diff --git a/registry/routing/catalog.yaml b/registry/routing/catalog.yaml index 711c532..69ac651 100644 --- a/registry/routing/catalog.yaml +++ b/registry/routing/catalog.yaml @@ -103,6 +103,17 @@ entries: reviewed: "2026-06-18" status: active + - id: activity-core-issue-sink + title: activity-core IssueSink → issue-core REST emission + need_keywords: [activity-core, issue-sink, issue-core, emission, issue_core_url, issue_core_api_key, tasks, ingest, rest, issuesink] + owner_repo: activity-core + subsystem: activity-core + issue-core + warden_executes: false + wiki_ref: wiki/playbooks/activity-core-issue-sink.md#worker-checklist + canon_ref: net-kingdom/docs/platform-identity-security-architecture.md + reviewed: "2026-06-18" + status: active + # --- draft: owner path not yet shipped; hidden from default lookup --- - id: issue-core-ingestion-api-key title: issue-core ingestion API key (OpenBao path TBD) diff --git a/wiki/CredentialRouting.md b/wiki/CredentialRouting.md index ad61669..f3c6d60 100644 --- a/wiki/CredentialRouting.md +++ b/wiki/CredentialRouting.md @@ -86,6 +86,7 @@ executes. | `key-cape-oidc-login` | "key-cape / Keycloak owns identity" | Authenticate via IAM Profile | | `ops-bridge-tunnel` | "ops-bridge owns transport — supply a `cert_command`" | Open the tunnel with ops-bridge | | `railiance-infra-principals` | "railiance-infra deploys host principals" | Run the infra Ansible | +| `activity-core-issue-sink` | "activity-core + issue-core own emission — pair `ISSUE_CORE_*` env vars" | See `wiki/playbooks/activity-core-issue-sink.md` | ops-warden answers *where + who*; the worker acts on the owning system. ops-warden never performs the non-SSH step on the worker's behalf. diff --git a/wiki/playbooks/activity-core-issue-sink.md b/wiki/playbooks/activity-core-issue-sink.md new file mode 100644 index 0000000..8a0bb4b --- /dev/null +++ b/wiki/playbooks/activity-core-issue-sink.md 
@@ -0,0 +1,67 @@ +# activity-core IssueSink → issue-core REST emission + +Date: 2026-06-18 + +Pointer playbook for agents wiring **activity-core** task emission to the +**issue-core** REST ingestion endpoint. Authoritative contracts live in the +owner repos — this page is a checklist and index only (no-double-source rule). + +--- + +## Owners + +| Concern | Owner repo | Authoritative doc | +| --- | --- | --- | +| IssueSink consumer (`IssueCoreRestSink`) | `activity-core` | `docs/issue-core-emission-boundary.md` | +| Ingestion server (`POST /issues/`) | `issue-core` | `README.md` — REST Ingestion Server | +| Production secret injection (K8s/OpenBao) | `railiance-platform` | catalog id `issue-core-ingestion-api-key` (draft until path ships) | + +--- + +## Do not ask ops-warden + +`ISSUE_CORE_API_KEY` is a **shared ingestion key** between activity-core and +issue-core. It is not an SSH certificate and ops-warden does not vend it. + +- Generic API-key routing: `warden route show openbao-api-key --json` +- This emission lane: `warden route show activity-core-issue-sink --json` +- State Hub messages to `ops-warden` expecting a key value will not succeed. + +Never paste key values into Git, State Hub, workplans, logs, or agent chat. + +--- + +## Worker checklist + +1. **Confirm sink mode** — `ISSUE_SINK_TYPE=rest` for live emission; `null` for + dry-run (Railiance production default today). See activity-core `SCOPE.md`. +2. **Pair env vars on both sides** (same value): + - `ISSUE_CORE_URL` — e.g. `http://127.0.0.1:8765` locally + - `ISSUE_CORE_API_KEY` — shared secret; activity-core sends + `Authorization: Bearer `; issue-core validates on ingest +3. 
**Local dev** — generate once, export on both processes: + ```bash + export ISSUE_CORE_API_KEY="$(python3 -c 'import secrets; print(secrets.token_urlsafe(32))')" + issue serve --host 127.0.0.1 --port 8765 # issue-core terminal + ``` + Use `default: local` in `~/.config/issue-tracker/backends.json` for local + smoke — a remote Gitea default backend will hang on ingest. +4. **Verify** — `uv run pytest tests/test_issue_sink.py` in activity-core; + one live POST should return `201` with `issue_id` (see issue-core README). +5. **Production** — inject `ISSUE_CORE_API_KEY` via OpenBao/K8s on both + deployments; coordinate with `railiance-platform` when the canonical path + ships (`issue-core-ingestion-api-key` catalog entry). + +### Known contract gap + +issue-core requires `triggering_event_id` as a UUID; activity-core cron paths +may send non-UUID keys (e.g. `"scheduled"`). Event-driven emission with real +event UUIDs works; align schemas before enabling cron rules against live REST. + +--- + +## See also + +- `activity-core/AGENTS.md` — Issue-core emission section +- `issue-core/AGENTS.md` — REST ingestion API key section +- `WARDEN-WP-0012` — playbook backlog and promotion gates \ No newline at end of file
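Review bot: In the `registry/routing/catalog.yaml` hunk, the new `activity-core-issue-sink` entry is `status: active`, but its `wiki_ref` lands on `#worker-checklist`, whose production step depends on `issue-core-ingestion-api-key`. That entry, directly below, is still a draft ("OpenBao path TBD") and hidden from default lookup. A worker who resolves the active route gets no signal from the catalog that the production secret path has not shipped. Suggest recording that dependency on the entry, in whatever field the catalog schema offers for notes or related ids, or narrowing the title to the local and dry-run wiring until the draft is promoted. Separately, `owner_repo: activity-core` names one repo while `subsystem: activity-core + issue-core` names two; confirm a single owner is intended, given that issue-core is the side that validates the key.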
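Review bot: In the `wiki/CredentialRouting.md` hunk, the last cell of the added `activity-core-issue-sink` row is a pointer ("See `wiki/playbooks/activity-core-issue-sink.md`"), whereas the neighbouring rows name the action the worker takes ("Authenticate via IAM Profile", "Run the infra Ansible"). Suggest stating the action in the same style, for example pairing `ISSUE_CORE_URL` and `ISSUE_CORE_API_KEY` on both deployments, and keeping the playbook reference as a link. The path is also written from the repository root although this file already lives under `wiki/`, so it will not resolve if it is ever turned into a relative link.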
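Review bot: In the `wiki/playbooks/activity-core-issue-sink.md` hunk, checklist step 2 shows the header as `Authorization: Bearer ` with nothing after the scheme, so the reader cannot tell what follows it. Suggest writing it as `Authorization: Bearer $ISSUE_CORE_API_KEY`, which names the variable without showing a value. Two further points on the same checklist. The only `ISSUE_CORE_URL` example is `http://127.0.0.1:8765`, and step 5 says nothing about transport; because the shared key is sent as a bearer token on every request, step 5 should state what transport protection the production URL requires. The "Known contract gap" section says cron paths may send a non-UUID `triggering_event_id`, but step 1 tells the worker to set `ISSUE_SINK_TYPE=rest` without mentioning it; a one-line cross-reference in step 1 would stop a worker enabling live emission for cron rules before the schemas are aligned. The file also ends without a trailing newline.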