tegwick
19661ca0c6
- workplans/RAIL-BS-WP-0002-hosteurope-bootstrap.md: new workplan for Secure Single-Server Bootstrap at HostEurope (repo goal d7092599). T01-T03 done; T04+T05 require ansible on a box with network access to 92.205.62.239 (hosts.ini is gitignored — recreate on new box). - ansible/harden.yml: new playbook — disables root/password SSH auth, enables UFW (allow 22/tcp 6443/tcp 8472/udp, deny-all default), installs fail2ban with SSH jail, sets HISTCONTROL=ignorespace. - ansible/bootstrap.yml: import_playbook harden.yml runs before k3s. - ansible/hosts.ini.example: add [hosteurope] group template. - QUICKSTART.md: document two-stage bootstrap (harden → k3s). - CLAUDE.md: add goal_guidance handling to session protocol (needs_workplan + alignment_warnings). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
5.6 KiB
railiance-bootstrap — Claude Code Instructions
Custodian State Hub Integration
This project is tracked as the railiance domain in the Custodian State Hub.
Hub topic ID: ca369340-a64e-442e-98f1-a4fa7dc74a38
The State Hub runs locally at http://127.0.0.1:8000. The MCP server (state-hub)
exposes tools for reading and writing state without touching the API directly.
Session Protocol
On receiving your first message — before writing any response text — execute this orientation sequence. Do not greet, do not ask what to do first.
Step 1 — Call the State Hub
get_state_summary() # orientation: workstreams, decisions, recent progress
get_next_steps() # contextual suggestions from resolved decisions
If the call fails, the API is offline: cd ~/the-custodian/state-hub && make api
Step 2 — Scan local workplans
Read every .md file under workplans/. Use Glob(pattern="**/*.md", path="workplans/")
or Bash ls workplans/ to discover them. For each file with status: active,
extract and note:
- The workplan title and ID
- All tasks whose
statusistodoorin_progress
Step 3 — Present orientation to the user
Output a concise brief covering:
- Active workstreams for the
railiancedomain — title, task counts, any blocking decisions - Pending tasks for this repo — from local
workplans/files (Step 2) plus any state hub tasks with[repo:railiance-bootstrap]in their title - Goal guidance — if the summary contains a
goal_guidancekey, act on it:needs_workplanentries: for each active repo goal with no linked workstream, surface it as the top suggested action — "Repo goal '{title}' has no workplan yet. Suggest: create workplans/RAIL-BS-WP-NNNN-.md and register a workstream with repo_goal_id='{goal_id}'". Treat this as higher priority than continuing existing work unless Bernd says otherwise.alignment_warningsentries: if active workstreams exist but are not linked to the current repo goal, name the most recently active one and note: "Current work on '{recent_workstream_title}' may not be aligned with the active goal '{active_goal_title}'. Continue unless you hear otherwise — but flag it."
- Suggested next action — the highest-priority open item across all sources, with goal alignment taken into account
- SBOM status —
last_sbom_atforrailiance-bootstrapis currently null (gap: no lockfile yet — seeworkplans/RAIL-BS-WP-0001-dependency-management.md)
During work:
- Use
record_decision()for any decision that affects direction or dependencies. - Use
add_progress_event()for notable events (milestones, blockers, insights). - Use
resolve_decision()to close a decision once the choice is made.
Design boundary: The State Hub is a read model. Two write operations are permanently sanctioned: Resolving Decisions and Suggesting Next Steps. Bootstrap tools are only for First Session Protocol. Work structure belongs in the domain repo as files (ADR-001).
At the end of every session:
- Call
add_progress_event()with a summary of what was accomplished. Includetopic_id: ca369340-a64e-442e-98f1-a4fa7dc74a38andworkstream_id.
Known Pending Tasks (as of 2026-03-01)
RAIL-BS-WP-0001 — Dependency Management (workplans/RAIL-BS-WP-0001-dependency-management.md)
The SBOM scanner finds nothing to ingest because Ansible and control-node pip dependencies are not declared in any lockfile. This is the top-priority open task for this repo.
| Task | Priority | Status |
|---|---|---|
| T01: Audit control-node pip deps | medium | todo |
| T02: Create pyproject.toml + uv.lock | medium | todo |
| T03: Ingest SBOM into State Hub | medium | todo |
| T04: Create ansible/requirements.yml | low | todo |
State Hub task ID: 5f8cade5-119c-42e8-ba93-e9d0478650e4
First Session Protocol
Triggered when get_state_summary() shows no workstreams for railiance.
Step 1 — Read ~/the-custodian/canon/projects/railiance/project_charter_v0.1.md
and roadmap_v0.1.md, then scan this repo root.
Step 2 — Survey in-progress work (TODOs, open branches, half-finished files).
Step 3 — Propose 1–3 workstreams. Wait for approval before creating anything.
Step 4 — Create workplan file first (workplans/RAIL-WP-NNNN-<slug>.md),
then register in hub:
create_workstream(topic_id="ca369340-a64e-442e-98f1-a4fa7dc74a38", ...)
create_task(workstream_id="<id>", ...)
Step 5 — Record setup with add_progress_event().
Workplan Convention (ADR-001)
Work items originate as files in workplans/ before being registered in the hub.
When the custodian creates a task for this repo, it places a workplan file here
AND creates a state hub task with [repo:railiance-bootstrap] in the title.
Both appear at session start via the orientation above.
Contribution Tracking
contrib/
bug-reports/ # br-YYYY-MM-DD--org--repo--slug.md
feature-requests/ # fr-YYYY-MM-DD--org--repo--slug.md
extension-points/ # EP-RAIL-NNN--org--repo--slug.md
upstream-prs/ # upr-YYYY-MM-DD--org--repo--slug.md
Templates: ~/the-custodian/canon/standards/contrib-templates/
SBOM
After creating and committing the lockfile (see RAIL-BS-WP-0001), ingest:
cd ~/the-custodian/state-hub
make ingest-sbom REPO=railiance-bootstrap SCAN=1 REPO_PATH=/home/worsch/railiance-bootstrap
Quick Reference
~/the-custodian/state-hub/mcp_server/TOOLS.md — compact MCP tool reference