coulomb/railiance-platform
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
87 Commits 1 Branch 0 Tags
eb24e04b71a30449ffc3c21de5728a96760d719a
Commit Graph

87 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
tegwick
eb24e04b71 Correct whynot credential tenant path 2026-06-28 01:00:12 +02:00
tegwick
ad47a136f7 chore(consistency): sync task status from DB [auto] 
Updated by fix-consistency on 2026-06-28:
  - update .custodian-brief.md for railiance-platform
 2026-06-28 00:45:16 +02:00
tegwick
82d15cfea2 chore(consistency): renormalize lifecycle state [auto] 
Updated by fix-consistency on 2026-06-28:
  - workplan status: proposed → active
 2026-06-28 00:45:12 +02:00
tegwick
0e3ea30c75 Propose OpenBao automation delegation 2026-06-28 00:44:23 +02:00
tegwick
f92d07d5a1 Record whynot CCR apply blocker 2026-06-28 00:24:23 +02:00
tegwick
248bc58b6a Add credential CCR operator handoff 2026-06-28 00:21:02 +02:00
tegwick
a27a114491 Approve whynot credential CCR 2026-06-28 00:13:37 +02:00
tegwick
3706ff703e Link CCR approval to State Hub decision 2026-06-28 00:00:02 +02:00
tegwick
52687d8b3e Confirm whynot credential binding 2026-06-27 23:45:31 +02:00
tegwick
aee0dcefad Add credential lane readiness proposals 2026-06-27 23:30:29 +02:00
tegwick
815b124ab1 Implement credential change request review flow 2026-06-27 22:57:21 +02:00
tegwick
8c1e64d5e0 chore(consistency): sync task status from DB [auto] 
Updated by fix-consistency on 2026-06-27:
  - update .custodian-brief.md for railiance-platform
 2026-06-27 22:55:36 +02:00
tegwick
85a4278a55 Add credential approval workflow plan 2026-06-27 22:48:24 +02:00
tegwick
9d42c73833 chore(consistency): sync task status from DB [auto] 
Updated by fix-consistency on 2026-06-27:
  - update .custodian-brief.md for railiance-platform
 2026-06-27 22:25:27 +02:00
tegwick
704ee99218 chore(consistency): sync task status from DB [auto] 
Updated by fix-consistency on 2026-06-27:
  - update .custodian-brief.md for railiance-platform
 2026-06-27 21:56:15 +02:00
tegwick
76c9661db3 chore(consistency): sync task status from DB [auto] 
Updated by fix-consistency on 2026-06-27:
  - update .custodian-brief.md for railiance-platform
 2026-06-27 21:35:09 +02:00
tegwick
673ec46e25 feat: complete credential broker source flow 2026-06-27 00:29:53 +02:00
tegwick
2268a9375e chore(consistency): sync task status from DB [auto] 
Updated by fix-consistency on 2026-06-27:
  - update .custodian-brief.md for railiance-platform
 2026-06-27 00:28:42 +02:00
tegwick
752cfd6f00 feat: add credential broker token helper 2026-06-27 00:06:03 +02:00
tegwick
6e663dfd20 chore(consistency): sync task status from DB [auto] 
Updated by fix-consistency on 2026-06-26:
  - update .custodian-brief.md for railiance-platform
 2026-06-26 17:52:42 +02:00
tegwick
c7393d94ab feat: add credential grant catalog foundation 2026-06-26 17:49:40 +02:00
tegwick
693dc71833 Add ESO OpenBao GitOps add-ons 2026-06-25 20:08:36 +02:00
tegwick
0f0b14001e chore: finalize ArgoCD workplan and add credential broker plan 2026-06-25 17:49:35 +02:00
tegwick
c022cb2f83 chore(consistency): sync task status from DB [auto] 
Updated by fix-consistency on 2026-06-24:
  - update .custodian-brief.md for railiance-platform
 2026-06-24 18:55:31 +02:00
tegwick
86eb6ea269 chore(consistency): sync task status from DB [auto] 
Updated by fix-consistency on 2026-06-24:
  - update .custodian-brief.md for railiance-platform
 2026-06-24 18:46:33 +02:00
tegwick
d59704deef chore(consistency): sync task status from DB [auto] 
Updated by fix-consistency on 2026-06-24:
  - update .custodian-brief.md for railiance-platform
 2026-06-24 18:40:26 +02:00
tegwick
f39180583a chore(consistency): sync task status from DB [auto] 
Updated by fix-consistency on 2026-06-24:
  - update .custodian-brief.md for railiance-platform
 2026-06-24 18:39:35 +02:00
tegwick
0b384f8485 chore(consistency): sync task status from DB [auto] 
Updated by fix-consistency on 2026-06-24:
  - update .custodian-brief.md for railiance-platform
 2026-06-24 15:04:32 +02:00
tegwick
8e6892f4bf Normalize agent instructions and workplan frontmatter (STATE-WP-0067) 
- Align agent files with on-disk workplan prefixes (infer from workplan ids)
- Set workplan domain to registered domain_slug; add topic_slug where applicable
- Repair frontmatter delimiter formatting; migrate legacy task status literals
- Regenerate AGENTS.md, CLAUDE.md, and .claude/rules from State Hub templates
 2026-06-22 23:16:28 +02:00
tegwick
6712eed995 Human-review .repo-classification.yaml (CUST-WP-0050 follow-up) 2026-06-22 17:56:17 +02:00
tegwick
a1dbb26842 Add .repo-classification.yaml (CUST-WP-0050 T11 agent first-pass) 2026-06-22 17:47:42 +02:00
tegwick
50799938db fix(openbao-ui): handle OIDC callback without Ember popup flow 
OpenBao's Ember UI expects OIDC to complete in a popup and postMessage to
window.opener. The standalone KeyCape login uses a full-page redirect, so the
callback now exchanges the authorization code directly, persists the UI token
in localStorage, and redirects into the vault UI. Unauthenticated /ui/ loads
also redirect to the standalone login page to avoid ?with= bounce loops.
 2026-06-19 21:18:34 +02:00
tegwick
520c7ea2c0 fix(openbao-ui): serve standalone KeyCape login at /ui/vault/auth 
Ember's auth route bounces between ?with=netkingdom/ and ?with=token when
OIDC mounts are hidden from the unauthenticated listing. Bypass Ember on the
bare auth path with a static login page that calls auth_url directly; OIDC
callbacks still proxy to the OpenBao UI.
 2026-06-19 21:13:08 +02:00
tegwick
ae4d967481 Mark ArgoCD bootstrap T05 done after live cluster apply 
Record bootstrap evidence on 92.205.130.254 and note issue-core sync is
blocked until the ExternalSecret CRD is installed.
 2026-06-19 21:09:36 +02:00
tegwick
80648a78b7 Stop OpenBao login redirect loop by removing URL rewriting 
Remove redirect-bootstrap and mount polling that fought Ember's token
fallback. Keep cosmetic overlay and direct KeyCape OIDC on sign-in only.
 2026-06-19 21:07:37 +02:00
tegwick
64d7c18c3f Add ArgoCD GitOps bootstrap contract for railiance01 
Define platform-owned AppProjects, root app-of-apps, repository registration
templates, and tenant onboarding docs so issue-core can deploy via ArgoCD.
Ignore encrypted repository secrets locally and cross-link OpenBao delivery
guidance with the new GitOps contract.
 2026-06-19 21:05:12 +02:00
tegwick
cb45f29fb2 Fix OpenBao login falling back to token auth 
Add synchronous redirect-bootstrap, direct KeyCape OIDC on sign-in, and mount
watching so the UI no longer lands on ?with=token when netkingdom is hidden
from unauthenticated mount listing. Document listing_visibility tune helper.
 2026-06-19 21:04:31 +02:00
tegwick
a6a87ae282 Fix OpenBao login overlay runaway DOM loop and slow loads 
Replace the MutationObserver feedback loop with bounded, idempotent apply
retries so Firefox no longer hangs on the auth page. Route static UI assets
and API calls around HTML sub_filter injection to keep bundles compressed.
 2026-06-19 20:58:44 +02:00
tegwick
6ddf4e56b4 Add KeyCape login overlay gateway for OpenBao browser UI 
Streamline bao.coulomb.social login as "Sign in with KeyCape" via a versioned
nginx gateway that injects overlay assets and proxies to OpenBao. Disable chart
ingress in favor of the overlay ingress, wire make openbao-deploy, and add
openbao-verify-login-overlay with upstream drift detection.
 2026-06-19 20:28:16 +02:00
tegwick
665d43386f Add credential routing instructions for all agent runtimes 
Propagate shared credential-routing section (Codex, Claude, Grok, llm-connect)
from state-hub template via scripts/propagate_credential_routing.py.
 2026-06-18 22:48:39 +02:00
tegwick
423eccc8e9 feat(openbao): enable bao.coulomb.social ingress and Traefik middlewares 
Expose OpenBao UI via TLS ingress with rate-limit and HSTS middlewares.
Track netkingdom OIDC mount in authenticated verify checks.
 2026-06-18 01:23:02 +02:00
tegwick
7838df6069 fix(openbao): complete SSH apply script for OpenBao 2.5.x issuers 
Generate default CA via ssh/config/ca, split composite KUBECTL for role writes,
read pubkey from config/ca, allow warden key_id in roles, prefer production kubeconfig.
 2026-06-18 01:18:56 +02:00
tegwick
c24956fb5a feat(openbao): add SSH engine automation for ops-warden signing 
Declarative roles, warden-sign policy, apply/verify scripts, and Makefile
targets openbao-configure-ssh and openbao-verify-ssh. Document operator flow
in docs/openbao.md for NET-WP-0020 T5 / WP-0008 T2.
 2026-06-18 01:06:43 +02:00
tegwick
108944cd3e Add capability registry scaffold (REUSE-WP-0014-T07 B05) 2026-06-16 01:58:45 +02:00
tegwick
c16fa1f81c fix(db): allow inter-hub to reach net-kingdom-pg 2026-06-14 21:43:26 +02:00
tegwick
18c1b86498 Reject placeholder OpenBao drill evidence 2026-06-02 02:02:09 +02:00
tegwick
606a5f3e1e Add OpenBao emergency drill evidence validator 2026-06-02 00:08:17 +02:00
tegwick
123b9aafce Add OpenBao restore evidence validator 2026-06-01 23:57:00 +02:00
tegwick
c0d4ec9037 Document audit-core mock sink handoff 2026-06-01 23:44:06 +02:00
tegwick
c0c6ead5dd Record OpenBao authenticated verifier proof 2026-06-01 22:52:42 +02:00