- ansible/playbooks/custodian-agent.yaml: minimal playbook with only
the custodian_agent role — avoids loading base/sops_agent/etc when
all we need is key injection
- Makefile: use custodian-agent.yaml in provision targets; remove
--tags workaround (was fragile; standalone playbook is correct)
Manual invocation (from CoulombCore):
cd ~/railiance-infra/ansible
ansible-playbook playbooks/custodian-agent.yaml -u tegwick --limit Railiance01
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Establishes a dedicated SSH keypair for the Custodian automation agent:
- ansible/roles/custodian_agent/: authorized_key task (tagged custodian_agent)
- ansible/inventory/group_vars/all.yaml: custodian_agent_user/pubkey vars
- ansible/playbooks/bootstrap.yaml: custodian_agent role added
- Makefile: provision-custodian-agent / provision-custodian-agent-host targets
Keypair generation: cd ~/the-custodian && make custodian-keygen
Then deploy: cd ~/railiance-infra && make provision-custodian-agent
The private key lives at ~/.ssh/id_custodian_agent — never committed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The reverse SSH tunnel is State Hub infrastructure, not infra-layer
tooling. Use: cd ~/the-custodian/state-hub && make tunnel HOST=user@host
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Update all operational references to reflect the new repo name per
ADR-003 (OAS S1 Infrastructure Substrate). Historical text in ADRs
and state-hub-inbox files preserved as-is. Gitea remote URL updated
locally (Gitea repo rename is a manual step).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add `make tunnel` to Makefile: reads first host from
inventory/servers.yaml and opens a reverse SSH tunnel
forwarding local state-hub (port 8000) to the remote host
- Mark T02 done and close WP-0001 (all tasks complete)
- WP-0002 T01/T02 task IDs backfilled by consistency checker
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Include time in TAP report filename (ISO 8601: date + HHmmssZ)
- Add changed_when: false to report write task — verify play now shows
changed=0 on a clean run (all green recap)
- make verify auto-commits new reports to repo after a passing run;
exits non-zero before committing if assertions fail
- Register EP-RAIL-001: report pruning extension point for future
implementation when reports/ accumulates beyond a threshold
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
