# Ops Hub Inter-Hub Evidence Lane Status Date: 2026-06-27 Workplan: `CUST-WP-0051-T03` Related tasks: `CUST-WP-0047-T05`, `CUST-WP-0049-T06`, `IHUB-WP-0022-T03/T04/T07` ## Summary The evidence lane is partially live but not ready to close. Production Inter-Hub already exposes the public ops-hub bootstrap surface and has an `ops-hub` row plus the ops-hub seed vocabulary. The remaining blockers are: 1. authenticated bootstrap/runtime-key execution is still operator-gated; 2. protected widget and hub-registry reads cannot be verified without the ops-hub runtime key; 3. the older `IHUB-WP-0022` activity-core mapping contract does not match the currently live ops-hub seed vocabulary. No secret values were requested, read, printed, or stored during this probe. ## Public Probe Evidence Base URL: `https://hub.coulomb.social` | Probe | Result | | --- | --- | | `GET /api/v2/hubs` | HTTP `200`; contains `ops-hub` | | `GET /api/v2/openapi.json` | HTTP `200`; includes `/hubs`, `/hub-capability-manifests`, `/api-consumers`, `/policy-scopes` | | `GET /api/v2/widgets` | HTTP `401`, protected as expected | | `GET /api/v2/hub-registry` | HTTP `401`, protected as expected | | `GET /api/v2/widget-types` | HTTP `200`; 14 ops widget types visible | | `GET /api/v2/event-types` | HTTP `200`; 15 ops event types visible | | `GET /api/v2/annotation-categories` | HTTP `200`; 10 ops annotation categories visible | | `GET /api/v2/policy-scopes` | HTTP `200`; 7 ops policy scopes visible | | `GET /api/v2/hub-capability-manifests?hubId=` | HTTP `401`, protected as expected | Observed public ops-hub id: `4f6e4cf7-6a96-4ff2-8a37-08c9f9e405d2`. The existing `ops-hub/scripts/interhub-gate-probe.py` exits nonzero because it still expects unauthenticated `/api/v2/hubs` to return `401`. The live contract returns `200` for public hub discovery and `401` for protected surfaces such as `/api/v2/widgets` and `/api/v2/hub-registry`. ## Live Ops Vocabulary The live public registry matches `ops-hub/seeds/ops-hub-manifest.draft.json`: - widget types: `ops-environment`, `ops-host`, `ops-cluster`, `ops-service`, `ops-service-catalog`, `ops-endpoint`, `ops-release`, `ops-backup-set`, `ops-secret-set`, `ops-runbook`, `ops-incident`, `ops-readiness-gate`, `ops-migration-wave`, `ops-risk`; - event types: `ops-inventory-registered`, `ops-inventory-updated`, `ops-service-discovered`, `ops-health-checked`, `ops-release-observed`, `ops-endpoint-verified`, `ops-backup-verified`, `ops-restore-tested`, `ops-runbook-executed`, `ops-drift-detected`, `ops-risk-raised`, `ops-risk-accepted`, `ops-readiness-gate-updated`, `ops-migration-gate-passed`, `ops-migration-gate-failed`; - policy scopes: `ops-local`, `ops-transitional-prod`, `ops-production`, `ops-threephoenix`, `ops-registry`, `ops-secrets`, `ops-backup-retention`. ## Contract Mismatch `inter-hub/docs/contracts/ops-hub-activity-core-mapping.md` and `ops-hub-activity-core-event-payloads.md` still describe the early activity-core proposal: | Contract name | Live seed status | Recommended action | | --- | --- | --- | | `ops-service-observed` | Not in live event registry | Rename to `ops-service-discovered`, or add an explicit alias event in the ops-hub manifest. | | `ops-endpoint-verified` | Live | Keep. | | `ops-access-path-checked` | Not in live event registry; no `ops-access-path` widget type in seed | Either add access-path vocabulary/widgets, or defer access-path submissions and keep State Hub fallback. | | `ops-backup-verified` | Live | Keep, but map to `ops-backup-set` widget type. | | `ops-inventory-drift` | Not in live event registry | Rename to `ops-drift-detected`, or add an explicit alias event. | | `ops-evidence` policy scope | Not in live policy scopes | Use an existing ops scope or add `ops-evidence` to the manifest and activate it. | | aggregate refs such as `ops:service:aggregate` | Not in `ops-hub/seeds/ops-hub-widgets.seed.json` | Seed aggregate intake widgets or change mapping to the existing entity/readiness widgets. | | widget types such as `ops-service-card` | Not in live widget types | Use live widget types like `ops-service`, `ops-endpoint`, `ops-backup-set`, and `ops-readiness-gate`. | ## 2026-06-27 Contract Alignment The Inter-Hub contract docs were revised in `/home/worsch/inter-hub` to target the live ops-hub seed vocabulary: - `ops-service-observed` is now a transition alias for `ops-service-discovered`. - `ops-inventory-drift` is now a transition alias for `ops-drift-detected`. - `ops-access-path-checked` is explicitly deferred to State Hub fallback until ops-hub adds access-path vocabulary or a readiness/risk mapping decision. - The old `ops-evidence` policy scope is replaced by declared live scopes such as `ops-production`, `ops-registry`, and `ops-backup-retention`. - Payload examples now post only live manifest event types. This removes the known contract-drift blocker before the attended bootstrap. The remaining gate is authenticated widget lookup, any missing backup/risk seed widget, runtime key custody, and protected event submission smoke. ## Current Closure State `CUST-WP-0049-T06` remains `wait`: the helper and runbook are ready, but an approved authenticated execution lane is still required. `CUST-WP-0047-T05` remains `wait`: the ops-hub row and vocabulary are visible, but seeded widgets and event acceptance cannot be proven without the protected runtime path. `IHUB-WP-0022-T03/T04/T07` remain gated: before an end-to-end smoke, reconcile the activity-core mapping contract to the live ops-hub seed vocabulary or add the missing aliases/aggregate widgets to the manifest. ## Next Pick 1. Use the aligned live-vocabulary contract for the attended `CUST-WP-0049-T06` bootstrap. 2. Confirm protected widget ids and seed any missing backup/risk target widgets required by the mapping. 3. Store or confirm `OPS_HUB_KEY` through OpenBao, then run the protected widget/hub-registry/event smoke.