live in the
owner repos — this page is a checklist and index only (no-double-source rule).
---
## Owners
| Concern | Owner repo | Authoritative doc |
| --- | --- | --- |
| IssueSink consumer (`IssueCoreRestSink`) | `activity-core` | `docs/issue-core-emission-boundary.md` |
| Ingestion server (`POST /issues/`) | `issue-core` | `README.md` — REST Ingestion Server |
| Production secret injection (K8s/OpenBao) | `railiance-platform` | catalog id `issue-core-ingestion-api-key` (draft until path ships) |
---
## Do not ask ops-warden
`ISSUE_CORE_API_KEY` is a **shared ingestion key** between activity-core and
issue-core. It is not an SSH certificate and ops-warden does not vend it.
- Generic API-key routing: `warden route show openbao-api-key --json`
- This emission lane: `warden route show activity-core-issue-sink --json`
- State Hub messages to `ops-warden` expecting a key value will not succeed.
Never paste key values into Git, State Hub, workplans, logs, or agent chat.
---
## Worker checklist
1. **Confirm sink mode**`ISSUE_SINK_TYPE=rest` for live emission; `null` for
dry-run (Railiance production default today). See activity-core `SCOPE.md`.
2. **Pair env vars on both sides** (same value):
- `ISSUE_CORE_URL` — e.g. `http://127.0.0.1:8765` locally
- `ISSUE_CORE_API_KEY` — shared secret; activity-core sends
`Authorization: Bearer <key>`; issue-core validates on ingest
3. **Local dev** — generate once, export on both processes:
```bash
export ISSUE_CORE_API_KEY="$(python3 -c 'import secrets; print(secrets.token_urlsafe(32))')"
issue serve --host 127.0.0.1 --port 8765 # issue-core terminal
```
Use `default: local` in `~/.config/issue-tracker/backends.json` for local
smoke — a remote Gitea default backend will hang on ingest.
4. **Verify** — `uv run pytest tests/test_issue_sink.py` in activity-core;
one live POST should return `201` with `issue_id` (see issue-core README).
5. **Production** — inject `ISSUE_CORE_API_KEY` via OpenBao/K8s on both
deployments; coordinate with `railiance-platform` when the canonical path
ships (`issue-core-ingestion-api-key` catalog entry).
### Known contract gap
issue-core requires `triggering_event_id` as a UUID; activity-core cron paths
may send non-UUID keys (e.g. `"scheduled"`). Event-driven emission with real
event UUIDs works; align schemas before enabling cron rules against live REST.
---
## See also
- `activity-core/AGENTS.md` — Issue-core emission section
- `issue-core/AGENTS.md` — REST ingestion API key section
- `WARDEN-WP-0012` — playbook backlog and promotion gates
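Review bot: In Worker checklist step 3, the `export ISSUE_CORE_API_KEY="$(python3 -c ...)"` line produces a fresh random key every time it runs, so a worker who pastes it into both the activity-core and issue-core terminals ends up with two different keys and a failing Bearer check, despite the "generate once, export on both processes" wording. Suggest showing the value generated once and then handed to the second process explicitly (same shell, or a local file kept outside Git), and saying which terminal the export line belongs to. Smaller points: step 1 is missing a separator between `**Confirm sink mode**` and `ISSUE_SINK_TYPE=rest`; step 5 and the Owners table point workers at catalog id `issue-core-ingestion-api-key`, which the catalog marks as a draft hidden from default lookup, so the playbook should say how to reach it or hold the pointer until it ships; and the only example URL is `http://127.0.0.1:8765`, so since the key travels as `Authorization: Bearer <key>`, a line requiring TLS for any non-local `ISSUE_CORE_URL` would be worth adding.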