feat(phase02): uptime-kuma — wave 2 audit + drift fix to tailnet-only #32

Merged

pdurlej merged 1 commit from claude/orders/phase-02-uptime-kuma into main

2026-05-03 01:29:09 +02:00

pdurlej commented

2026-05-03 01:20:19 +02:00

Owner

Summary

Phase 02 wave 2 manifest for uptime-kuma. Surfaced PR #27 drift: manifest claimed public + internet_exposed: true + auth: none + public_reason, but RS2000 runtime has Traefik ts-allowlist@file middleware (Tailscale CGNAT 100.64.0.0/10 + IPv6 ULA + Docker bridges only) — service is tailnet-only, not public.

Operator decision (2026-05-03, audit findings option a): fix manifest to match runtime. Future pdurlej.pl blog status page integration is acknowledged_risk, not silently configured.

Changes

modules/uptime-kuma/module.yaml — schema-validated, 888 tokens (under 1500 budget):

Drift fix: classification: public → tailnet-only, auth: none → tailscale, internet_exposed: true → false, removed public_reason, added middlewares: [ts-allowlist@file, security-headers@file]
Phase 02 v2 audit fields: image_observed: louislam/uptime-kuma:2.1.3@sha256:dac5b4ac…, image_digest_pinned_in_compose: false, image_audit_ts: 2026-05-03T07:30:00Z, image_build: registry, statefulness: stateful
intent.user_facing_outcome + intent.acceptance_criteria
dependencies.data_stores: home-platform_uptime_kuma_data
risk.acknowledged_risks × 2:
- experimental-not-configured — operator (2026-05-03): "to były eksperymenty, pewnie w przyszłości dodam je do swojego bloga pdurlej.pl". Closure/activation review per next_review.
- container-runs-as-root — louislam image runs as root (no USER directive); mitigated by tailnet-only; must re-review before any future public exposure

modules/uptime-kuma/runbook.md — follows canary-validated n8n-worker pattern:

yq '.spec.runtime.image_observed' digest source (no copy-paste truncation)
cd /opt/vps-home-platform-infra/compose/apps/ (matches compose_file)
platformctl apply <plan_file> --approved <sha> (CLI signature, plan_file positional+required)
Live state audit table + Import phase plan + Release readiness checklist + Acknowledged risks section

Verification

jsonschema.validate passes against module.schema.json
module.yaml token count: 888 / 1500 budget
image_observed digest matches docker inspect home-platform-uptime-kuma-1 on RS2000 (2026-05-03)
ts-allowlist@file middleware definition verified in /opt/vps-home-platform-infra/config/traefik/dynamic/middlewares.yml (Tailscale CGNAT + IPv6 ULA + Docker bridges)
Recovery commands use canary-validated patterns from PR #29

Test plan

Schema validation: python3 -c "import jsonschema, yaml, json; ..." against modules/uptime-kuma/module.yaml
Token count: wc -w modules/uptime-kuma/module.yaml
Manual readback: runbook readable end-to-end, recovery commands actually copy-pasteable
Canary review (3+3 ensemble) on this PR

## Summary Phase 02 wave 2 manifest for `uptime-kuma`. Surfaced PR #27 drift: manifest claimed `public + internet_exposed: true + auth: none + public_reason`, but RS2000 runtime has Traefik `ts-allowlist@file` middleware (Tailscale CGNAT `100.64.0.0/10` + IPv6 ULA + Docker bridges only) — service is **tailnet-only**, not public. Operator decision (2026-05-03, audit findings option **a**): fix manifest to match runtime. Future pdurlej.pl blog status page integration is acknowledged_risk, not silently configured. ## Changes **`modules/uptime-kuma/module.yaml`** — schema-validated, 888 tokens (under 1500 budget): - Drift fix: `classification: public → tailnet-only`, `auth: none → tailscale`, `internet_exposed: true → false`, removed `public_reason`, added `middlewares: [ts-allowlist@file, security-headers@file]` - Phase 02 v2 audit fields: `image_observed: louislam/uptime-kuma:2.1.3@sha256:dac5b4ac…`, `image_digest_pinned_in_compose: false`, `image_audit_ts: 2026-05-03T07:30:00Z`, `image_build: registry`, `statefulness: stateful` - `intent.user_facing_outcome` + `intent.acceptance_criteria` - `dependencies.data_stores: home-platform_uptime_kuma_data` - `risk.acknowledged_risks` × 2: - `experimental-not-configured` — operator (2026-05-03): "to były eksperymenty, pewnie w przyszłości dodam je do swojego bloga pdurlej.pl". Closure/activation review per `next_review`. - `container-runs-as-root` — louislam image runs as root (no USER directive); mitigated by tailnet-only; must re-review before any future public exposure **`modules/uptime-kuma/runbook.md`** — follows canary-validated n8n-worker pattern: - `yq '.spec.runtime.image_observed'` digest source (no copy-paste truncation) - `cd /opt/vps-home-platform-infra/compose/apps/` (matches `compose_file`) - `platformctl apply <plan_file> --approved <sha>` (CLI signature, plan_file positional+required) - Live state audit table + Import phase plan + Release readiness checklist + Acknowledged risks section ## Verification - [x] `jsonschema.validate` passes against `module.schema.json` - [x] `module.yaml` token count: 888 / 1500 budget - [x] `image_observed` digest matches `docker inspect home-platform-uptime-kuma-1` on RS2000 (2026-05-03) - [x] `ts-allowlist@file` middleware definition verified in `/opt/vps-home-platform-infra/config/traefik/dynamic/middlewares.yml` (Tailscale CGNAT + IPv6 ULA + Docker bridges) - [x] Recovery commands use canary-validated patterns from PR #29 ## Test plan - [ ] Schema validation: `python3 -c "import jsonschema, yaml, json; ..."` against `modules/uptime-kuma/module.yaml` - [ ] Token count: `wc -w modules/uptime-kuma/module.yaml` - [ ] Manual readback: runbook readable end-to-end, recovery commands actually copy-pasteable - [ ] Canary review (3+3 ensemble) on this PR

pdurlej added 1 commit

2026-05-03 01:20:19 +02:00

feat(phase02): uptime-kuma — wave 2 audit + drift fix to tailnet-only 4a63663985

Phase 02 wave 2 manifest for uptime-kuma. Surfaced PR #27 drift: module.yaml
claimed `public + internet_exposed: true + auth: none` with public_reason,
but RS2000 runtime has Traefik `ts-allowlist@file` middleware (Tailscale
CGNAT 100.64.0.0/10 + IPv6 ULA + Docker bridges only) — service is
**tailnet-only**, not public. Operator decision (2026-05-03): fix manifest
to match runtime (option a in audit findings), removing aspirational
public_reason. Future public exposure (pdurlej.pl blog status page) is
acknowledged_risk, not silently configured.

Schema v2 fields added per PR #29 pattern:
- image_observed: louislam/uptime-kuma:2.1.3@sha256:dac5b4ac…
- image_digest_pinned_in_compose: false (env carries tag only)
- image_audit_ts: 2026-05-03T07:30:00Z
- image_build: registry
- statefulness: stateful (SQLite + monitor history at /app/data)

Acknowledged risks (per charter §6 cognition rule, product value first):
- experimental-not-configured: empty monitor config; OpenClaw/Iskra
  to propose closure or activation per next_review cadence
- container-runs-as-root: louislam/uptime-kuma default image runs as
  root; mitigated by tailnet-only exposure; re-review before any
  future public exposure

Exposure correctness:
- classification: public → tailnet-only
- auth: none → tailscale
- middlewares: [ts-allowlist@file, security-headers@file]
- internet_exposed: true → false
- public_reason removed (no longer required by schema)

Runbook follows n8n-worker canary-validated pattern:
- yq-from-manifest digest pattern (no copy-paste truncation)
- compose_file-relative cwd (/opt/.../compose/apps/)
- platformctl apply <plan_file> --approved <sha> CLI signature
- live state audit table + import phase plan + release readiness

Schema: validates OK. Token budget: 888/1500.

pdurlej merged commit ac79e97350 into main

2026-05-03 01:29:09 +02:00

pdurlej referenced this pull request from a commit

2026-05-03 01:29:11 +02:00

Merge pull request 'feat(phase02): uptime-kuma — wave 2 audit + drift fix to tailnet-only' (#32) from claude/orders/phase-02-uptime-kuma into main

pdurlej referenced this pull request

2026-05-03 01:35:31 +02:00

feat(phase02): karakeep family — wave 2 audit + sidecar consolidation #34

pdurlej referenced this pull request

2026-05-03 10:30:56 +02:00

docs(prompts): Phase 02 wave 3 master prompt for Codex #35

pdurlej referenced this pull request