generated from coulomb/repo-seed
Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 4b0f771cbd | |||
| 1e6c4eedf1 | |||
| 3ddccaf701 | |||
| d12fdb6112 |
@@ -216,21 +216,25 @@ entries:
|
||||
|
||||
- id: reuse-surface-hub-write-token
|
||||
title: reuse-surface federation hub write bearer token
|
||||
need_keywords: [reuse-surface, reuse_surface, hub, register, federation, write, token, bearer, REUSE_SURFACE_TOKEN, reuse.coulomb.social]
|
||||
owner_repo: reuse-surface
|
||||
subsystem: reuse-surface federation hub
|
||||
need_keywords: [reuse-surface, reuse_surface, hub, register, federation, write, token, bearer, REUSE_SURFACE_TOKEN, REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET, reuse.coulomb.social]
|
||||
owner_repo: railiance-platform
|
||||
subsystem: OpenBao + reuse-surface
|
||||
warden_executes: false
|
||||
wiki_ref: wiki/playbooks/reuse-surface-hub-write-token.md#worker-checklist
|
||||
canon_ref: reuse-surface/specs/FederationHubAPI.md
|
||||
reviewed: "2026-07-07"
|
||||
status: active
|
||||
# Concrete, owner-confirmed lane — REUSE-WP-0011 / RAILIANCE-WP-0007 (hub live
|
||||
# 2026-06-15): token is the cluster Secret reuse-surface-env on Railiance01,
|
||||
# not OpenBao. warden access proxies kubectl as the caller and never holds the value.
|
||||
auth_method: "kubectl with Railiance01 kubeconfig (~/.kube/config-hosteurope)"
|
||||
path_template: "reuse/reuse-surface-env"
|
||||
fetch_command: "kubectl --kubeconfig ~/.kube/config-hosteurope get secret reuse-surface-env -n reuse -o jsonpath='{.data.REUSE_SURFACE_TOKEN}' | base64 -d"
|
||||
# Concrete, owner-confirmed lane — railiance-platform CCR-2026-0005 / RAILIANCE-WP-0011
|
||||
# (promoted 2026-07-07): policy workload-kv-read-reuse-surface-runtime; ExternalSecret
|
||||
# reuse/reuse-surface-runtime SecretSynced to reuse-surface-env on Railiance01;
|
||||
# positive + negative access verified. Production consumer is ESO; warden access
|
||||
# proxies reads as the caller and never holds the value.
|
||||
auth_method: "caller's own OpenBao token (operator OIDC via key-cape, or a token carrying workload-kv-read-reuse-surface-runtime)"
|
||||
path_template: "platform/workloads/reuse/reuse-surface/runtime-secrets"
|
||||
fetch_command: "bao kv get -field=REUSE_SURFACE_TOKEN platform/workloads/reuse/reuse-surface/runtime-secrets"
|
||||
policy_ref: "flex-auth check secret.read:reuse"
|
||||
exec_capable: true
|
||||
resolvable: true
|
||||
lane: secret
|
||||
|
||||
- id: openrouter-llm-connect
|
||||
@@ -257,6 +261,24 @@ entries:
|
||||
exec_capable: true
|
||||
lane: secret
|
||||
|
||||
- id: railiance-backup-offsite-lane
|
||||
title: Railiance offsite backup Nextcloud WebDAV credentials
|
||||
need_keywords: [railiance, backup, nextcloud, webdav, offsite, age, forgejo-backup, NC_WEBDAV_TOKEN, file drop]
|
||||
owner_repo: railiance-platform
|
||||
subsystem: OpenBao + Nextcloud
|
||||
warden_executes: false
|
||||
wiki_ref: wiki/playbooks/railiance-backup-offsite-lane.md#worker-checklist
|
||||
canon_ref: railiance-platform/docs/workload-kv-access-lanes.md
|
||||
reviewed: "2026-07-07"
|
||||
status: draft
|
||||
# CCR-2026-0004: policy + OIDC role applied; values provisioned 2026-07-07.
|
||||
# Promote to active after positive/negative caller verification.
|
||||
auth_method: "caller's own OpenBao token (OIDC netkingdom role railiance-backup-workload-kv-read)"
|
||||
path_template: "platform/workloads/railiance/backup/offsite-lane"
|
||||
fetch_command: "bao kv get -field=<FIELD> platform/workloads/railiance/backup/offsite-lane"
|
||||
exec_capable: true
|
||||
lane: secret
|
||||
|
||||
# --- draft: owner path not yet shipped; hidden from default lookup ---
|
||||
|
||||
- id: object-storage-sts
|
||||
|
||||
@@ -64,16 +64,16 @@ def test_resolve_refuses_non_exec_capable():
|
||||
resolve_fetch_command(_entry(exec_capable=False, fetch_command=None))
|
||||
|
||||
|
||||
def test_resolve_piped_fetch_uses_shell_cmd():
|
||||
def test_resolve_bao_fetch_uses_argv():
|
||||
from warden.routing import load_catalog
|
||||
|
||||
catalog = load_catalog(Path(__file__).resolve().parents[1] / "registry" / "routing" / "catalog.yaml")
|
||||
entry = catalog.get("reuse-surface-hub-write-token")
|
||||
resolved = resolve_fetch_command(entry)
|
||||
assert resolved.argv is None
|
||||
assert resolved.shell_cmd is not None
|
||||
assert "| base64 -d" in resolved.shell_cmd
|
||||
assert "reuse-surface-env" in resolved.shell_cmd
|
||||
assert resolved.argv is not None
|
||||
assert resolved.shell_cmd is None
|
||||
assert resolved.argv[0] == "bao"
|
||||
assert "platform/workloads/reuse/reuse-surface/runtime-secrets" in resolved.argv
|
||||
|
||||
|
||||
# --- G2: transit-only fetch (inherited stdout) -----------------------------
|
||||
|
||||
@@ -288,8 +288,8 @@ def test_reuse_surface_hub_write_token_lane_is_resolvable():
|
||||
e = catalog.get("reuse-surface-hub-write-token")
|
||||
assert e is not None and e.is_active and e.exec_capable
|
||||
assert e.resolvable is True
|
||||
assert e.owner_repo == "reuse-surface"
|
||||
assert "reuse-surface-env" in e.fetch_command
|
||||
assert e.owner_repo == "railiance-platform"
|
||||
assert "platform/workloads/reuse/reuse-surface/runtime-secrets" in e.fetch_command
|
||||
|
||||
|
||||
def test_find_object_storage_sts():
|
||||
|
||||
@@ -96,7 +96,7 @@ run the owner's tool as the caller and preserve owner custody.
|
||||
| `inter-hub-bootstrap-ssh` | "Inter-Hub bootstrap SSH envelope — attended vs unattended branches" | See `wiki/InterHubBootstrapAccessLane.md` |
|
||||
| `issue-core-ingestion-api-key` | "railiance-platform OpenBao KV + ESO deliver `ISSUE_CORE_API_KEY` — here is the path" | ESO consumes in-cluster; `warden access issue-core-ingestion-api-key --fetch ISSUE_CORE_API_KEY` as yourself |
|
||||
| `openrouter-llm-connect` | "railiance-platform OpenBao KV + ESO deliver `OPENROUTER_API_KEY` to activity-core" | ESO consumes in-cluster; `warden access openrouter-llm-connect --fetch OPENROUTER_API_KEY` as yourself |
|
||||
| `reuse-surface-hub-write-token` | "reuse-surface hub write bearer — K8s secret `reuse-surface-env` on Railiance01" | `kubectl` from `~/.kube/config-hosteurope`, or `warden access reuse-surface-hub-write-token --fetch` as yourself |
|
||||
| `reuse-surface-hub-write-token` | "railiance-platform OpenBao KV + ESO deliver `REUSE_SURFACE_TOKEN` to reuse-surface" | ESO consumes in-cluster; `warden access reuse-surface-hub-write-token --fetch` as yourself |
|
||||
|
||||
Promotion criteria: `wiki/playbooks/catalog-lane-promotion.md`.
|
||||
|
||||
|
||||
59
wiki/playbooks/railiance-backup-offsite-lane.md
Normal file
59
wiki/playbooks/railiance-backup-offsite-lane.md
Normal file
@@ -0,0 +1,59 @@
|
||||
# Railiance Offsite Backup Lane
|
||||
|
||||
Date: 2026-07-07
|
||||
Catalog: `railiance-backup-offsite-lane` (status `draft`, `resolvable: false` until verified)
|
||||
Owner: `railiance-platform` (CCR-2026-0004)
|
||||
|
||||
Nextcloud WebDAV upload token and URL for age-encrypted offsite backups (Option A).
|
||||
Used by `railiance-backup` (workstation) and `forgejo-backup` (platform).
|
||||
|
||||
---
|
||||
|
||||
## OpenBao pointers
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Mount | `platform` |
|
||||
| Path | `platform/workloads/railiance/backup/offsite-lane` |
|
||||
| Fields | `NC_WEBDAV_TOKEN`, `NC_WEBDAV_URL`, `AGE_PRIVATE_KEY` |
|
||||
| Policy | `workload-kv-read-railiance-backup-offsite-lane` |
|
||||
| OIDC role | `railiance-backup-workload-kv-read` (`groups=net-kingdom-admins`) |
|
||||
|
||||
---
|
||||
|
||||
## Worker checklist
|
||||
|
||||
1. **Login** (caller identity — ops-warden adds no credential):
|
||||
|
||||
```bash
|
||||
bao login -method=oidc -path=netkingdom role=railiance-backup-workload-kv-read
|
||||
```
|
||||
|
||||
2. **Export for a backup run** (value streams to your shell — never paste into chat):
|
||||
|
||||
```bash
|
||||
export RAILIANCE_BACKUP_NC_TOKEN=$(
|
||||
bao kv get -field=NC_WEBDAV_TOKEN platform/workloads/railiance/backup/offsite-lane
|
||||
)
|
||||
export RAILIANCE_BACKUP_NC_WEBDAV_URL=$(
|
||||
bao kv get -field=NC_WEBDAV_URL platform/workloads/railiance/backup/offsite-lane
|
||||
)
|
||||
```
|
||||
|
||||
3. **Or proxy via warden access** (after catalog promotion):
|
||||
|
||||
```bash
|
||||
warden access railiance-backup-offsite-lane --no-policy --fetch --field NC_WEBDAV_TOKEN
|
||||
```
|
||||
|
||||
4. **Run backup**:
|
||||
|
||||
```bash
|
||||
# workstation custodian DB + config
|
||||
bin/railiance backup
|
||||
|
||||
# Forgejo production (from railiance-platform checkout)
|
||||
tools/cmd/forgejo-backup
|
||||
```
|
||||
|
||||
`AGE_PRIVATE_KEY` in the same path is recovery escrow — fetch only for restore drills.
|
||||
@@ -1,13 +1,13 @@
|
||||
# reuse-surface Hub Write Token
|
||||
# reuse-surface Hub Write Token — OpenBao Custody
|
||||
|
||||
Date: 2026-07-07
|
||||
Catalog: `reuse-surface-hub-write-token` (status `active`, `resolvable: true`)
|
||||
Owner: `reuse-surface` (service) · deploy custody `railiance-apps` (K8s secret)
|
||||
Date: 2026-07-07 (promoted active 2026-07-07)
|
||||
Workplan: RAILIANCE-WP-0011-T03 · CCR-2026-0005
|
||||
Catalog: `reuse-surface-hub-write-token` (**active** — path live, ESO delivering)
|
||||
|
||||
Bearer token for authenticated writes to the production federation hub at
|
||||
`https://reuse.coulomb.social` (`POST /v1/repos`, `reuse-surface hub register`).
|
||||
ops-warden **does not hold this token** — it is a pointer lane to the cluster
|
||||
secret that backs the hub Deployment.
|
||||
ops-warden does not vend this token — custody belongs to `railiance-platform`
|
||||
(OpenBao) and the `reuse-surface` workload via External Secrets.
|
||||
|
||||
---
|
||||
|
||||
@@ -15,54 +15,76 @@ secret that backs the hub Deployment.
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Cluster | Railiance01 (`92.205.62.239`) |
|
||||
| Namespace | `reuse` |
|
||||
| Secret | `reuse-surface-env` |
|
||||
| Field | `REUSE_SURFACE_TOKEN` |
|
||||
| Kubeconfig | `~/.kube/config-hosteurope` |
|
||||
| OpenBao server | `https://bao.coulomb.social` (coulombcore) |
|
||||
| KV path | `platform/workloads/reuse/reuse-surface/runtime-secrets` |
|
||||
| Hub write field | `REUSE_SURFACE_TOKEN` |
|
||||
| Webhook HMAC field | `REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET` |
|
||||
| Read policy | `workload-kv-read-reuse-surface-runtime` |
|
||||
| ESO delivery | `ExternalSecret reuse/reuse-surface-runtime` → `reuse-surface-env` (Railiance01) |
|
||||
| Deploy runbook | `railiance-apps/docs/reuse-surface-on-railiance01.md` |
|
||||
| Hub API spec | `reuse-surface/specs/FederationHubAPI.md` |
|
||||
|
||||
This is **not** an OpenBao KV path. The token is generated at deploy time and
|
||||
stored only in the Kubernetes Secret consumed by the `reuse-surface` workload.
|
||||
**Promotion gate (met 2026-07-07):** path seeded, `ExternalSecret reuse/reuse-surface-runtime`
|
||||
`SecretSynced`, positive hub + webhook verification and negative default-policy denial
|
||||
recorded in CCR-2026-0005.
|
||||
|
||||
### Break-glass (cluster read)
|
||||
|
||||
If OpenBao is unreachable, operators with Railiance01 kubeconfig may read the
|
||||
materialized Secret (ESO cache):
|
||||
|
||||
```bash
|
||||
kubectl --kubeconfig ~/.kube/config-hosteurope get secret reuse-surface-env -n reuse \
|
||||
-o jsonpath='{.data.REUSE_SURFACE_TOKEN}' | base64 -d
|
||||
```
|
||||
|
||||
Never paste values into chat, State Hub, workplans, or Git.
|
||||
|
||||
---
|
||||
|
||||
## Worker checklist
|
||||
|
||||
1. **Confirm kubeconfig reachability** (you act as yourself; ops-warden adds no credential):
|
||||
1. **Confirm OpenBao reachability** (you act as yourself; ops-warden adds no credential):
|
||||
```bash
|
||||
kubectl --kubeconfig ~/.kube/config-hosteurope get secret reuse-surface-env -n reuse
|
||||
bao kv metadata get platform/workloads/reuse/reuse-surface/runtime-secrets
|
||||
```
|
||||
|
||||
2. **Export for a shell session** (value streams to your terminal — never paste into chat):
|
||||
2. **Export hub write token for a shell session** (streams to your terminal):
|
||||
```bash
|
||||
export REUSE_SURFACE_URL=https://reuse.coulomb.social
|
||||
export REUSE_SURFACE_TOKEN=$(
|
||||
kubectl --kubeconfig ~/.kube/config-hosteurope get secret reuse-surface-env -n reuse \
|
||||
-o jsonpath='{.data.REUSE_SURFACE_TOKEN}' | base64 -d
|
||||
bao kv get -field=REUSE_SURFACE_TOKEN \
|
||||
platform/workloads/reuse/reuse-surface/runtime-secrets
|
||||
)
|
||||
```
|
||||
|
||||
3. **Or proxy via warden access** (same kubectl command, audited metadata only):
|
||||
3. **Or proxy via warden access** (same `bao kv get`, audited metadata only):
|
||||
```bash
|
||||
warden route show reuse-surface-hub-write-token --json
|
||||
warden access reuse-surface-hub-write-token --no-policy --fetch
|
||||
```
|
||||
|
||||
4. **Register a repo** after publish-check passes:
|
||||
4. **Webhook HMAC** (same path, second field — must match Forgejo org webhook):
|
||||
```bash
|
||||
bao kv get -field=REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET \
|
||||
platform/workloads/reuse/reuse-surface/runtime-secrets
|
||||
```
|
||||
After rotation: `railiance-apps` `make reuse-forgejo-webhook`.
|
||||
|
||||
5. **Register a repo** after publish-check passes:
|
||||
```bash
|
||||
reuse-surface hub status
|
||||
reuse-surface hub register --repo <slug> \
|
||||
--url <gitea-raw-capabilities-yaml-url> \
|
||||
--url <forgejo-raw-capabilities-yaml-url> \
|
||||
--domain <domain>
|
||||
```
|
||||
|
||||
5. **Verify federated index** picked up the new source:
|
||||
6. **Verify federated index** picked up the new source:
|
||||
```bash
|
||||
curl -fsS "$REUSE_SURFACE_URL/v1/federated" | jq '.sources | map(.repo) | index("<slug>")'
|
||||
```
|
||||
|
||||
Never commit the token, paste it into State Hub or agent chat, or store it in a
|
||||
workplan. Rotation: regenerate the secret on-cluster and roll the Deployment
|
||||
(`reuse-surface/docs/deploy/reuse-kubernetes.md`).
|
||||
Rotation: `railiance-platform/docs/reuse-surface-runtime-secrets-rotation-runbook.md`
|
||||
(OpenBao patch → ESO `force-sync` → hub rollout → `make reuse-forgejo-webhook` when
|
||||
the webhook HMAC changes → `make reuse-webhook-smoke`). Lifecycle:
|
||||
`railiance-platform/docs/credential-lane-lifecycle-runbook.md` (CCR-2026-0005).
|
||||
Reference in New Issue
Block a user