feat(ops): align inventory probe activity source

This commit is contained in:
2026-06-16 23:41:37 +02:00
parent 6a9886d652
commit 5a36ea5423
3 changed files with 83 additions and 31 deletions

View File

@@ -52,6 +52,15 @@ Current active runner:
- Prompt source: - Prompt source:
`/home/worsch/the-custodian/runtime/prompts/daily_statehub_wsgi_triage.md` `/home/worsch/the-custodian/runtime/prompts/daily_statehub_wsgi_triage.md`
Railiance projection note:
- This Custodian file remains the canonical prompt, schedule, and governance
contract.
- The Railiance activity-core projection may rewrite runtime-only paths, such
as `output_schema` to `/etc/activity-core/schemas/daily-triage-report.json`,
and mounts working-memory storage for the worker. Those container-local paths
are deployment wiring, not the source contract.
Deprecated fallback runner: Deprecated fallback runner:
- Codex app automation: `daily-state-hub-wsjf-triage` - Codex app automation: `daily-state-hub-wsjf-triage`

View File

@@ -14,38 +14,50 @@ trigger:
timezone: Europe/Berlin timezone: Europe/Berlin
misfire_policy: skip misfire_policy: skip
context_sources: context_sources:
- type: static - type: ops-inventory
bind_to: context.inventory_path query: probe_services
config: required: false
value: /home/worsch/the-custodian/ops/service-inventory.yml params:
- type: static inventory_path: /etc/activity-core/ops/service-inventory.yml
bind_to: context.catalog_path timeout_seconds: 10
config: include_kinds:
value: /home/worsch/the-custodian/docs/ops-hub-service-catalog.md - http
- https
allow_network: true
evidence_sinks:
- type: state-hub-progress
event_type: ops_inventory_probe
author: activity-core
bind_to: context.ops_inventory_probe
--- ---
# ActivityDefinition: Ops Service Inventory Probes # ActivityDefinition: Ops Service Inventory Probes
## Purpose ## Purpose
This disabled draft is the activity-core handoff point for This disabled source definition is the activity-core handoff point for
`CUST-WP-0047 - Ops Hub Service Inventory Now View`. `CUST-WP-0047 - Ops Hub Service Inventory Now View`.
The future enabled routine should read the non-secret inventory, run repeatable When enabled by the activity-core runtime, it reads the non-secret service
probes for declared endpoints and access paths, render the catalog view, and inventory through the `ops-inventory` context resolver, runs bounded HTTP/HTTPS
submit non-secret ops evidence events against stable inventory ids. endpoint probes, and submits compact non-secret evidence to State Hub progress.
## Runner Status ## Runner Status
This definition is intentionally `enabled: false`. This source definition remains intentionally `enabled: false`.
Do not enable it until both of these are true: Do not enable it until live Railiance verification confirms both of these are
true:
- activity-core has an inventory probe runner or State Hub resolver that can - activity-core has projected this definition with the container-local
execute the checks without embedding secrets in ActivityRun context inventory snapshot at `/etc/activity-core/ops/service-inventory.yml`
- the ops-hub Inter-Hub widget/event sink can accept `ops-service-observed`, - the State Hub `ops_inventory_probe` evidence sink is reachable from the
`ops-endpoint-verified`, `ops-access-path-checked`, `ops-backup-verified`, worker without embedding secrets in ActivityRun context
and `ops-inventory-drift` events
The Inter-Hub ops-hub widget/event sink remains the promotion target for
`ops-service-observed`, `ops-endpoint-verified`, `ops-access-path-checked`,
`ops-backup-verified`, and `ops-inventory-drift` events. It is not required for
the current State Hub progress evidence path.
## Trigger ## Trigger
@@ -53,26 +65,41 @@ Hourly at minute 15 in `Europe/Berlin`, with `misfire_policy: skip`.
This offset avoids colliding with the hourly RecentlyOnScope run at minute 0. This offset avoids colliding with the hourly RecentlyOnScope run at minute 0.
## Context Source
The source contract matches the activity-core `ops-inventory` resolver:
- `query: probe_services`
- `bind_to: context.ops_inventory_probe`
- `params.inventory_path: /etc/activity-core/ops/service-inventory.yml`
- `params.include_kinds: [http, https]`
- `params.evidence_sinks`: State Hub progress event
`ops_inventory_probe` by `activity-core`
The `/etc/activity-core/...` path is intentional. Custodian owns the source
definition and inventory file; the Railiance activity-core projection supplies
the container-local ConfigMap path at runtime.
## Probe Candidates ## Probe Candidates
Initial deterministic probes: Initial deterministic HTTP/HTTPS probes:
- State Hub local health endpoint:
`http://127.0.0.1:8000/state/health`
- Inter-Hub OpenAPI endpoint: - Inter-Hub OpenAPI endpoint:
`https://hub.coulomb.social/api/v2/openapi.json` `https://hub.coulomb.social/api/v2/openapi.json`
- Gitea OCI registry auth challenge: - Gitea OCI registry auth challenge:
`https://gitea.coulomb.social/v2/` `https://gitea.coulomb.social/v2/`
- activity-core API health and Temporal schedule availability
- ops-bridge tunnel reachability The Railiance projection rewrites the State Hub inventory endpoint to the
- Haskell build-agent State Hub registration and tunnel state in-cluster bridge URL before probing. Non-HTTP access paths, cluster-local
checks, SSH, tunnel, backup, and authenticated checks are skipped by this first
safe slice rather than treated as failures.
## Output Contract ## Output Contract
Each successful run should produce: Each successful run should produce:
- an updated `docs/ops-hub-service-catalog.md` - a compact `context.ops_inventory_probe` summary
- one evidence event per checked service/endpoint/access path - one State Hub progress event with `event_type: ops_inventory_probe`
- one ActivityRun with compact non-secret summary metadata - one ActivityRun with compact non-secret summary metadata
- no credentials, tokens, cookies, private key material, or sensitive command - no credentials, tokens, cookies, private key material, or sensitive command
output in context snapshots, event metadata, reports, or logs output in context snapshots, event metadata, reports, or logs

View File

@@ -10,7 +10,7 @@ topic_slug: custodian
planning_priority: high planning_priority: high
planning_order: 47 planning_order: 47
created: "2026-06-05" created: "2026-06-05"
updated: "2026-06-05" updated: "2026-06-16"
state_hub_workstream_id: "656e435d-3a00-4f5e-a38e-114467f9062e" state_hub_workstream_id: "656e435d-3a00-4f5e-a38e-114467f9062e"
--- ---
@@ -190,7 +190,7 @@ activated.
```task ```task
id: CUST-WP-0047-T07 id: CUST-WP-0047-T07
status: progress status: done
priority: medium priority: medium
state_hub_task_id: "5a972670-934f-458c-8274-acabc290992f" state_hub_task_id: "5a972670-934f-458c-8274-acabc290992f"
``` ```
@@ -216,8 +216,24 @@ Progress 2026-06-05:
- The definition names the inventory/catalog paths, hourly trigger, first probe - The definition names the inventory/catalog paths, hourly trigger, first probe
candidates, and evidence event mapping. candidates, and evidence event mapping.
Remaining work: implement the activity-core probe runner/resolver and enable the At this point the Custodian source definition still needed to be aligned with
definition only after the ops-hub Inter-Hub widget/event sink is active. the activity-core probe runner/resolver before the disabled handoff could be
projected cleanly into Railiance.
Completed 2026-06-16:
- Updated `activity-definitions/ops-service-inventory-probes.md` from static
path handoff to the implemented activity-core `ops-inventory` resolver:
`query: probe_services`, `bind_to: context.ops_inventory_probe`, projected
inventory path `/etc/activity-core/ops/service-inventory.yml`, and first safe
`http`/`https` endpoint probes.
- Added the explicit State Hub progress evidence sink:
`type: state-hub-progress`, `event_type: ops_inventory_probe`,
`author: activity-core`.
- Kept the source definition disabled for live Railiance verification. The
source-owned probe contract is now ready; the remaining open work in this
workplan is the human/operator-gated Inter-Hub ops-hub widget activation in
T05.
## Acceptance Criteria ## Acceptance Criteria