generated from coulomb/repo-seed
REUSE_SURFACE_TOKEN is custody of the Railiance01 K8s secret reuse-surface-env, not OpenBao. Workers blocked on hub register can now discover the lane via warden route find and obtain it through the documented kubectl handoff.
68 lines
2.4 KiB
Markdown
68 lines
2.4 KiB
Markdown
# reuse-surface Hub Write Token
|
|
|
|
Date: 2026-07-07
|
|
Catalog: `reuse-surface-hub-write-token` (status `active`, `resolvable: true`)
|
|
Owner: `reuse-surface` (service) · deploy custody `railiance-apps` (K8s secret)
|
|
|
|
Bearer token for authenticated writes to the production federation hub at
|
|
`https://reuse.coulomb.social` (`POST /v1/repos`, `reuse-surface hub register`).
|
|
ops-warden **does not hold this token** — it is a pointer lane to the cluster
|
|
secret that backs the hub Deployment.
|
|
|
|
---
|
|
|
|
## Owner-confirmed lane (no placeholders)
|
|
|
|
| Field | Value |
|
|
| --- | --- |
|
|
| Cluster | Railiance01 (`92.205.62.239`) |
|
|
| Namespace | `reuse` |
|
|
| Secret | `reuse-surface-env` |
|
|
| Field | `REUSE_SURFACE_TOKEN` |
|
|
| Kubeconfig | `~/.kube/config-hosteurope` |
|
|
| Deploy runbook | `railiance-apps/docs/reuse-surface-on-railiance01.md` |
|
|
| Hub API spec | `reuse-surface/specs/FederationHubAPI.md` |
|
|
|
|
This is **not** an OpenBao KV path. The token is generated at deploy time and
|
|
stored only in the Kubernetes Secret consumed by the `reuse-surface` workload.
|
|
|
|
---
|
|
|
|
## Worker checklist
|
|
|
|
1. **Confirm kubeconfig reachability** (you act as yourself; ops-warden adds no credential):
|
|
```bash
|
|
kubectl --kubeconfig ~/.kube/config-hosteurope get secret reuse-surface-env -n reuse
|
|
```
|
|
|
|
2. **Export for a shell session** (value streams to your terminal — never paste into chat):
|
|
```bash
|
|
export REUSE_SURFACE_URL=https://reuse.coulomb.social
|
|
export REUSE_SURFACE_TOKEN=$(
|
|
kubectl --kubeconfig ~/.kube/config-hosteurope get secret reuse-surface-env -n reuse \
|
|
-o jsonpath='{.data.REUSE_SURFACE_TOKEN}' | base64 -d
|
|
)
|
|
```
|
|
|
|
3. **Or proxy via warden access** (same kubectl command, audited metadata only):
|
|
```bash
|
|
warden route show reuse-surface-hub-write-token --json
|
|
warden access reuse-surface-hub-write-token --no-policy --fetch
|
|
```
|
|
|
|
4. **Register a repo** after publish-check passes:
|
|
```bash
|
|
reuse-surface hub status
|
|
reuse-surface hub register --repo <slug> \
|
|
--url <gitea-raw-capabilities-yaml-url> \
|
|
--domain <domain>
|
|
```
|
|
|
|
5. **Verify federated index** picked up the new source:
|
|
```bash
|
|
curl -fsS "$REUSE_SURFACE_URL/v1/federated" | jq '.sources | map(.repo) | index("<slug>")'
|
|
```
|
|
|
|
Never commit the token, paste it into State Hub or agent chat, or store it in a
|
|
workplan. Rotation: regenerate the secret on-cluster and roll the Deployment
|
|
(`reuse-surface/docs/deploy/reuse-kubernetes.md`). |