Per ADR-003: cloud-init (S1 node provisioning) and host planning tool
belong at the Infrastructure Substrate layer. Moved from railiance-cluster.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Update all operational references to reflect the new repo name per
ADR-003 (OAS S1 Infrastructure Substrate). Historical text in ADRs
and state-hub-inbox files preserved as-is. Gitea remote URL updated
locally (Gitea repo rename is a manual step).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Plans the rename of railiance-hosts→infra and railiance-bootstrap→cluster,
creation of railiance-platform/enablement/apps, ADR-003 (supersedes ADR-002),
content relocations, state hub re-registration, and resolution of the
pending railiance-apps decision (7cddead6).
7 tasks; state_hub_workstream_id: 3ae0afc5-13f2-4e6c-aea7-1c1fb9f1ab81
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Add `make tunnel` to Makefile: reads first host from
  inventory/servers.yaml and opens a reverse SSH tunnel
  forwarding local state-hub (port 8000) to the remote host
- Mark T02 done and close WP-0001 (all tasks complete)
- WP-0002 T01/T02 task IDs backfilled by consistency checker
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- docs/verification.md: explains spec/server-baseline.yaml, goss/baseline.yaml,
  make verify workflow, assertion mapping table, and how to add new checks
- docs/convergence.md: replace manual spot-check snippet with make verify reference
- workplans/RAIL-HO-WP-0002: mark completed (all tasks done, workstream closed)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Include time in TAP report filename (ISO 8601: date + HHmmssZ)
- Add changed_when: false to report write task — verify play now shows
  changed=0 on a clean run (all green recap)
- make verify auto-commits new reports to repo after a passing run;
  exits non-zero before committing if assertions fail
- Register EP-RAIL-001: report pruning extension point for future
  implementation when reports/ accumulates beyond a threshold
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Fixes found by running make verify against Railiance01:
- Fix playbook_dir paths (ansible/playbooks/ is 2 levels from repo root)
- age/sops are binary installs, not apt packages — use command checks
- Admin user is tegwick, not admin; sudoers at /etc/sudoers.d/tegwick
- sudo granted via sudoers file, not group membership — remove group assert
- Ubuntu 24.04 socket-activates SSH; assert ssh.socket not ssh.service
- SSH hardening lives in sshd_config.d/10-hardening.conf, not main config
- UFW SSH rule uses app name "OpenSSH", not port 22/tcp
- Replace /regex/i patterns with plain strings (Goss file.contents)
- Update spec/server-baseline.yaml to match all findings
All 27 assertions now pass.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Missing tool discovered during offline-inbox drain — repo_goal_id on
workstream bf40b47e is null in DB but correctly set in the workplan file.
No MCP path to fix this without a direct API call.
Contribution id: 0450a858-bccc-4cbf-8052-38c1654aa005
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

State Hub was unreachable during the offline session that bootstrapped
Railiance01. Inbox event drained and T03/T04/T05 task statuses synced
to the hub (C-10 drift fixed via check_repo_consistency --fix).
Progress event id: de18d727-eea5-4dfa-913c-8fe62245cda4
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- state-hub-inbox/: convention for queuing progress events during
  degraded-mode sessions (no tunnel to State Hub)
- First pending event: Railiance01 bootstrap milestone (T03-T05)
- contrib/feature-requests/: FR for automated inbox ingest in state-hub
- README documents the drain procedure until automation is in place
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Extend base role with fail2ban, UFW k3s/Flannel rules, HISTCONTROL
- Add handlers dir for fail2ban restart
- Fix inventory script to emit correct dynamic inventory JSON format
- Add roles_path to ansible.cfg so playbook finds roles
- Add Railiance01 (92.205.62.239) to inventory/servers.yaml
- Mark workplan T03/T04/T05 as done
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>