Add routing catalog entry for reuse-surface hub write token.

REUSE_SURFACE_TOKEN is custody of the Railiance01 K8s secret reuse-surface-env,
not OpenBao. Workers blocked on hub register can now discover the lane via
warden route find and obtain it through the documented kubectl handoff.
This commit is contained in:
2026-07-07 00:52:39 +02:00
parent 210f7eab68
commit 7d915a2eb5
4 changed files with 103 additions and 0 deletions

View File

@@ -96,6 +96,7 @@ run the owner's tool as the caller and preserve owner custody.
| `inter-hub-bootstrap-ssh` | "Inter-Hub bootstrap SSH envelope — attended vs unattended branches" | See `wiki/InterHubBootstrapAccessLane.md` |
| `issue-core-ingestion-api-key` | "railiance-platform OpenBao KV + ESO deliver `ISSUE_CORE_API_KEY` — here is the path" | ESO consumes in-cluster; `warden access issue-core-ingestion-api-key --fetch ISSUE_CORE_API_KEY` as yourself |
| `openrouter-llm-connect` | "railiance-platform OpenBao KV + ESO deliver `OPENROUTER_API_KEY` to activity-core" | ESO consumes in-cluster; `warden access openrouter-llm-connect --fetch OPENROUTER_API_KEY` as yourself |
| `reuse-surface-hub-write-token` | "reuse-surface hub write bearer — K8s secret `reuse-surface-env` on Railiance01" | `kubectl` from `~/.kube/config-hosteurope`, or `warden access reuse-surface-hub-write-token --fetch` as yourself |
Promotion criteria: `wiki/playbooks/catalog-lane-promotion.md`.

View File

@@ -0,0 +1,68 @@
# reuse-surface Hub Write Token
Date: 2026-07-07
Catalog: `reuse-surface-hub-write-token` (status `active`, `resolvable: true`)
Owner: `reuse-surface` (service) · deploy custody `railiance-apps` (K8s secret)
Bearer token for authenticated writes to the production federation hub at
`https://reuse.coulomb.social` (`POST /v1/repos`, `reuse-surface hub register`).
ops-warden **does not hold this token** — it is a pointer lane to the cluster
secret that backs the hub Deployment.
---
## Owner-confirmed lane (no placeholders)
| Field | Value |
| --- | --- |
| Cluster | Railiance01 (`92.205.62.239`) |
| Namespace | `reuse` |
| Secret | `reuse-surface-env` |
| Field | `REUSE_SURFACE_TOKEN` |
| Kubeconfig | `~/.kube/config-hosteurope` |
| Deploy runbook | `railiance-apps/docs/reuse-surface-on-railiance01.md` |
| Hub API spec | `reuse-surface/specs/FederationHubAPI.md` |
This is **not** an OpenBao KV path. The token is generated at deploy time and
stored only in the Kubernetes Secret consumed by the `reuse-surface` workload.
---
## Worker checklist
1. **Confirm kubeconfig reachability** (you act as yourself; ops-warden adds no credential):
```bash
kubectl --kubeconfig ~/.kube/config-hosteurope get secret reuse-surface-env -n reuse
```
2. **Export for a shell session** (value streams to your terminal — never paste into chat):
```bash
export REUSE_SURFACE_URL=https://reuse.coulomb.social
export REUSE_SURFACE_TOKEN=$(
kubectl --kubeconfig ~/.kube/config-hosteurope get secret reuse-surface-env -n reuse \
-o jsonpath='{.data.REUSE_SURFACE_TOKEN}' | base64 -d
)
```
3. **Or proxy via warden access** (same kubectl command, audited metadata only):
```bash
warden route show reuse-surface-hub-write-token --json
warden access reuse-surface-hub-write-token --no-policy --fetch
```
4. **Register a repo** after publish-check passes:
```bash
reuse-surface hub status
reuse-surface hub register --repo <slug> \
--url <gitea-raw-capabilities-yaml-url> \
--domain <domain>
```
5. **Verify federated index** picked up the new source:
```bash
curl -fsS "$REUSE_SURFACE_URL/v1/federated" | jq '.sources | map(.repo) | index("<slug>")'
```
Never commit the token, paste it into State Hub or agent chat, or store it in a
workplan. Rotation: regenerate the secret on-cluster and roll the Deployment
(`reuse-surface/docs/deploy/reuse-kubernetes.md`).