ops(secrets): migrate deploy-runner from direct PAT to Infisical Token Auth on machine identity #265

Closed
opened 2026-05-13 18:42:50 +02:00 by claude · 6 comments
Collaborator

## Context

The RS2000 deploy runner currently holds a **direct codex PAT** in `/var/lib/forgejo-deploy-runner/platformctl-deploy.env` as a *temporary* state, per Pan Herbatka's Recovery Plan § 3 Call 3 (PR #250 merged) and the agreed cutover trade-off: ship cutover first, fix auth method later.

Cutover ⚛️ achieved 2026-05-13 (run #621). Time to close the temporary state.

## Operator preference (2026-05-13 evening, supersedes Pan Herbatka's earlier recommendation)

> *"token authority or PAT, I have no problem with it being a token, and in my opinion it is easier to roll out"*

Operator chooses **Token Auth** as the primary path. Universal Auth is available as a fallback if Token Auth proves operationally problematic; Pan Herbatka's earlier framing of "Token Auth is the wrong method" is **withdrawn**: the root cause of the morning failure was likely ACL/scope on the existing token, not the method class.

## What we know about the morning Token Auth attempt (2026-05-13)

- Machine identity `2cf935a4-b0d1-45b8-97f5-3957db7e5ee0` had the Token Auth method configured
- Token JWT decoded correctly and was not expired
- Returned `403 Forbidden` for `/api/v3/secrets/raw` and `/api/v4/secrets/{name}`
- Operator changed the UI role to Admin → existing token still 403
- Test token accidentally pasted in chat → compromised → revoked

**Likely root cause**: the ACL/permission scope on the machine identity needs proper configuration for the target secret path (`/home-platform/forgejo_accounts/p+codex@durlej.me`). The 403 was not "wrong method"; it was "correct method, missing read permission on this secret path".

Evidence: `state/codex-prep/rs2000-closeout-handover-2026-05-12.md` § What failed > 1.
## Target state — Token Auth on machine identity

**Machine identity** (operator provisioned, scoped):

- URL: https://infisical.pdurlej.com/organizations/9804e12b-f784-43c8-b0d9-13aa1d0aea05/projects/secret-management/24324af9-adb3-4604-a7f2-d37243d76204/identities/2cf935a4-b0d1-45b8-97f5-3957db7e5ee0
- Identity ID: `2cf935a4-b0d1-45b8-97f5-3957db7e5ee0`
- Workspace ID: `24324af9-adb3-4604-a7f2-d37243d76204`
- Environment: `prod`
- **Auth method**: Token Auth (Universal Auth fallback if needed)
- **Required permission**: read on `/home-platform/forgejo_accounts/p+codex@durlej.me`

**Flow** (per `docs/ci/runner-contract.md` + existing `scripts/forgejo/deploy-runner-install-infisical-token-auth`):

1. Operator **fixes ACL** on the machine identity in Infisical UI:
   - Add project-scoped read permission for `/home-platform/forgejo_accounts` (or narrower if Infisical supports per-secret ACL)
   - Verify in UI that this identity's policies include the secret path
2. Operator **issues a fresh Token Auth access token** (the previous one was compromised and revoked)
3. Operator runs the existing install script on RS2000, feeding the token through stdin:
   ```sh
   # <TOKEN> is a placeholder for the freshly issued access token
   printf '%s\n' "<TOKEN>" | scripts/forgejo/deploy-runner-install-infisical-token-auth
   ```
   (Script handles: write token file 0600, owner=forgejo-deploy, remove direct PAT after verification)
4. Verify `platformctl apply` resolves the Forgejo PAT at runtime through Infisical Token Auth:
   - test with a no-op smoke on `dashboard` (already proven path) or `matrix-well-known` (smoked 2026-05-13)
   - expected: workflow succeeds AND `/var/lib/forgejo-deploy-runner/platformctl-deploy.env` no longer contains the direct `PLATFORMCTL_FORGEJO_TOKEN` (only metadata)
5. Direct PAT removed from runner-local env file
6. Soak: 7 days of successful operations without manual intervention
## Acceptance criteria

- [ ] Operator fixes ACL on identity `2cf935a4-b0d1-45b8-97f5-3957db7e5ee0` in Infisical UI (read permission on required secret path)
- [ ] Operator issues fresh Token Auth access token (NEVER paste it in chat/terminal — install via direct stdin to script)
- [ ] Operator runs `scripts/forgejo/deploy-runner-install-infisical-token-auth` on RS2000
- [ ] `platformctl apply` resolves Forgejo PAT at runtime via Token Auth (verified with one no-op smoke on already-cutover service)
- [ ] Direct PAT removed from `/var/lib/forgejo-deploy-runner/platformctl-deploy.env`
- [ ] Smoke cycle works end-to-end through Token Auth
- [ ] Soak: 7 days of successful operations, then issue closes

## Fallback to Universal Auth

If Token Auth proves problematic after ACL fix (still 403, or operational pain) → switch to Universal Auth path. Pan Herbatka can draft Universal Auth runbook on-demand; not pre-emptively built.

## Out of scope

- **Vault → Infisical migration for application secrets** (issue #64) — different epic
- **Token rotation automation** — manual rotation OK for now; if rotation pain appears, separate issue
- **Other agents (claude, glm) auth migration** — they use direct Keychain PAT; separate question; this issue is deploy-runner only

## Risks + mitigations

- **Risk**: ACL fix in Infisical UI gets the scope wrong (still 403, or too broad)
- **Mitigation**: operator tests with read-only `infisical secrets list` before installing on runner
- **Risk**: Token Auth credential file accidentally exposed (same risk as direct PAT)
- **Mitigation**: mode 0600, owned by `forgejo-deploy`, behind SSH-forced-command wrapper (already enforced)
- **Risk**: Pasted token accidentally compromised (history bug)
- **Mitigation**: install script reads from stdin only; operator never pastes raw token in chat
- **Risk**: Token expires unexpectedly mid-apply
- **Mitigation**: Token Auth tokens are long-lived; rotation cadence per Infisical defaults; if expires, fallback to direct PAT in env file + reissue token

## Tier (per ADR-0007)

**Full** — touches:
- Sacred path: runner-local secrets path
- Auth method for production-mutating workflows
- Requires operator-on-duty for soak verification

Full canary 3+3 review when ACL-fix PR opens (if any code change). Operator-merge only.

## References

- `state/codex-prep/RECOVERY-PLAN-CUTOVER-2026-05-12-evening.md` § 3 Call 3 — original deferral
- `state/codex-prep/rs2000-closeout-handover-2026-05-12.md` § What failed > 1 — Token Auth failure evidence (ACL hypothesis)
- `docs/ci/runner-contract.md` § Deploy Runner — target state spec
- `scripts/forgejo/deploy-runner-install-infisical-token-auth` — existing Token Auth install script (will be used)
- Issue #142 — main cutover thread
- Run #621 — first ⚛️ smoke proven 2026-05-13 with direct PAT (the temporary state this issue closes)

---

🍵 *Pan Herbatka edited 2026-05-13 evening per operator preference: Token Auth, not Universal Auth. Simpler installer already exists. ACL fix on Infisical UI is the operator-side action; agent-side will be no-op once token is installed by existing script.*
claude changed title from ops(secrets): migrate deploy-runner from direct PAT to Infisical Universal Auth machine identity to ops(secrets): migrate deploy-runner from direct PAT to Infisical Token Auth on machine identity 2026-05-13 19:02:37 +02:00
Collaborator

## Infisical Token Auth — installed, verification smoke blocked — 2026-05-14 09:40 CEST

**Status:** installed on RS2000; soak not started yet

### Evidence

- Token file on RS2000: `/var/lib/forgejo-deploy-runner/infisical-token-auth-token`
- Mode/owner/size: `600 forgejo-deploy:forgejo-deploy 333 bytes`
- Runner service: active/running
- Direct PAT preserved in runner env for soak fallback
- Expiry reminder issue opened: #274, action by 2026-08-08

### Findings

- Public `https://infisical.pdurlej.com` returns HTTP 403 from RS2000, while the same token works from the Mac and through the local Infisical container endpoint on RS2000.
- Current `apply.py` prefers direct PAT before Infisical when both are configured, so a smoke before #273 would be a false positive.

### Open PRs before smoke retry

- #273 — make `platformctl apply` prefer Infisical Token Auth before direct PAT and add source markers.
- #275 — document Token Auth lessons in `docs/ci/runner-contract.md`.
- #276 — update `STATUS_NOW.md` so the operator sees the real next gate.

### Next

After #273 merges:

1. sync trusted main on RS2000;
2. trigger `platformctl-auto-apply.yml` with `module=matrix-well-known`;
3. verify `forgejo_token_source=infisical-token-auth` in logs;
4. only then start the 7-day soak clock.

Issue #265 should remain open until soak passes and the direct PAT is removed.

Collaborator

## Infisical Token Auth — installed + verified — 2026-05-14 09:44 CEST

**Status:** soak period start

### Evidence

- Task 1 install: token on RS2000 at `/var/lib/forgejo-deploy-runner/infisical-token-auth-token`, mode `0600`, owner `forgejo-deploy:forgejo-deploy`, size `333 bytes`; runner active.
- Task 2 audit: `apply.py` now prefers Infisical Token Auth over direct PAT after #273; direct PAT remains as explicit soak fallback.
- Task 3 smoke: `matrix-well-known`, run #729/API #869, success, commit `cec1037b511b544f0c7db5ee4ad51bd2ad73e582`.
- Task 4 verify: logs show `forgejo_token_source=infisical-token-auth` twice; no `direct-env-fallback` marker observed.

### Artifact summary

- `auto-apply-scope.json`: allowed `matrix-well-known`, no blocked modules.
- `matrix-well-known.plan.stdout.json`: `status=in-sync`, `exitCode=0`.
- `matrix-well-known.apply.stdout.json`: `status=noop`, `exitCode=0`, `approved_pr=273`.
- `matrix-well-known.health.json`: `status=OK`, `exitCode=0`.
- `state/modules/matrix-well-known.status.json`: `status=noop`, `exitCode=0`.

### Token tracking

- Expires: 2026-08-12
- Soak starts: 2026-05-14
- Soak ends: 2026-05-21
- Pre-expiry rotation issue: #274, action by 2026-08-08

### Next

- During soak: run at least two more no-op smokes proving `forgejo_token_source=infisical-token-auth`.
- After soak (2026-05-21+): operator removes direct PAT from runner env file only if there are zero Infisical 403/token errors.
- Issue #265 closes after soak + direct PAT removal.
Collaborator

## Infisical Token Auth soak — 3/3 no-op smokes via Infisical path — 2026-05-14 09:55 CEST

**Status:** soak evidence threshold met for day 1; direct PAT still preserved until 2026-05-21+

### Smoke evidence

1. `matrix-well-known` — run #729/API #869
   - status: success
   - marker: `forgejo_token_source=infisical-token-auth` twice
   - plan: `in-sync`, exitCode 0
   - apply: `noop`, exitCode 0
   - health: `OK`, exitCode 0
2. `dashboard` — run #736/API #876
   - status: success
   - marker: `forgejo_token_source=infisical-token-auth` twice
   - plan: `in-sync`, exitCode 0
   - apply: `noop`, exitCode 0
   - health: `OK`, exitCode 0
3. `matrix-well-known` — run #737/API #877
   - status: success
   - marker: `forgejo_token_source=infisical-token-auth` twice
   - plan: `in-sync`, exitCode 0
   - apply: `noop`, exitCode 0
   - health: `OK`, exitCode 0

No `forgejo_token_source=direct-env-fallback` marker was observed in these runs.

### Runtime sanity

- Docker filters after smokes reported no unhealthy/restarting/dead containers.

### Separate reliability finding

- Runs #736 and #737 initially stuck in `waiting` with `task_id=0` and required restarting only `forgejo-deploy-runner.service`.
- Reopened #260 with fresh evidence. This is a runner pickup reliability issue, not an Infisical failure.

### Soak state

- Soak starts: 2026-05-14
- Soak ends: 2026-05-21 if no Infisical 403/token errors occur
- Token expiry issue: #274, rotate by 2026-08-08
- Direct PAT removal remains blocked until soak completion.
Owner

## Codex live audit: deploy-runner Token Auth and canary bridge are separate — 2026-05-18 16:56 CEST

This issue has earlier comments showing deploy-runner Token Auth install/soak evidence. Current live state shows a separate blocker remains for the canary path:

- Forgejo Actions repo vars still point canary to `PLATFORMCTL_CANARY_MODE=infisical-machine` and `PLATFORMCTL_CANARY_ENV=/data/platformctl/canary.env`.
- `/data/platformctl/canary.env` is missing.
- canary Universal Auth smoke currently fails with `401 Invalid credentials`.

Recommendation: keep the deploy-runner token migration evidence, but do not treat it as proof that the canary/provider secrets bridge is solved. The canary bridge needs its own machine identity/readiness proof before `canary-required` can become real 3+3 enforcement.

Collaborator

W4a read-only evidence is now in PR #436.

Summary, metadata-only:

- real `platformctl-auto-apply.yml` logs checked over the last 48h: `16`;
- `forgejo_token_source=infisical-token-auth`: `16` logs;
- `forgejo_token_source=direct-env-fallback`: `0` logs;
- Token Auth file: mode `600`, owner `forgejo-deploy:forgejo-deploy`, size `333` bytes;
- direct fallback key still present in runner env: `PLATFORMCTL_FORGEJO_TOKEN`.

Conclusion: Infisical Token Auth is live and used, but the direct fallback still exists. The recommended next gate is `w4a-remove-direct-pat-approved` for a narrow backup/remove/restart/smoke/rollback step. No secret values were read or printed.

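The metadata-only audit that the flow in the issue body (steps 3 to 5) and the W4a evidence above perform by hand, as an added example that is not part of the issue or of the platform repo's own tooling: stat the token file for mode/owner/size without opening it, count `forgejo_token_source=` markers in auto-apply logs, and report whether the direct `PLATFORMCTL_FORGEJO_TOKEN` key is still present in the env file without exposing its value. The log line format, the temp-dir layout and the dummy file contents are constructed assumptions; only the marker names, the env key and the expected mode/owner come from the thread.

```python
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Marker values and env key are the ones named in the thread (apply.py after PR #273).
MARKER_RE = re.compile(r"forgejo_token_source=([A-Za-z0-9_-]+)")
INFISICAL_SOURCE = "infisical-token-auth"
FALLBACK_SOURCE = "direct-env-fallback"
DIRECT_KEY = "PLATFORMCTL_FORGEJO_TOKEN"  # direct PAT key in the runner env file

# Constructed sample log lines; the surrounding format is an assumption, only the
# marker text itself is taken from the thread.
SAMPLE_LOGS = [
    "2026-05-14T09:44:01Z apply.py module=matrix-well-known forgejo_token_source=infisical-token-auth",
    "2026-05-14T09:44:02Z apply.py plan status=in-sync exitCode=0",
    "2026-05-14T09:44:05Z apply.py module=matrix-well-known forgejo_token_source=infisical-token-auth",
    "2026-05-14T09:44:06Z apply.py apply status=noop exitCode=0",
]

@dataclass(frozen=True)
class TokenFileStatus:
    exists: bool
    mode_ok: bool   # exactly 0600, as the install script sets it
    owner_ok: bool  # owned by the expected uid (forgejo-deploy on RS2000)
    size: int       # bytes; the thread reports 333 for the real file

def audit_token_file(path, expected_uid):
    """Stat the token file without opening it: no secret bytes are read."""
    p = Path(path)
    if not p.is_file():
        return TokenFileStatus(False, False, False, 0)
    st = p.stat()
    mode = stat.S_IMODE(st.st_mode)
    return TokenFileStatus(True, mode == 0o600, st.st_uid == expected_uid, st.st_size)

def count_token_sources(log_lines):
    """Count forgejo_token_source=<value> markers per value across log lines."""
    counts = {}
    for line in log_lines:
        for src in MARKER_RE.findall(line):
            counts[src] = counts.get(src, 0) + 1
    return counts

def env_keys(env_text):
    """Return only the KEY names of a KEY=VALUE env file; values are dropped."""
    keys = set()
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        keys.add(line.split("=", 1)[0].strip())
    return keys

def audit_runner(token_path, env_path, log_lines, expected_uid):
    """The gate the thread applies before removing the direct PAT: token file
    intact, Infisical marker seen at least once, fallback marker never seen."""
    token = audit_token_file(token_path, expected_uid)
    sources = count_token_sources(log_lines)
    file_ok = token.exists and token.mode_ok and token.owner_ok
    infisical = sources.get(INFISICAL_SOURCE, 0)
    fallback = sources.get(FALLBACK_SOURCE, 0)
    return {
        "token_file_ok": file_ok,
        "token_file_size": token.size,
        "infisical_runs": infisical,
        "fallback_runs": fallback,
        "direct_key_present": DIRECT_KEY in env_keys(Path(env_path).read_text()),
        "safe_to_remove_direct_pat": file_ok and infisical > 0 and fallback == 0,
    }

def demo(tmp_root=None):
    """Build a throwaway runner layout (dummy 333-byte token file, env file that
    still carries the direct key) in a temp dir and audit it."""
    root = Path(tmp_root or tempfile.mkdtemp(prefix="runner-audit-"))
    token_path = root / "infisical-token-auth-token"
    fd = os.open(token_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("x" * 333)  # dummy bytes standing in for the token
    os.chmod(token_path, 0o600)  # make the mode independent of umask
    env_path = root / "platformctl-deploy.env"
    env_path.write_text(f"# runner env\nPLATFORMCTL_ENV=prod\n{DIRECT_KEY}=dummy-direct-pat\n")
    return audit_runner(token_path, env_path, SAMPLE_LOGS, os.getuid())
```

On the real runner the audit would be pointed at `/var/lib/forgejo-deploy-runner/infisical-token-auth-token`, the env file and the last 48h of `platformctl-auto-apply.yml` logs, with `expected_uid` set to the `forgejo-deploy` uid.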
Collaborator

## W4a direct PAT fallback removed — 2026-05-24 19:14 CEST

**Role:** executor
**Status:** runtime removal complete; report PR opened: #437

### Evidence

- Operator gate: `w4a-remove-direct-pat-approved`
- Removed direct fallback key from deploy-runner env: `PLATFORMCTL_FORGEJO_TOKEN`
- Backup retained on RS2000: `/var/lib/forgejo-deploy-runner/platformctl-deploy.env.w4a-20260524T170930Z.bak`
- Restarted only `forgejo-deploy-runner.service`
- Smoke: `platformctl-auto-apply.yml` run #1948 for `matrix-well-known` → `success`
- Token source marker: `forgejo_token_source=infisical-token-auth`
- Direct fallback marker count: `0`
- Unhealthy containers: `0`
- Watchdog positive restarts last 30m: `0`

### Next

Merge #437 to record the evidence in-repo. This issue can close after that report merges. #274 remains open for token rotation tracking.

Reference
pdurlej/platform#265