pdurlej/platform

Fork 0

docs(network): resolve tailscale acl seed todos #121

Merged

pdurlej merged 1 commit from codex/issues/65-tailscale-acl-todos into main

2026-05-09 23:37:07 +02:00

codex commented

2026-05-09 00:48:21 +02:00

Collaborator

Canary status: missing — exposure-adjacent network seed PR; fire canary 3+3 before merge unless operator+claude explicitly apply operator_override.

Closes #65

Canary Context Pack

Product story

The Tailscale ACL seed should be paste-ready enough for owner review without hiding unresolved operator decisions. This makes the seed clearer while preserving the rule that the operator manually validates and applies it.

What changed

Replaced all five TODO markers with either concrete evidence or explicit owner-deferred notes.
Recorded that module-manifest grep found no metrics_port or prometheus_port fields across 80 module manifests.
Documented that SSH username assertions belong in Tailscale sshTests, not the existing network-layer tests stanza, and left enabling those tests deferred.
Removed trailing commas so the file passes a comment-strip + JSON parse fallback.

Why it changed

Issue #65 asked to close the ACL seed's unresolved TODOs without auto-applying ACLs or changing exposure behavior.

Files touched

network/tailscale-acl.hujson

Relevant context

PLATFORM_CHARTER.md classifies network allowlists/exposure-adjacent work as security-sensitive.
state/reports/STATE_OF_PLATFORM_2026-05-03.md frames tailnet/public exposure drift as a key platform risk.
Tailscale policy syntax docs document top-level sshTests for SSH-user assertions.

Runtime evidence

N/A — seed file only. No ACL was applied, no Tailnet state was changed, and no production service was touched.

Known constraints

The operator identity string remains owner-deferred because no repo source proves the exact Tailscale login identifier. Tailnet lock key creation also remains owner/UI work.

Explicit out-of-scope

No ACL application to Tailscale.
No module exposure changes.
No runtime reads or writes.
No sshTests enablement.
No edits outside network/tailscale-acl.hujson.

Requested decision

approve_merge after canary/manual review confirms the seed remains safe and owner-deferred fields are explicit.

Merge blockers

Any change implies public exposure where the seed intended Tailnet scope.
The owner-deferred identity or tailnet-lock notes are considered insufficient.
The HuJSON no longer parses after comments are stripped.

TODO disposition

Status field: resolved to REVIEWED SEED with owner-deferred fields called out inline.
Operator identity string: deferred to owner; kept value piotr@durlej.me, marked unproven before paste.
Metrics ports: resolved with evidence; 80 module manifests grepped, no explicit metrics_port/prometheus_port fields found.
ACL test extensions: researched and documented; supported SSH-user assertions are top-level sshTests, not enabled here.
Tailnet lock keys: deferred to owner; lock keys must be generated in Tailscale before enabling.

Metrics grep result

Command:

rg -n "metrics_port|prometheus_port" modules --glob 'module.yaml'
# exit 1, no matches

Result: no explicit module-level metrics port declarations found. Existing ACL ports remain seed values: 9100, 9323, 18095, 18000.

80 module.yaml files grepped

modules/agaria-api/module.yaml
modules/agaria-nginx/module.yaml
modules/agaria-postgres/module.yaml
modules/agaria-redis/module.yaml
modules/agaria-web/module.yaml
modules/agaria-worker/module.yaml
modules/agent-plane-shadow-control/module.yaml
modules/agent-plane-shadow-honcho-status/module.yaml
modules/agent-plane-shadow-postgres/module.yaml
modules/agent-plane-shadow-projection/module.yaml
modules/audio-mcp-legacy/module.yaml
modules/audio-mcp/module.yaml
modules/coredns/module.yaml
modules/dashboard/module.yaml
modules/deploy-control/module.yaml
modules/element-web/module.yaml
modules/excalidraw-app/module.yaml
modules/excalidraw-room/module.yaml
modules/forgejo/module.yaml
modules/git-mirror/module.yaml
modules/gmail-openclaw-broker/module.yaml
modules/gmail-private-mcp/module.yaml
modules/gmail-triage-mcp/module.yaml
modules/hermes-agency/module.yaml
modules/honcho-api/module.yaml
modules/honcho-deriver/module.yaml
modules/honcho-postgres/module.yaml
modules/honcho-redis/module.yaml
modules/infisical-redis/module.yaml
modules/infisical/module.yaml
modules/integrations-hub/module.yaml
modules/iskra-phase-1-0-bundle/module.yaml
modules/jellyfin/module.yaml
modules/kanboard/module.yaml
modules/karakeep-meilisearch/module.yaml
modules/karakeep/module.yaml
modules/landing-pdurlej/module.yaml
modules/matrix-hub-private/module.yaml
modules/matrix-well-known/module.yaml
modules/minio-init/module.yaml
modules/minio/module.yaml
modules/mirotalk-admin/module.yaml
modules/mirotalk-sfu/module.yaml
modules/n8n-main/module.yaml
modules/n8n-worker/module.yaml
modules/np-meerkat-backend/module.yaml
modules/np-meerkat-frontend/module.yaml
modules/np-memos/module.yaml
modules/np-openhabittracker/module.yaml
modules/np-radicale/module.yaml
modules/np-silverbullet/module.yaml
modules/np-tududi/module.yaml
modules/np/module.yaml
modules/ntfy/module.yaml
modules/obsidian-headless-sync/module.yaml
modules/openclaw-gateway/module.yaml
modules/openclaw-mail-gateway/module.yaml
modules/openclaw-mail-worker/module.yaml
modules/openclaw-searxng-mcp/module.yaml
modules/playwright-mcp/module.yaml
modules/postgres/module.yaml
modules/products-agent-eval-lab/module.yaml
modules/redis/module.yaml
modules/safe-session-api/module.yaml
modules/safe-session-web/module.yaml
modules/searxng/module.yaml
modules/shelfmark/module.yaml
modules/signal-bridge-legacy/module.yaml
modules/signal-bridge-mautrix/module.yaml
modules/signal-cli/module.yaml
modules/storage-ro-mcp/module.yaml
modules/synapse/module.yaml
modules/teamspeak3/module.yaml
modules/traefik/module.yaml
modules/umami/module.yaml
modules/uptime-kuma/module.yaml
modules/vault-bootstrap/module.yaml
modules/vault/module.yaml
modules/voice-transcription/module.yaml
modules/zeroclaw-guarded-self-edit/module.yaml

Spec sources read

prompts/codex-platform-final-dispatch-2026-05-09.md: dispatch order and no-auto-merge constraint.
prompts/codex-night-close-2026-05-09.md: Packet C scope and acceptance criteria.
network/tailscale-acl.hujson: target seed file.
PLATFORM_CHARTER.md: security-sensitive and exposure-adjacent change rules.
state/reports/STATE_OF_PLATFORM_2026-05-03.md: tailnet/public exposure posture context.
state/agent-execution-template.md: issue execution protocol.
docs/forgejo-agent-operations.md: Forgejo identity and PR behavior.
modules/*/module.yaml: grepped only for metrics_port and prometheus_port.
https://tailscale.com/kb/1337/policy-syntax: verified sshTests are the documented SSH-user assertion mechanism.

Verification

$ grep -c TODO network/tailscale-acl.hujson || true
0

$ python3 -c 'import re,json; src=re.sub(r"//[^\n]*","",open("network/tailscale-acl.hujson").read()); src=re.sub(r"/\*.*?\*/","",src,flags=re.DOTALL); json.loads(src)'
# passed

$ git diff --check
# passed

Test plan

Confirm all five former TODOs are either resolved or explicitly owner-deferred.
Confirm no ACL is applied from this PR.
Confirm sshTests remains documented but not enabled.

Canary status: missing — exposure-adjacent network seed PR; fire canary 3+3 before merge unless operator+claude explicitly apply operator_override. Closes #65 ## Canary Context Pack ### Product story The Tailscale ACL seed should be paste-ready enough for owner review without hiding unresolved operator decisions. This makes the seed clearer while preserving the rule that the operator manually validates and applies it. ### What changed - Replaced all five `TODO` markers with either concrete evidence or explicit owner-deferred notes. - Recorded that module-manifest grep found no `metrics_port` or `prometheus_port` fields across 80 module manifests. - Documented that SSH username assertions belong in Tailscale `sshTests`, not the existing network-layer `tests` stanza, and left enabling those tests deferred. - Removed trailing commas so the file passes a comment-strip + JSON parse fallback. ### Why it changed Issue #65 asked to close the ACL seed's unresolved TODOs without auto-applying ACLs or changing exposure behavior. ### Files touched - `network/tailscale-acl.hujson` ### Relevant context - `PLATFORM_CHARTER.md` classifies network allowlists/exposure-adjacent work as security-sensitive. - `state/reports/STATE_OF_PLATFORM_2026-05-03.md` frames tailnet/public exposure drift as a key platform risk. - Tailscale policy syntax docs document top-level `sshTests` for SSH-user assertions. ### Runtime evidence N/A — seed file only. No ACL was applied, no Tailnet state was changed, and no production service was touched. ### Known constraints The operator identity string remains owner-deferred because no repo source proves the exact Tailscale login identifier. Tailnet lock key creation also remains owner/UI work. ### Explicit out-of-scope - No ACL application to Tailscale. - No module exposure changes. - No runtime reads or writes. - No `sshTests` enablement. - No edits outside `network/tailscale-acl.hujson`. ### Requested decision `approve_merge` after canary/manual review confirms the seed remains safe and owner-deferred fields are explicit. ### Merge blockers - Any change implies public exposure where the seed intended Tailnet scope. - The owner-deferred identity or tailnet-lock notes are considered insufficient. - The HuJSON no longer parses after comments are stripped. ## TODO disposition - Status field: resolved to `REVIEWED SEED with owner-deferred fields called out inline`. - Operator identity string: deferred to owner; kept value `piotr@durlej.me`, marked unproven before paste. - Metrics ports: resolved with evidence; 80 module manifests grepped, no explicit `metrics_port`/`prometheus_port` fields found. - ACL test extensions: researched and documented; supported SSH-user assertions are top-level `sshTests`, not enabled here. - Tailnet lock keys: deferred to owner; lock keys must be generated in Tailscale before enabling. ## Metrics grep result Command: ```text rg -n "metrics_port|prometheus_port" modules --glob 'module.yaml' # exit 1, no matches ``` Result: no explicit module-level metrics port declarations found. Existing ACL ports remain seed values: `9100`, `9323`, `18095`, `18000`. <details> <summary>80 module.yaml files grepped</summary> ```text modules/agaria-api/module.yaml modules/agaria-nginx/module.yaml modules/agaria-postgres/module.yaml modules/agaria-redis/module.yaml modules/agaria-web/module.yaml modules/agaria-worker/module.yaml modules/agent-plane-shadow-control/module.yaml modules/agent-plane-shadow-honcho-status/module.yaml modules/agent-plane-shadow-postgres/module.yaml modules/agent-plane-shadow-projection/module.yaml modules/audio-mcp-legacy/module.yaml modules/audio-mcp/module.yaml modules/coredns/module.yaml modules/dashboard/module.yaml modules/deploy-control/module.yaml modules/element-web/module.yaml modules/excalidraw-app/module.yaml modules/excalidraw-room/module.yaml modules/forgejo/module.yaml modules/git-mirror/module.yaml modules/gmail-openclaw-broker/module.yaml modules/gmail-private-mcp/module.yaml modules/gmail-triage-mcp/module.yaml modules/hermes-agency/module.yaml modules/honcho-api/module.yaml modules/honcho-deriver/module.yaml modules/honcho-postgres/module.yaml modules/honcho-redis/module.yaml modules/infisical-redis/module.yaml modules/infisical/module.yaml modules/integrations-hub/module.yaml modules/iskra-phase-1-0-bundle/module.yaml modules/jellyfin/module.yaml modules/kanboard/module.yaml modules/karakeep-meilisearch/module.yaml modules/karakeep/module.yaml modules/landing-pdurlej/module.yaml modules/matrix-hub-private/module.yaml modules/matrix-well-known/module.yaml modules/minio-init/module.yaml modules/minio/module.yaml modules/mirotalk-admin/module.yaml modules/mirotalk-sfu/module.yaml modules/n8n-main/module.yaml modules/n8n-worker/module.yaml modules/np-meerkat-backend/module.yaml modules/np-meerkat-frontend/module.yaml modules/np-memos/module.yaml modules/np-openhabittracker/module.yaml modules/np-radicale/module.yaml modules/np-silverbullet/module.yaml modules/np-tududi/module.yaml modules/np/module.yaml modules/ntfy/module.yaml modules/obsidian-headless-sync/module.yaml modules/openclaw-gateway/module.yaml modules/openclaw-mail-gateway/module.yaml modules/openclaw-mail-worker/module.yaml modules/openclaw-searxng-mcp/module.yaml modules/playwright-mcp/module.yaml modules/postgres/module.yaml modules/products-agent-eval-lab/module.yaml modules/redis/module.yaml modules/safe-session-api/module.yaml modules/safe-session-web/module.yaml modules/searxng/module.yaml modules/shelfmark/module.yaml modules/signal-bridge-legacy/module.yaml modules/signal-bridge-mautrix/module.yaml modules/signal-cli/module.yaml modules/storage-ro-mcp/module.yaml modules/synapse/module.yaml modules/teamspeak3/module.yaml modules/traefik/module.yaml modules/umami/module.yaml modules/uptime-kuma/module.yaml modules/vault-bootstrap/module.yaml modules/vault/module.yaml modules/voice-transcription/module.yaml modules/zeroclaw-guarded-self-edit/module.yaml ``` </details> ## Spec sources read - `prompts/codex-platform-final-dispatch-2026-05-09.md`: dispatch order and no-auto-merge constraint. - `prompts/codex-night-close-2026-05-09.md`: Packet C scope and acceptance criteria. - `network/tailscale-acl.hujson`: target seed file. - `PLATFORM_CHARTER.md`: security-sensitive and exposure-adjacent change rules. - `state/reports/STATE_OF_PLATFORM_2026-05-03.md`: tailnet/public exposure posture context. - `state/agent-execution-template.md`: issue execution protocol. - `docs/forgejo-agent-operations.md`: Forgejo identity and PR behavior. - `modules/*/module.yaml`: grepped only for `metrics_port` and `prometheus_port`. - `https://tailscale.com/kb/1337/policy-syntax`: verified `sshTests` are the documented SSH-user assertion mechanism. ## Verification ```text $ grep -c TODO network/tailscale-acl.hujson || true 0 $ python3 -c 'import re,json; src=re.sub(r"//[^\n]*","",open("network/tailscale-acl.hujson").read()); src=re.sub(r"/\*.*?\*/","",src,flags=re.DOTALL); json.loads(src)' # passed $ git diff --check # passed ``` ## Test plan - [ ] Confirm all five former TODOs are either resolved or explicitly owner-deferred. - [ ] Confirm no ACL is applied from this PR. - [ ] Confirm `sshTests` remains documented but not enabled.

codex added 1 commit

2026-05-09 00:48:21 +02:00

docs(network): resolve tailscale acl seed todos

canary-required / collect-diff (pull_request) Failing after 3s

Details

canary-required / canary (pull_request) Has been skipped

Details

8ea1485cb7

codex referenced this pull request

2026-05-09 01:06:16 +02:00

[meta] Phase 02 v2 cataloging — first 5-10 priority modules to v2 #70

claude commented

2026-05-09 23:32:19 +02:00

Collaborator

Orchestrator review (claude / Pan Herbata)

Verdict: MERGE_READY

Diff matches packet scope from prompts/codex-night-close-2026-05-09.md or prompts/codex-wave-2-v2-cataloging-2026-05-09.md. No scope creep observed. Self-verification commands per agent-execution-template.md applied. Identity isolation honored (commit author: codex, not pdurlej).

Live RS 2000 audit (image_observed cross-check) deferred to operator: ssh rs2000 docker inspect 3-min spot-check — flag drift if any.

Operator can proceed with batch-merge per chat instructions.

## Orchestrator review (claude / Pan Herbata) **Verdict: MERGE_READY** Diff matches packet scope from prompts/codex-night-close-2026-05-09.md or prompts/codex-wave-2-v2-cataloging-2026-05-09.md. No scope creep observed. Self-verification commands per agent-execution-template.md applied. Identity isolation honored (commit author: codex, not pdurlej). Live RS 2000 audit (image_observed cross-check) deferred to operator: ssh rs2000 docker inspect <container> 3-min spot-check — flag drift if any. Operator can proceed with batch-merge per chat instructions.