coulomb/railiance-forge
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
40a638ea374b744633a4cd276db0ca0a5ff7789e
railiance-forge/AGENTS.md
tegwick 2b95c1dd59 Add credential routing guidance for agent runtimes 
Inline ops-warden credential routing in AGENTS.md and mirror it for
Claude Code under .claude/rules so agents route secret requests to the
correct subsystem before asking ops-warden or State Hub.
2026-06-19 20:51:13 +02:00

244 lines
7.1 KiB
Markdown
Raw Blame History

# railiance-forge - Agent Instructions
## Repo Identity
**Purpose:** Railiance forge and artifact infrastructure - source forge runtime,
container/package registries, forge-backed runner substrate, artifact lifecycle,
and future Forgejo migration.
**Domain:** railiance
**Repo slug:** railiance-forge
**Topic ID:** `ca369340-a64e-442e-98f1-a4fa7dc74a38`
**Workplan prefix:** `FORGE-WP-`
---
## State Hub Integration
The Custodian State Hub tracks work across all domains. Interact via HTTP REST -
there is no MCP server for Codex agents.
| Context | URL |
|---------|-----|
| Local workstation | `http://127.0.0.1:8000` |
| Remote via tunnel | `http://127.0.0.1:18000` |
### Orient at session start
```bash
cat .custodian-brief.md
curl -s "http://127.0.0.1:8000/workstreams/?topic_id=ca369340-a64e-442e-98f1-a4fa7dc74a38&status=active" \
| python3 -m json.tool
curl -s "http://127.0.0.1:8000/messages/?to_agent=railiance-forge&unread_only=true" \
| python3 -m json.tool
```
Mark a message read:
```bash
curl -s -X PATCH "http://127.0.0.1:8000/messages/<id>/read" \
-H "Content-Type: application/json" -d '{}'
```
### Log progress at session close
```bash
curl -s -X POST http://127.0.0.1:8000/progress/ \
-H "Content-Type: application/json" \
-d '{
"summary": "what was done",
"event_type": "note",
"author": "codex",
"workstream_id": "<uuid>",
"task_id": "<uuid>"
}'
```
Omit `workstream_id` / `task_id` when not applicable.
### Update task status
```bash
curl -s -X PATCH "http://127.0.0.1:8000/tasks/<task_id>" \
-H "Content-Type: application/json" \
-d '{"status": "progress"}'
```
Canonical task values: `wait | todo | progress | done | cancel`.
### Flag a task for human review
```bash
curl -s -X PATCH "http://127.0.0.1:8000/tasks/<task_id>" \
-H "Content-Type: application/json" \
-d '{"needs_human": true, "intervention_note": "reason"}'
```
---
## Session Protocol
**Start:**
1. `cat .custodian-brief.md` - domain goal and open workstreams.
2. Check inbox:
`GET /messages/?to_agent=railiance-forge&unread_only=true`; mark read.
3. Scan workplans: `ls workplans/` and note `ready`, `active`, or `blocked`
workplans and open tasks.
4. Check blocked tasks: `GET /tasks/?needs_human=true`.
**During work:**
- Update task statuses in workplan files as tasks progress.
- Record significant decisions via `POST /decisions/`.
- Keep forge responsibilities separate from S4 templates and S5 app releases.
## Verification Commands
This repo currently contains documentation, workplans, and read-only operator
entry points. There is no app build, package install, or unit-test command yet.
Use these checks for ordinary edits:
```bash
git diff --check
make registry-docs
make check-tools
make -C /home/worsch/state-hub fix-consistency REPO=railiance-forge
```
`make gitea-status` is read-only but requires a kubeconfig pointed at a
representative Railiance cluster.
**Close:**
1. Update workplan file task statuses.
2. Log progress with `POST /progress/`.
3. After workplan file changes, run from `~/state-hub`:
```bash
make fix-consistency REPO=railiance-forge
```
---
## Credential and access routing
**Audience:** Codex, Claude Code, Grok, and custodian agents that call **llm-connect**
for inference. Run this check **before** requesting secrets, API keys, SSH access,
login tokens, or database passwords — in any repo, not only `ops-warden`.
ops-warden **issues SSH certificates only** (`warden sign`, `cert_command`). Every
other credential need belongs to another subsystem. **Do not** message
`ops-warden` on State Hub expecting a secret value; the reply is a pointer, not a key.
### Lookup (do this first)
```bash
warden route find "<describe your need>" --json
warden route show <catalog-id> --json
```
Requires the `warden` CLI from `~/ops-warden` (`uv tool install .` or `uv run warden`).
| Agent runtime | How to orient |
| --- | --- |
| **Codex / Grok** (shell, HTTP State Hub) | `warden route` commands above; inbox `to_agent=railiance-forge` is for coordination, not secret vending |
| **Claude Code** (MCP when available) | `get_domain_summary("custodian")` for workstreams; **still** use `warden route` for credential ownership |
| **llm-connect** (inference service) | Never put secret retrieval in prompts; route custody to OpenBao/operator paths surfaced by `warden route` |
### Quick routing table
| I need… | Owner | ops-warden executes? |
| --- | --- | --- |
| SSH cert (`adm`/`agt`/`atm`) | ops-warden | **Yes** — `warden sign` |
| API key, DB password, provider token | OpenBao (`railiance-platform`) | No — route only |
| Login / OIDC / MFA | key-cape / Keycloak | No — route only |
| Authorization decision | flex-auth | No — route only |
| activity-core → issue-core emission | activity-core + issue-core | No — `warden route show activity-core-issue-sink` |
| SSH tunnel | ops-bridge (+ `cert_command` from warden) | No — route only |
### Anti-patterns (do not do these)
- `POST /messages/` to `ops-warden` asking for `ISSUE_CORE_API_KEY`, `OPENROUTER_API_KEY`, etc.
- Inventing `warden secret`, `warden login`, `warden bao`, `warden tunnel` — they do not exist
- Pasting secrets into Git, State Hub, workplans, logs, or chat
### Other capabilities (reuse-surface)
Non-credential capabilities are usually discovered through **reuse-surface** federation
(`reuse-surface` registry / `capability.*` indexes). Credential routing is inlined in
every repo's agent instructions because it is high-frequency, high-risk, and easy to
get wrong.
**Canon:** `~/ops-warden/wiki/CredentialRouting.md` · catalog `~/ops-warden/registry/routing/catalog.yaml`
---
## Workplan Convention
Work items originate as files in this repo. State Hub indexes those files as
workstreams and task blocks.
**File location:** `workplans/FORGE-WP-NNNN-<slug>.md`
**Archived location:** `workplans/archived/YYMMDD-FORGE-WP-NNNN-<slug>.md`
**Frontmatter:**
```yaml
---
id: FORGE-WP-NNNN
type: workplan
title: "..."
domain: railiance
repo: railiance-forge
status: proposed | ready | active | blocked | backlog | finished | archived
owner: codex
topic_slug: railiance
created: "YYYY-MM-DD"
updated: "YYYY-MM-DD"
state_hub_workstream_id: "<uuid>" # written by fix-consistency - do not edit
---
```
**Task block format:**
````text
## Task Title
```task
id: FORGE-WP-NNNN-T01
status: todo | progress | done | wait | cancel
priority: high | medium | low
state_hub_task_id: "<uuid>" # written by fix-consistency - do not edit
```
Task description text.
````
Status progression: `todo` -> `progress` -> `done`, or `wait` / `cancel`.
To create a new workplan:
1. Write the file following the format above.
2. Run from `~/state-hub`:
```bash
make fix-consistency REPO=railiance-forge
```
---
## Repository Boundaries
This repo owns forge runtime and artifact infrastructure. It does not own:
- OS/host provisioning (`railiance-infra`);
- Kubernetes runtime primitives (`railiance-cluster`);
- shared database/storage/secret platforms (`railiance-platform`);
- generic CI/CD templates and developer portal paths (`railiance-enablement`);
- user-facing application releases (`railiance-apps`);
- source application code.
Reference in New Issue View Git Blame Copy Permalink