coulomb/railiance-forge
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2b95c1dd59eeca4865ae33e07050fff6be7e94ee
railiance-forge/AGENTS.md
tegwick 2b95c1dd59 Add credential routing guidance for agent runtimes 
Inline ops-warden credential routing in AGENTS.md and mirror it for
Claude Code under .claude/rules so agents route secret requests to the
correct subsystem before asking ops-warden or State Hub.
2026-06-19 20:51:13 +02:00

7.1 KiB
Raw Blame History

railiance-forge - Agent Instructions

Repo Identity

Purpose: Railiance forge and artifact infrastructure - source forge runtime, container/package registries, forge-backed runner substrate, artifact lifecycle, and future Forgejo migration.

Domain: railiance Repo slug: railiance-forge Topic ID: ca369340-a64e-442e-98f1-a4fa7dc74a38 Workplan prefix: FORGE-WP-

State Hub Integration

The Custodian State Hub tracks work across all domains. Interact via HTTP REST - there is no MCP server for Codex agents.

Context URL
Local workstation http://127.0.0.1:8000
Remote via tunnel http://127.0.0.1:18000

Orient at session start

cat .custodian-brief.md

curl -s "http://127.0.0.1:8000/workstreams/?topic_id=ca369340-a64e-442e-98f1-a4fa7dc74a38&status=active" \
  | python3 -m json.tool

curl -s "http://127.0.0.1:8000/messages/?to_agent=railiance-forge&unread_only=true" \
  | python3 -m json.tool

Mark a message read:

curl -s -X PATCH "http://127.0.0.1:8000/messages/<id>/read" \
  -H "Content-Type: application/json" -d '{}'

Log progress at session close

curl -s -X POST http://127.0.0.1:8000/progress/ \
  -H "Content-Type: application/json" \
  -d '{
    "summary": "what was done",
    "event_type": "note",
    "author": "codex",
    "workstream_id": "<uuid>",
    "task_id": "<uuid>"
  }'

Omit workstream_id / task_id when not applicable.

Update task status

curl -s -X PATCH "http://127.0.0.1:8000/tasks/<task_id>" \
  -H "Content-Type: application/json" \
  -d '{"status": "progress"}'

Canonical task values: wait | todo | progress | done | cancel.

Flag a task for human review

curl -s -X PATCH "http://127.0.0.1:8000/tasks/<task_id>" \
  -H "Content-Type: application/json" \
  -d '{"needs_human": true, "intervention_note": "reason"}'

Session Protocol

Start:

  1. cat .custodian-brief.md - domain goal and open workstreams.
  2. Check inbox: GET /messages/?to_agent=railiance-forge&unread_only=true; mark read.
  3. Scan workplans: ls workplans/ and note ready, active, or blocked workplans and open tasks.
  4. Check blocked tasks: GET /tasks/?needs_human=true.

During work:

  • Update task statuses in workplan files as tasks progress.
  • Record significant decisions via POST /decisions/.
  • Keep forge responsibilities separate from S4 templates and S5 app releases.

Verification Commands

This repo currently contains documentation, workplans, and read-only operator entry points. There is no app build, package install, or unit-test command yet.

Use these checks for ordinary edits:

git diff --check
make registry-docs
make check-tools
make -C /home/worsch/state-hub fix-consistency REPO=railiance-forge

make gitea-status is read-only but requires a kubeconfig pointed at a representative Railiance cluster.

Close:

  1. Update workplan file task statuses.

  2. Log progress with POST /progress/.

  3. After workplan file changes, run from ~/state-hub:

    make fix-consistency REPO=railiance-forge

Credential and access routing

Audience: Codex, Claude Code, Grok, and custodian agents that call llm-connect for inference. Run this check before requesting secrets, API keys, SSH access, login tokens, or database passwords — in any repo, not only ops-warden.

ops-warden issues SSH certificates only (warden sign, cert_command). Every other credential need belongs to another subsystem. Do not message ops-warden on State Hub expecting a secret value; the reply is a pointer, not a key.

Lookup (do this first)

warden route find "<describe your need>" --json
warden route show <catalog-id> --json

Requires the warden CLI from ~/ops-warden (uv tool install . or uv run warden).

Agent runtime How to orient
Codex / Grok (shell, HTTP State Hub) warden route commands above; inbox to_agent=railiance-forge is for coordination, not secret vending
Claude Code (MCP when available) get_domain_summary("custodian") for workstreams; still use warden route for credential ownership
llm-connect (inference service) Never put secret retrieval in prompts; route custody to OpenBao/operator paths surfaced by warden route

Quick routing table

I need… Owner ops-warden executes?
SSH cert (adm/agt/atm) ops-warden Yeswarden sign
API key, DB password, provider token OpenBao (railiance-platform) No — route only
Login / OIDC / MFA key-cape / Keycloak No — route only
Authorization decision flex-auth No — route only
activity-core → issue-core emission activity-core + issue-core No — warden route show activity-core-issue-sink
SSH tunnel ops-bridge (+ cert_command from warden) No — route only

Anti-patterns (do not do these)

  • POST /messages/ to ops-warden asking for ISSUE_CORE_API_KEY, OPENROUTER_API_KEY, etc.
  • Inventing warden secret, warden login, warden bao, warden tunnel — they do not exist
  • Pasting secrets into Git, State Hub, workplans, logs, or chat

Other capabilities (reuse-surface)

Non-credential capabilities are usually discovered through reuse-surface federation (reuse-surface registry / capability.* indexes). Credential routing is inlined in every repo's agent instructions because it is high-frequency, high-risk, and easy to get wrong.

Canon: ~/ops-warden/wiki/CredentialRouting.md · catalog ~/ops-warden/registry/routing/catalog.yaml

Workplan Convention

Work items originate as files in this repo. State Hub indexes those files as workstreams and task blocks.

File location: workplans/FORGE-WP-NNNN-<slug>.md

Archived location: workplans/archived/YYMMDD-FORGE-WP-NNNN-<slug>.md

Frontmatter:

---
id: FORGE-WP-NNNN
type: workplan
title: "..."
domain: railiance
repo: railiance-forge
status: proposed | ready | active | blocked | backlog | finished | archived
owner: codex
topic_slug: railiance
created: "YYYY-MM-DD"
updated: "YYYY-MM-DD"
state_hub_workstream_id: "<uuid>"   # written by fix-consistency - do not edit
---

Task block format:

## Task Title

```task
id: FORGE-WP-NNNN-T01
status: todo | progress | done | wait | cancel
priority: high | medium | low
state_hub_task_id: "<uuid>"         # written by fix-consistency - do not edit
```

Task description text.

Status progression: todo -> progress -> done, or wait / cancel.

To create a new workplan:

  1. Write the file following the format above.

  2. Run from ~/state-hub:

    make fix-consistency REPO=railiance-forge

Repository Boundaries

This repo owns forge runtime and artifact infrastructure. It does not own:

  • OS/host provisioning (railiance-infra);
  • Kubernetes runtime primitives (railiance-cluster);
  • shared database/storage/secret platforms (railiance-platform);
  • generic CI/CD templates and developer portal paths (railiance-enablement);
  • user-facing application releases (railiance-apps);
  • source application code.
Reference in New Issue View Git Blame Copy Permalink