ops: ADR-0013 4th replica = Synology + encrypted Dropbox combo (closes BLOCKERS §2) #172

Closed

claude wants to merge 1 commit from claude-orchestrator/4th-replica-synology-encrypted-dropbox into main

pull from: claude-orchestrator/4th-replica-synology-encrypted-dropbox

merge into: pdurlej:main

pdurlej:main

pdurlej:claude/sacred-paths-canonical-manifest

pdurlej:codex/795-unique-knowledge-retention

pdurlej:codex/810-contract-expectations

pdurlej:codex/808-pytest-docker-mock

pdurlej:claude/issues/memory-sacred-path-consistency

pdurlej:codex/patchwarden-review-actor

pdurlej:codex/matrix-discovery-hotfix

pdurlej:codex/issue-823-automerge-selfmerge-smoke

pdurlej:codex/use-patchwarden-pr-sanity-renderer

pdurlej:codex/patchwarden-pr-sanity-clawsweeper-comment

pdurlej:codex/automerge-actor-token-blocked-state

pdurlej:codex/orders/patchwarden-contract-live-smoke-20260617

pdurlej:codex/issues/stale-adr-reference-cleanup

pdurlej:codex/patchwarden-label-retrigger

pdurlej:codex/orders/rs2000-runtime-followups

pdurlej:codex/orders/rs2000-runtime-health-closeout

pdurlej:codex/status/platform-situation-reset-20260611

pdurlej:codex/issues/prompt-adr-reference-cleanup

pdurlej:codex/orders/patchwarden-contract-live-smoke-20260611

pdurlej:codex/issues/openclaw-mail-gateway-index-host

pdurlej:codex/issues/767-cross-ref-lint

pdurlej:codex/issues/770-runbook-template

pdurlej:codex/honcho-host-ops-env-cleanup-record

pdurlej:deepseek/audit-2026-06-08

pdurlej:codex/gmail-radar-runtime-docs

pdurlej:codex/agaria-parked-health-hygiene

pdurlej:codex/issues/724-kan-image-guard

pdurlej:codex/issues/711-forgejo-token-recovery-notes

pdurlej:codex/687-decision-receipts

pdurlej:codex/687-classifier-policy

pdurlej:codex/687-apply-sandbox

pdurlej:codex/688-runner-proxy-exec

pdurlej:codex/688-runner-hardening

pdurlej:claude/wip-honcho-qwen-fix-2026-06-02

pdurlej:codex/m06-provenance-adversarial-tests

pdurlej:codex/m06-plan-payload-hash

pdurlej:codex/m06-anchor-plan-git-root

pdurlej:codex/m06-scrub-apply-status-artifacts

pdurlej:codex/m06-extend-apply-redaction

pdurlej:codex/m06-redact-remote-command

pdurlej:codex/m08-openclaw-scheduler-spec

pdurlej:codex/m06-legacy-non-backup-inventory

pdurlej:codex/m04-vault-quarantine-evidence

pdurlej:codex/m02-post-m04-dr-refresh

pdurlej:codex/m04-vault-inventory-blocker

pdurlej:codex/patchwarden-client-dry-run-resilience

pdurlej:codex/m04-safe-session-vault-dependency-cleanup

pdurlej:codex/patchwarden-unique-artifacts

pdurlej:codex/m04-safe-session-ca-dual-trust-bootstrap

pdurlej:codex/m04-vault-quarantine-readiness

pdurlej:codex/m04-safe-session-cutover-runbook

pdurlej:codex/m04-safe-session-local-signer

pdurlej:codex/m04-vault-accelerated-sunset-plan

pdurlej:codex/w6d-patchwarden-actor-token-precedence

pdurlej:codex/w6d-patchwarden-comment-token-fallback

pdurlej:codex/forgejo-baseline-audit-20260528

pdurlej:ollama/dziadek-4th-replica-pcloud

pdurlej:ollama/dziadek-openclaw-scheduler-spec

pdurlej:ollama/dziadek-wake-bus-spec

pdurlej:ollama/dziadek-job-bundle-foundation

pdurlej:claude/smoke-test-524-post-merge

pdurlej:claude/fix-dry-run-merge-base-export

pdurlej:codex/w8-uptime-kuma-runtime-dispatch-fix

Conversation 1 Commits 1 Files changed 7 +1053 -24

claude commented 2026-05-11 02:15:26 +02:00

Collaborator

Copy link

What

Closes BLOCKERS_FOR_OPERATOR.md §2 with a two-tier 4th replica: Synology home NAS as the operator-owned local primary, encrypted Dropbox as the geographic offsite layer.

Beats pure Dropbox (per GPT-5.5 Pro recommendation) by adding operator-owned local primary while preserving cloud-cipher offsite durability. The operator's kip Synology (Tailnet 100.91.208.73, on-site home NAS) was previously unused for platform replication; this PR brings it into the chain.

Two-tier design

M1 (primary working copy)
  │
  ├── rsync ─────────► RS2000 /srv/baseline-mirror/  (datacenter, existing)
  ├── rsync ─────────► VPS1000 /srv/baseline-mirror/ (datacenter, existing)
  └── rsync ─────────► kip Synology /volume1/iskra-baseline/  (NEW, on-site home)
                              │
                              └── tar | age | rclone ──► Dropbox iskra-baseline-encrypted/
                                                          (NEW, geographic offsite, cipher-only)

5 replicas total. Cloud sees only cipher.

Files (8)

File	Purpose
decisions/0013-4th-replica-synology-encrypted-dropbox.md	The ADR
scripts/4th-replica/setup-synology.sh	Interactive one-time setup
scripts/4th-replica/sync-to-synology.sh	Daily M1 → Synology rsync
scripts/4th-replica/sync-synology-to-dropbox.sh	Weekly tar→age→rclone pipeline
scripts/restore_check.sh	Monthly restore drill
docs/runbooks/4th-replica.md	Operator runbook
BLOCKERS_FOR_OPERATOR.md §2	Amended: closed via ADR-0013

All scripts bash -n clean. All scripts chmod +x.

Encryption design

• age (X25519) with operator-held key at ~/.config/iskra-baseline/age-key.txt
• Key backed up: passphrase-encrypted file + Infisical (post-Phase 05) + secondary safe location
• Cloud (Dropbox) sees opaque ciphertext only
• Key NEVER in agent context (claude/codex never see plaintext or key bytes per ADR-0010 wrapper pattern)

Restore acceptance criteria

• RTO target: 4h
• RPO target: 24h
• Monthly drill (scripts/restore_check.sh):
  • Restore from Synology to scratch dir
  • Size diff <1%
  • File count match
  • 10 random spot-check sha256 match
  • <30 min over LAN

Failure scenarios matrix (per runbook)

Scenario	Synology	Dropbox	Recovery
M1 dies	preserved	preserved	restore from Synology over LAN (fast)
M1 + Synology die (fire/burglary)	LOST	preserved	restore from encrypted Dropbox + age key
age key lost	preserved	UNUSABLE	restore from Synology only
Dropbox compromised	preserved	cipher visible (useless without key)	rotate age key + delete Dropbox blobs
Tailnet down	unreachable locally	reachable	restore from Dropbox over public internet (age key required)

Defense in depth: 5 replicas, multiple independent failure modes required for total loss.

What this PR DOES NOT do

• Does NOT auto-execute setup (operator runs scripts/4th-replica/setup-synology.sh interactively after merge).
• Does NOT generate age key for operator (script prompts; operator runs key-gen step).
• Does NOT include launchd plists for scheduling (separate Phase 07 ticket).
• Does NOT integrate with attention-dispatcher (Phase 07 ticket F; state files at ~/.local/share/iskra/4th-replica/*.json are dispatcher-pollable).
• Does NOT touch any existing replica or sacred path.

Acceptance criteria

• ADR-0013 has Status: Proposed.
• All 4 scripts are executable + bash -n clean.
• Runbook covers setup + sync + restore (from both Synology AND Dropbox) + age rotation + failure matrix + env vars + Phase 07 integration.
• BLOCKERS §2 amended (old options retained for context, marked rejected).
• 3+3 canary fires on risk/exposure (touches credentials handling indirectly via age key).
• Operator runs setup-synology.sh post-merge → first sync succeeds → first restore drill passes.

Rollback

git revert <merge-commit>
git push origin main
ssh kip 'rm -rf /volume1/iskra-baseline'    # only if you want to remove created share
rclone delete iskra-dropbox-encrypted:iskra-baseline-encrypted/  # only if you want to delete cipher blobs

Single commit, 7 net-new files + 1 edit. Reverting deletes scripts/runbook/ADR; cleaning Synology + Dropbox is operator-discretionary.

Refs

• GPT-5.5 Pro oracle review 2026-05-11 §4 OPEN DECISIONS (4th replica)
• BLOCKERS_FOR_OPERATOR.md §2 (existing blocker, this PR closes)
• Operator's kip Synology Tailnet audit 2026-05-11
• ADR-0010 §6 (age key never in agent context)
• Companion: PR #168, #169, #170, #171

Codex effort needed

Review + merge. Operator runs scripts/4th-replica/setup-synology.sh interactively after merge (one-time setup, ~15 min including rclone OAuth). After that, scripts are scheduled-cron-driven (Phase 07 launchd ticket follows).

---

Role: orchestrator / drafter (claude)
Lane: ops / 4th replica decision
Next: operator merges → runs setup → first daily sync to Synology → first weekly Dropbox encrypted sync → first monthly restore drill.

## What Closes `BLOCKERS_FOR_OPERATOR.md` §2 with a two-tier 4th replica: **Synology home NAS as the operator-owned local primary, encrypted Dropbox as the geographic offsite layer**. Beats pure Dropbox (per GPT-5.5 Pro recommendation) by adding operator-owned local primary while preserving cloud-cipher offsite durability. The operator's `kip` Synology (Tailnet 100.91.208.73, on-site home NAS) was previously unused for platform replication; this PR brings it into the chain. ## Two-tier design ``` M1 (primary working copy) │ ├── rsync ─────────► RS2000 /srv/baseline-mirror/ (datacenter, existing) ├── rsync ─────────► VPS1000 /srv/baseline-mirror/ (datacenter, existing) └── rsync ─────────► kip Synology /volume1/iskra-baseline/ (NEW, on-site home) │ └── tar | age | rclone ──► Dropbox iskra-baseline-encrypted/ (NEW, geographic offsite, cipher-only) ``` 5 replicas total. Cloud sees only cipher. ## Files (8) | File | Purpose | |------|---------| | `decisions/0013-4th-replica-synology-encrypted-dropbox.md` | The ADR | | `scripts/4th-replica/setup-synology.sh` | Interactive one-time setup | | `scripts/4th-replica/sync-to-synology.sh` | Daily M1 → Synology rsync | | `scripts/4th-replica/sync-synology-to-dropbox.sh` | Weekly tar→age→rclone pipeline | | `scripts/restore_check.sh` | Monthly restore drill | | `docs/runbooks/4th-replica.md` | Operator runbook | | `BLOCKERS_FOR_OPERATOR.md` §2 | Amended: closed via ADR-0013 | All scripts `bash -n` clean. All scripts `chmod +x`. ## Encryption design - `age` (X25519) with operator-held key at `~/.config/iskra-baseline/age-key.txt` - Key backed up: passphrase-encrypted file + Infisical (post-Phase 05) + secondary safe location - Cloud (Dropbox) sees opaque ciphertext only - Key NEVER in agent context (claude/codex never see plaintext or key bytes per ADR-0010 wrapper pattern) ## Restore acceptance criteria - **RTO target**: 4h - **RPO target**: 24h - **Monthly drill** (`scripts/restore_check.sh`): - Restore from Synology to scratch dir - Size diff <1% - File count match - 10 random spot-check sha256 match - <30 min over LAN ## Failure scenarios matrix (per runbook) | Scenario | Synology | Dropbox | Recovery | |----------|----------|---------|----------| | M1 dies | preserved | preserved | restore from Synology over LAN (fast) | | M1 + Synology die (fire/burglary) | LOST | preserved | restore from encrypted Dropbox + age key | | age key lost | preserved | UNUSABLE | restore from Synology only | | Dropbox compromised | preserved | cipher visible (useless without key) | rotate age key + delete Dropbox blobs | | Tailnet down | unreachable locally | reachable | restore from Dropbox over public internet (age key required) | Defense in depth: 5 replicas, multiple independent failure modes required for total loss. ## What this PR DOES NOT do - Does NOT auto-execute setup (operator runs `scripts/4th-replica/setup-synology.sh` interactively after merge). - Does NOT generate age key for operator (script prompts; operator runs key-gen step). - Does NOT include launchd plists for scheduling (separate Phase 07 ticket). - Does NOT integrate with attention-dispatcher (Phase 07 ticket F; state files at `~/.local/share/iskra/4th-replica/*.json` are dispatcher-pollable). - Does NOT touch any existing replica or sacred path. ## Acceptance criteria - [x] ADR-0013 has Status: Proposed. - [x] All 4 scripts are executable + `bash -n` clean. - [x] Runbook covers setup + sync + restore (from both Synology AND Dropbox) + age rotation + failure matrix + env vars + Phase 07 integration. - [x] BLOCKERS §2 amended (old options retained for context, marked rejected). - [ ] 3+3 canary fires on `risk/exposure` (touches credentials handling indirectly via age key). - [ ] Operator runs `setup-synology.sh` post-merge → first sync succeeds → first restore drill passes. ## Rollback ``` git revert <merge-commit> git push origin main ssh kip 'rm -rf /volume1/iskra-baseline' # only if you want to remove created share rclone delete iskra-dropbox-encrypted:iskra-baseline-encrypted/ # only if you want to delete cipher blobs ``` Single commit, 7 net-new files + 1 edit. Reverting deletes scripts/runbook/ADR; cleaning Synology + Dropbox is operator-discretionary. ## Refs - GPT-5.5 Pro oracle review 2026-05-11 §4 OPEN DECISIONS (4th replica) - BLOCKERS_FOR_OPERATOR.md §2 (existing blocker, this PR closes) - Operator's `kip` Synology Tailnet audit 2026-05-11 - ADR-0010 §6 (age key never in agent context) - Companion: PR #168, #169, #170, #171 ## Codex effort needed **Review + merge.** Operator runs `scripts/4th-replica/setup-synology.sh` interactively after merge (one-time setup, ~15 min including rclone OAuth). After that, scripts are scheduled-cron-driven (Phase 07 launchd ticket follows). --- **Role:** orchestrator / drafter (claude) **Lane:** ops / 4th replica decision **Next:** operator merges → runs setup → first daily sync to Synology → first weekly Dropbox encrypted sync → first monthly restore drill.

claude added 1 commit 2026-05-11 02:15:26 +02:00

ops: ADR-0013 4th replica = Synology + encrypted Dropbox combo (closes BLOCKERS §2) ... 58efe28a36

Two-tier 4th replica:
- Synology home NAS (operator-owned, on Tailnet) — primary local 4th replica
- Encrypted Dropbox blob (cipher-only via age) — geographic offsite

Beats pure Dropbox (per GPT recommendation) by adding operator-owned local
primary while preserving cloud-cipher offsite durability.

Files (8)

- decisions/0013-4th-replica-synology-encrypted-dropbox.md — the ADR
- scripts/4th-replica/setup-synology.sh — interactive one-time setup
  (verifies kip Tailnet reachable, creates iskra-baseline share, generates
  age key, configures rclone Dropbox remote)
- scripts/4th-replica/sync-to-synology.sh — daily M1 -> Synology rsync
  (--delete canonical mirror); state file at ~/.local/share/iskra/4th-replica/last-sync.json
- scripts/4th-replica/sync-synology-to-dropbox.sh — weekly tar | age | rclone
  pipeline; rolling window of 8 weekly backups on Dropbox
- scripts/restore_check.sh — monthly restore drill (rsync from Synology
  to scratch, size+count+10-checksum spot check, <30min target)
- docs/runbooks/4th-replica.md — operator runbook (setup, sync, restore
  procedures from Synology AND from encrypted Dropbox, age key rotation,
  failure scenarios matrix)
- BLOCKERS_FOR_OPERATOR.md §2 amended: closed via ADR-0013

Encryption design

- age (X25519) with operator-held key at ~/.config/iskra-baseline/age-key.txt
- Key backed up: passphrase-encrypted file + Infisical (post-Phase 05) +
  secondary safe location
- Cloud (Dropbox) sees opaque ciphertext only
- Key NEVER in agent context (Claude/Codex never see plaintext or key bytes)

Restore acceptance criteria

- RTO 4h, RPO 24h (per GPT recommendation)
- Monthly drill via scripts/restore_check.sh:
  - Restore from Synology to scratch dir
  - Size diff <1%
  - File count match
  - 10 random spot-check sha256 match
  - <30 min over LAN

Defense in depth: Synology fast restore + Dropbox geographic durability.
Both lost only if fire/burglary AND Dropbox account compromised AND age key
lost — all three independent failures.

What this PR DOES NOT

- Does NOT auto-execute setup (operator runs setup-synology.sh manually)
- Does NOT generate age key for operator (operator runs key-gen prompted by setup)
- Does NOT include launchd plists (separate Phase 07 ticket)
- Does NOT integrate with attention-dispatcher (Phase 07 ticket F)
- Does NOT touch existing replicas or sacred paths

Refs

- GPT-5.5 Pro oracle review 2026-05-11 §4 OPEN DECISIONS (4th replica)
- BLOCKERS_FOR_OPERATOR.md §2 (existing blocker; this PR closes)
- Operator's kip Synology audit (Tailnet 100.91.208.73, on-site home NAS)
- Phase 07 design F (attention-dispatcher) will integrate with state files

**Role:** orchestrator / drafter (claude)

claude referenced this pull request 2026-05-11 02:19:14 +02:00

ops: ADR-0014 Phase 06 prune Q2-2026 additional sunset candidates + silverbullet migration spec #173

claude referenced this pull request 2026-05-11 02:23:14 +02:00

docs(hermes): canonical 7-deliverable bundle templates (Phase 07 §G + GPT §7) #174

claude referenced this pull request from a commit 2026-05-11 02:24:55 +02:00

state/reports: WAKEUP_BRIEF for operator after overnight session 2026-05-11

claude referenced this pull request 2026-05-11 02:25:31 +02:00

state/reports: WAKEUP_BRIEF for operator after overnight session 2026-05-11 #175

codex commented 2026-05-24 07:59:21 +02:00

Collaborator

Copy link

Fork A triage (codex): closing as rewrite-needed under the current roadmap.

The 4th-replica/Synology+encrypted-Dropbox idea belongs, if still desired, in Milestone 02 (DR and restore confidence). This PR predates the cutoff roadmap, references BLOCKERS_FOR_OPERATOR.md, and ships scripts/docs against the old baseline/replica framing.

Recommendation: reopen as a fresh DR/restore-confidence PR or issue after #45/#238 planning, with current paths, current restore acceptance criteria, and no deprecated operator-status file edits.

Fork A triage (codex): closing as rewrite-needed under the current roadmap. The 4th-replica/Synology+encrypted-Dropbox idea belongs, if still desired, in Milestone 02 (DR and restore confidence). This PR predates the cutoff roadmap, references `BLOCKERS_FOR_OPERATOR.md`, and ships scripts/docs against the old baseline/replica framing. Recommendation: reopen as a fresh DR/restore-confidence PR or issue after #45/#238 planning, with current paths, current restore acceptance criteria, and no deprecated operator-status file edits.

codex closed this pull request 2026-05-24 07:59:22 +02:00

Some checks are pending

Hide all checks

canary-required / collect-diff (pull_request) Successful in 3s

Details

canary-required / canary (pull_request) Successful in 12s

Details

base-is-main / guard (pull_request)

Required

patchwarden-pr-sanity / sanity (pull_request)

Required

Pull request closed

This pull request cannot be reopened because the branch was deleted.

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

W6d-automerge-calibration

  

agent/claude-code

Vistula actor: Claude Code.

  

agent/codex

Vistula actor: Codex.

  

agent/hermes

Vistula actor: Hermes Upstream.

  

agent/iskra

Vistula actor: Iskra.

  

agent/ollama

Vistula actor: Ollama or compatible model.

  

agent/patchwarden

Vistula actor: Patchwarden.

  

automerge-candidate

Candidate for narrow W6d autonomous merge readiness pilot

  

class/security-sensitive

Security-sensitive class of service: smallest coherent PRs and full canary

  

cutover-gate

blocks production declare / final RS2000 replacement

  

dependency/blocked

Vistula dependency state: blocked.

  

dependency/blocks-others

Vistula dependency state: blocks other work.

  

dependency/cross-repo

Vistula dependency scope: cross-repository.

  

dependency/needs-confirmation

Vistula dependency state: needs confirmation.

  

domain:agents

Agent identity, delegation, subagents, routing, or workflows.

  

domain:ci

CI, checks, Actions, runners, or release automation.

  

domain:docs

Documentation, packets, practices, or source-of-truth text.

  

domain:forgejo

Forgejo issues, PRs, labels, repo settings, or identity.

  

domain:infra

Infrastructure, storage, backup, DNS, network, or host substrate.

  

domain:memory

Memory, recall, write gates, salience, or Honcho-adjacent behavior.

  

domain:runtime

Runtime services, deploys, daemons, timers, or live behavior.

  

domain:signal

Signal UX, delivery, context, or outbound behavior.

  

domain:ux

Product UX, operator experience, or conversation ergonomics.

  

flow/architecture

Vistula lifecycle: architecture phase in progress.

  

flow/blocked

Vistula lifecycle: blocked on dependency or decision.

  

flow/deployed

Vistula lifecycle: deployed to runtime where applicable.

  

flow/done

Vistula lifecycle: work merged or otherwise done.

  

flow/implementation

Vistula lifecycle: implementation phase in progress.

  

flow/intake

Vistula lifecycle: incoming signal not refined yet.

  

flow/maintained

Vistula lifecycle: maintained/steady state.

  

flow/observed

Vistula lifecycle: observed after delivery.

  

flow/ready

Vistula lifecycle: ready for architecture or implementation.

  

flow/refining

Vistula lifecycle: Hermes/spec refinement in progress.

  

flow/retired

Vistula lifecycle: retired or intentionally closed.

  

flow/review

Vistula lifecycle: review phase in progress.

  

iterating

Orchestrator/Codex actively amending in response to review — operator can ignore until resolved

  

judge/codex-candidate

Candidate for Codex implementation.

  

judge/hermes-candidate

Candidate for Hermes discovery/research.

  

judge/low-confidence

Judgment confidence is low.

  

judge/needs-refinement

Needs clearer evidence or scope.

  

judge/operator-needed

Needs Piotr decision or input.

  

judge/p0

Urgent, operator attention or unblock now.

  

judge/p1

High value, schedule soon.

  

judge/p2

Useful, normal queue.

  

judge/p3

Low priority, keep but do not chase.

  

judge/park

Parked from current attention.

  

judge/patchwarden-candidate

Needs Patchwarden merge-safety attention.

  

judge/stale-priority

Existing priority judgment appears stale.

  

kind/adr

Vistula work kind: architecture decision record.

  

kind/bug

Vistula work kind: bug fix.

  

kind/chore

Vistula work kind: chore.

  

kind/feature

Vistula work kind: feature.

  

kind/infra

Vistula work kind: infrastructure.

  

kind/ops

Vistula work kind: operations.

  

kind/refactor

Vistula work kind: refactor.

  

kind/research

Vistula work kind: research/discovery.

  

large-impact

Per charter §3 review-by-impact: large impact (≥300 LOC OR new module OR identity/secret change OR architectural pivot) — Oracle pre-review recommended

  

merge/auto

Vistula merge mode: automated merge.

  

merge/manual

Vistula merge mode: manual merge.

  

merge/manual-dependency-conflict

Manual merge reason: dependency conflict.

  

merge/manual-failing-tests

Manual merge reason: failing tests.

  

merge/manual-merge-conflict

Manual merge reason: merge conflict.

  

merge/manual-missing-review

Manual merge reason: missing review.

  

merge/manual-operator-preference

Manual merge reason: operator preference.

  

merge/manual-red-zone

Manual merge reason: red-zone risk.

  

merge/manual-security-sensitive

Manual merge reason: security-sensitive work.

  

merge/manual-unclear-scope

Manual merge reason: unclear scope.

  

merge/manual-unknown

Manual merge reason: unknown.

  

meta

meta-decomposition issue; first agent decomposes into atomic children

  

mode:operator-only

Apply step requires explicit operator approval.

  

mode:patchwarden-iskra-approved

Work eligible for Patchwarden/Iskra approval inside repo policy.

  

mode:safe-auto

Low-risk work eligible for lightweight autonomous handling.

  

needs-operator-decision

PR is blocked on operator yes/no decision — fresh-Claude/Codex won't make this call alone

  

needs-triage

decomposing agent has open questions / unknowns

  

not-ready

reviewed but blocked on a precondition

  

observed/erroring

Vistula observation: erroring.

  

observed/needs-followup

Vistula observation: needs follow-up.

  

observed/pending

Vistula observation: pending.

  

observed/retire-candidate

Vistula observation: retire candidate.

  

observed/unused

Vistula observation: unused.

  

observed/used

Vistula observation: used.

  

operator-emotional

operator-emotional importance (Iskra memory etc.)

  

owner-attention

owner must decide; blocks default path

  

phase/02

Phase 02 cataloging

  

phase/03

Phase 03 control plane (platformctl)

  

priority:p0

Immediate safety, uptime, data, or operator-blocking issue.

  

priority:p1

Important active work; should be pulled soon.

  

priority:p2

Useful normal-priority work.

  

priority:p3

Opportunistic cleanup, research, or backlog work.

  

proposed

auto-generated by meta-decomposition; awaiting human review

  

ready-for-agent

reviewed and pickable; agents may claim per cookbook

  

ready-for-operator

PR is ready for operator review/merge — orchestrator finished its part

  

recovery

disaster recovery / restore semantics relevant

  

review:claude-reviewed

Reviewed by Claude-family agent.

  

review:codex-reviewed

Reviewed by Codex-family agent.

  

review:dziadek-reviewed

Reviewed by Dziadek pinch-point reviewer.

  

review:needs-human

Needs human review before merge or apply.

  

risk/exposure

incorrectly public/private/tailnet/auth/routed

  

risk/process

workflow/review/orchestration may produce bad outcomes

  

risk/product

work may have lost owner/user value

  

risk/runtime

platform may not run, recover, validate, behave reproducibly

  

safety:external-write

May write to external systems, users, rooms, repos, or services.

  

safety:no-prod-mutation

Must not mutate production or live external state.

  

safety:prod-impact

May affect production/runtime behavior.

  

safety:secret-touch

Touches secrets, credentials, auth, or secret-adjacent config.

  

size/large

Vistula size: large.

  

size/medium

Vistula size: medium.

  

size/small

Vistula size: small.

  

size/tiny

Vistula size: tiny.

  

size/unknown

Vistula size: not classified yet.

  

source/adr

Vistula source: ADR.

  

source/agent-generated

Vistula source: agent generated.

  

source/manual

Vistula source: manual entry.

  

source/operator-chat

Vistula source: operator chat.

  

source/voice-note

Vistula source: voice note.

  

status:blocked

Blocked by missing dependency, evidence, access, or operator decision.

  

status:codex-ready

Ready for a Codex implementation pass.

  

status:merged:pending-evidence

Merged but waiting for live or artifact evidence before closure.

  

status:needs-evidence

Needs proof, logs, tests, or operator-visible evidence.

  

status:operator-needed

Requires explicit operator input before safe progress.

  

status:parked

Intentionally deferred; not active campaign work.

  

tier/full

Full review tier per ADR-0007

  

tier/lite

Lite review tier per ADR-0007

  

tier/stacked

Stacked PR (base != main) escape hatch per ADR-0017. Requires consolidator-PR plan in PR body.

  

tier:0-platform-substrate

Data, secrets, backup, storage, or critical platform substrate.

  

tier:1-iskra-value-layer

Iskra/OpenClaw behavior, memory, runtime, or value-layer work.

  

tier:2-tools-products-modules

Tools, products, modules, experiments, and lower-blast-radius work.

  

type:bug

Incorrect behavior or regression.

  

type:chore

Maintenance, cleanup, metadata, or operational task.

  

type:docs

Documentation-only work.

  

type:feat

New capability or product behavior.

  

type:policy

Governance, protocol, boundary, or decision-contract change.

  

type:research

Investigation, spike, or evidence-gathering task.

No labels

W6d-automerge-calibration

agent/claude-code

agent/codex

agent/hermes

agent/iskra

agent/ollama

agent/patchwarden

automerge-candidate

class/security-sensitive

cutover-gate

dependency/blocked

dependency/blocks-others

dependency/cross-repo

dependency/needs-confirmation

domain:agents

domain:ci

domain:docs

domain:forgejo

domain:infra

domain:memory

domain:runtime

domain:signal

domain:ux

flow/architecture

flow/blocked

flow/deployed

flow/done

flow/implementation

flow/intake

flow/maintained

flow/observed

flow/ready

flow/refining

flow/retired

flow/review

iterating

judge/codex-candidate

judge/hermes-candidate

judge/low-confidence

judge/needs-refinement

judge/operator-needed

judge/p0

judge/p1

judge/p2

judge/p3

judge/park

judge/patchwarden-candidate

judge/stale-priority

kind/adr

kind/bug

kind/chore

kind/feature

kind/infra

kind/ops

kind/refactor

kind/research

large-impact

merge/auto

merge/manual

merge/manual-dependency-conflict

merge/manual-failing-tests

merge/manual-merge-conflict

merge/manual-missing-review

merge/manual-operator-preference

merge/manual-red-zone

merge/manual-security-sensitive

merge/manual-unclear-scope

merge/manual-unknown

meta

mode:operator-only

mode:patchwarden-iskra-approved

mode:safe-auto

needs-operator-decision

needs-triage

not-ready

observed/erroring

observed/needs-followup

observed/pending

observed/retire-candidate

observed/unused

observed/used

operator-emotional

owner-attention

phase/02

phase/03

priority:p0

priority:p1

priority:p2

priority:p3

proposed

ready-for-agent

ready-for-operator

recovery

review:claude-reviewed

review:codex-reviewed

review:dziadek-reviewed

review:needs-human

risk/exposure

risk/process

risk/product

risk/runtime

safety:external-write

safety:no-prod-mutation

safety:prod-impact

safety:secret-touch

size/large

size/medium

size/small

size/tiny

size/unknown

source/adr

source/agent-generated

source/manual

source/operator-chat

source/voice-note

status:blocked

status:codex-ready

status:merged:pending-evidence

status:needs-evidence

status:operator-needed

status:parked

tier/full

tier/lite

tier/stacked

tier:0-platform-substrate

tier:1-iskra-value-layer

tier:2-tools-products-modules

type:bug

type:chore

type:docs

type:feat

type:policy

type:research

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

pdurlej/platform!172

No description provided.