docs(migrations): vault-to-infisical Phase 1-5 execution #64

Closed
opened 2026-05-05 01:07:01 +02:00 by glm · 11 comments

Execute the migration plan in migrations/vault-to-infisical.md. Phase 0 (freeze) is done. Phases 1-5 documented but not executed.

Spec sources

  • migrations/vault-to-infisical.md (242 lines, Phase 0 done)
  • modules/vault/module.yaml (lifecycle: sunset, blast_radius: platform-data)
  • modules/infisical/module.yaml
  • PLATFORM_CHARTER.md §5

Extracted context

Plan Phase 0 done. Phase 1 = inventory (enumerate every Vault secret).
Two secret managers running concurrently = confusion + risk.

What done looks like

  • Phase 1: Vault secret inventory complete
  • Phase 2: Secrets mirrored to Infisical
  • Phase 3: Per-module cutover ordering with rollback steps
  • Phases 4-5 are runtime (separate issues)

Escape hatch: if Vault sealed or token expired, STOP

Risk: risk/runtime, risk/exposure, owner-attention

Trace: Issue #59 item 5, decomposed by glm 2026-05-05, parent #59

Collaborator

Audit feedback (claude orchestrator)

This issue is conceptually correct but scope is too wide for a single PR. Phases 1-5 of migrations/vault-to-infisical.md cover: secret inventory, mirroring, per-module cutover ordering, runtime cutover, decommission. Each is a substantial change with its own runtime evidence + rollback semantics.

Required amendment before ready-for-agent

Split into 3-5 child issues, one per migration phase:

  • docs(migrations): vault-to-infisical Phase 1 — secret inventory
  • docs(migrations): vault-to-infisical Phase 2 — mirror to Infisical
  • docs(migrations): vault-to-infisical Phase 3 — per-module cutover ordering + rollback
  • (Phases 4-5 stay deferred per current issue body's "separate issues" note)

Each child uses the atomic_task.md template fully + carries proposed + owner-attention labels (this is cutover-gate work). Reference this issue (#64) as parent in their ## Trace.

After split, this #64 closes with a "split into #N1, #N2, #N3" comment.

The split itself can be done by glm (as a meta-decomposition follow-up) or by claude (orchestrator) — operator choice.

Owner

Phase 1 Lite delivery design surfaced as #73

Cross-ref for context: #73 (ops(security): Codex SSH key delivery via ssh-agent with TTL) is a Phase 1 Lite slice of this issue's parent topic — secrets management strategy / vault → infisical migration.

#73 is narrower than #64: it's specifically about how the Codex agent receives an SSH private key without plaintext on disk. Path: Bitwarden item → ssh-agent stdin (TTL 1h) → never on disk → Codex uses via socket. Migration path to Phase 1 Full Infisical resolver = one-line swap of key source.

Why Phase 1 Lite first: pre-empts the recommended Bitwarden-tempfile approach in pdurlej/iskra-openclaw#44, which has 4 paper cuts (disk forensics, no TTL, process-restart leakage, argv leak). Removes them with a 5-line bash change in Codex runtime startup, no architectural commitment to Phase 1 Full.

Calling it out here so #64's design space accounts for the SSH-key special case: SSH keys are "just secrets" from the resolver's POV (bytes through stdin/stdout), but ssh-agent on the consumer side is the right safe-handling primitive.

— Claude (overnight pass, 2026-05-05 noc, post-Oracle-GPT-5.5-pro-consult)
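
The delivery path described in the comment above (secret source → ssh-agent stdin with a TTL, nothing on disk), as an added example; it is not the code from #73 or from this repository. The key-source command, the function name `load_key_with_ttl` and the `KEY_TTL_SECONDS` / `SSH_ADD_BIN` variables are assumptions; `ssh-add -t <seconds> -` is standard OpenSSH.

```shell
#!/bin/sh
# Added example (assumed names, not the project's code): pipe a private key
# from a secret source straight into ssh-agent with a lifetime, so the key is
# never written to a file and never appears in a process argument list.

KEY_TTL_SECONDS="${KEY_TTL_SECONDS:-3600}"   # the "TTL 1h" from the comment
SSH_ADD_BIN="${SSH_ADD_BIN:-ssh-add}"        # overridable path to ssh-add

# load_key_with_ttl SOURCE_CMD [ARGS...]
# SOURCE_CMD is whatever prints the private key on stdout (hypothetical here:
# a Bitwarden or Infisical CLI call). Changing the backend changes only this
# argument, which is the "one-line swap of key source" the comment mentions.
load_key_with_ttl() {
    if [ "$#" -lt 1 ]; then
        echo "usage: load_key_with_ttl SOURCE_CMD [ARGS...]" >&2
        return 64
    fi
    # Without an agent socket there is nowhere safe to put the key: stop
    # instead of falling back to a temp file.
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "refusing: SSH_AUTH_SOCK is not set" >&2
        return 69
    fi
    # A missing or zero lifetime would leave the key in the agent indefinitely.
    case "$KEY_TTL_SECONDS" in
        ''|*[!0-9]*|0)
            echo "refusing: KEY_TTL_SECONDS must be a positive integer" >&2
            return 65
            ;;
    esac
    # The source's stdout becomes ssh-add's stdin ("-"); -t sets the lifetime
    # after which the agent drops the key. The pipeline's exit status is
    # ssh-add's, so an empty or malformed key from a failed source is reported
    # as a failure here.
    "$@" | "$SSH_ADD_BIN" -t "$KEY_TTL_SECONDS" -
}
```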

codex added this to the 04 - Vault sunset milestone 2026-05-19 08:36:23 +02:00
Collaborator

W4e handoff note — 2026-05-24

Role: executor
Intent: handoff
Needs owner: no

Opened #442 to record that Vault sunset remains Milestone 04 follow-up, not W4 runtime work. W4's contribution is the Infisical-primary decision from ADR-0024; #64 should still start with read-only Phase 1 inventory and keep the existing gated/reversible migration phases.

Runtime: none.

Collaborator

M04 gate result from #539: keep #64 as the parent/umbrella, but do not execute it as one large issue.

Created first child: #607 — Vault Phase 1 read-only inventory packet.

Current classification: split / parent only. Phase 2+ should not be created until Phase 1 inventory confirms the real Vault contents and module references. No Vault runtime mutation was performed.

Collaborator

#607 Phase 1 inventory changes #64 sequencing.

The live Vault shape is not a bulk KV secret store ready for mirror-to-Infisical. It appears to be the internal safe-session SSH signer:

ssh/ engine
safe-session-signer policy
safe-session-api AppRole
safe-session SSH role

Follow-up #609 now gates Vault sunset. #64 should remain parent/umbrella, but Phase 2 mirror is currently no-go unless a later inventory finds actual KV secrets.

Collaborator

Codex current M04 state after merged PRs #612, #613, #614, #615, #618.

Completed:

  • Phase 1 inventory/report path is complete; #607 closed.
  • Safe-session local OpenSSH CA signer code is merged.
  • Cutover runbook and read-only preflight are merged.
  • Vault quarantine readiness script is merged.
  • Missing SSH CA trust handoff is now covered by a dual-trust bootstrap gate.

Current RS2000 read-only evidence:

  • Vault container is still present/running/healthy.
  • /etc/ssh/trusted-user-ca-keys.pem is present with one active CA line.
  • Local safe-session CA key/public key are not yet staged.
  • safe-session-api is still not in local-openssh-ca mode.
  • Non-Vault VAULT_* env refs still exist in safe-session-api and np.

Next gates, in order:

  1. Operator phrase m04-safe-session-ca-bootstrap-approved before executing the dual-trust CA bootstrap.
  2. Read-only safe-session-local-ca-preflight.sh must pass.
  3. Operator phrase m04-vault-runtime-cutover-approved before restarting only safe-session-api with the local CA overlay.
  4. Smoke + rollback evidence.
  5. Vault quarantine only after readiness is green.
  6. Destructive cleanup remains separate and still requires m04-vault-destructive-cleanup-approved.

No destructive/runtime mutation has happened in this comment/update.

Collaborator

M04 status checkpoint after #619/#610:

  • #619 merged: safe-session-api no longer has a live Vault runtime dependency and is running with SAFE_SESSION_SIGNER_MODE=local-openssh-ca.
  • #610 merged: Phase 1 Vault inventory evidence is now in repo and records the last-dependency finding as evidence, not assumption.
  • #622 merged: Patchwarden client dry-run no longer fails solely because optional PR comment posting gets a Forgejo 403; artifacts remain authoritative.
  • Vault remains running as rollback material. No quarantine and no destructive cleanup have been performed.
  • Per Claude Opus feedback and operator direction, post-M04 DR refresh must happen before any Vault destruction.

Remaining gates before Vault destruction:

  1. Post-M04/M01 DR refresh: local restore + vps1000 restore evidence against the new topology.
  2. Explicit runtime phrase: m04-vault-quarantine-approved.
  3. Quarantine evidence with Vault stopped/unavailable and safe-session/SSH smokes green.
  4. Explicit destructive phrase: m04-vault-destructive-cleanup-approved.

Next planned non-destructive step: open/execute the Post-M04 DR refresh work item, then stop for operator decision before quarantine.

Collaborator

M04/M02 checkpoint after #624:

  • Post-M04 DR refresh is green and recorded in repo.
  • Fresh critical backup from current topology: PASS.
  • Forgejo restore smoke from fresh backup: PASS.
  • Honcho pgvector partial restore: PASS.
  • vps1000 isolated sandbox restore: PASS.
  • safe-session local CA preflight after restore work: PASS.
  • Vault sunset readiness after restore work: PASS.
  • Unhealthy containers: 0.
  • Disposable restore leftovers on vps1000/RS2000: 0 observed.

Merged evidence:

  • #624 -> state/reports/m02-post-m04-dr-refresh-2026-05-30.md
  • #624 -> state/reports/m02-post-m04-vps1000-sandbox-drill-2026-05-30.md

Interpretation:

  • The Opus feedback is satisfied: DR refresh happened before Vault destruction.
  • Vault remains running and retained only as rollback material.
  • No quarantine or destructive cleanup has been performed.

Next possible step, only with explicit phrase:

  • m04-vault-quarantine-approved -> stop only Vault, smoke safe-session/SSH/Uptime/readiness, prove rollback by docker start.

Destructive cleanup remains blocked until a later separate phrase:

  • m04-vault-destructive-cleanup-approved.
Collaborator

Role: executor
Intent: checkpoint
Needs owner: no

M04-D Vault quarantine is complete and green.

Evidence PR: #626

Sanitized runtime result:

  • Vault stopped only: home-platform-vault-1 is present and exited.
  • No Vault container/image/volume/raft/env/bootstrap/trust material was deleted.
  • safe-session-api remains local-openssh-ca, running and healthy.
  • Real safe-session API signing path issued an internal-ops cert for llmops after Vault stop.
  • SSH login with issued cert returned llmops.
  • Negative profile path was rejected.
  • vault-sunset-readiness.sh still passes.
  • Uptime Kuma and safe-session-web remain healthy.
  • No secret-like log matches or Vault reconnect-like log matches were found.

Destructive cleanup remains pending. Operator has given conditional approval phrase for the next step, but execution should wait for the 10-minute observation pass, DeepSeek V4 Pro redteam, and exact cleanup scope confirmation.

Next: run timed observation + DeepSeek redteam, then decide whether M04-E destructive cleanup can proceed.

Collaborator

M04-E Vault destructive cleanup complete.

Role: executor
Actor: codex
Evidence file: state/reports/m04-vault-destructive-cleanup-2026-05-30.md

Sanitized result:

  • PR #626 is deployed as release-root bdb756e3c7bc3dba0d4362cf826f6eee1fa5c534.
  • Vault container removed: home-platform-vault-1.
  • Vault volumes removed: home-platform_vault_data, home-platform_vault_logs.
  • Vault images removed: hashicorp/vault:1.21.3, hashicorp/vault:1.21.2.
  • Approved legacy Vault env/config/script paths removed from /opt/pdurlej-platform/runtime/legacy-import/* and /opt/vps-home-platform-infra/env/*.
  • Old Vault SSH CA fingerprint is absent; local safe-session CA fingerprint is present.
  • Post-cleanup safe-session API smoke: internal-ops returned 200, cloud-note failed as expected, SSH cert login returned llmops.
  • Runtime health: safe-session API healthy, safe-session web healthy, Uptime Kuma healthy, unhealthy containers 0.
  • Log checks: secret-like matches 0, Vault reconnect-like matches 0.

Out of scope / follow-up:

  • Historical broad grep hits under /root/* and /home/llmops/vps-home-platform-infra/* were not active runtime references and were not deleted in M04-E. Move them to low-priority M10 host cleanup if still useful.

Secret output: none.
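
The trust-file evidence quoted in this thread ("one active CA line" before the dual-trust bootstrap, then "old Vault SSH CA fingerprint is absent; local safe-session CA fingerprint is present" after cleanup) can be checked mechanically. The following is an added example, not one of the repository's preflight or readiness scripts; the function names and sample keys are constructed, and it compares base64 key blobs rather than fingerprints (equivalent, since a fingerprint is a hash of the blob).

```shell
#!/bin/sh
# Added example (assumed names): classify an sshd TrustedUserCAKeys file
# during a CA handoff as old-only, dual-trust, new-only or unexpected.

# ca_blobs FILE: print the base64 key blob of every active line,
# skipping blank lines and '#' comments.
ca_blobs() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i + 1); break }
        }' "$1"
}

# ca_trust_state TRUST_FILE OLD_CA_PUB NEW_CA_PUB
# Prints the state; returns non-zero for "unexpected", which covers an empty
# trust file, an unreadable CA public key, or any CA that is neither the old
# nor the new one (an unexplained trust anchor is a finding in itself).
ca_trust_state() {
    cts_old=$(ca_blobs "$2" | head -n 1)
    cts_new=$(ca_blobs "$3" | head -n 1)
    if [ -z "$cts_old" ] || [ -z "$cts_new" ]; then
        echo "unexpected"
        return 1
    fi
    cts_has_old=0
    cts_has_new=0
    cts_extra=0
    for cts_blob in $(ca_blobs "$1"); do
        case "$cts_blob" in
            "$cts_old") cts_has_old=1 ;;
            "$cts_new") cts_has_new=1 ;;
            *) cts_extra=$((cts_extra + 1)) ;;
        esac
    done
    if [ "$cts_extra" -gt 0 ]; then
        echo "unexpected"
        return 1
    fi
    case "$cts_has_old$cts_has_new" in
        10) echo "old-only" ;;    # before the bootstrap gate
        11) echo "dual-trust" ;;  # rollback still possible
        01) echo "new-only" ;;    # expected after destructive cleanup
        *)  echo "unexpected"; return 1 ;;
    esac
}

# Constructed sample data: these blobs are placeholders, not real keys.
demo_constructed() {
    d=$(mktemp -d) || return 1
    echo 'ssh-ed25519 AAAAC3OLDconstructedBlob old-vault-ca' > "$d/old.pub"
    echo 'ssh-ed25519 AAAAC3NEWconstructedBlob local-safe-session-ca' > "$d/new.pub"
    { echo '# staged by dual-trust bootstrap'; cat "$d/old.pub" "$d/new.pub"; } > "$d/trust"
    ca_trust_state "$d/trust" "$d/old.pub" "$d/new.pub"
    rm -rf "$d"
}
```

A cutover gate would require `dual-trust` before restarting the signer and `new-only` before declaring cleanup complete.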

Collaborator

Closing M04 Vault sunset execution.

Completed evidence:

  • PR #626 removed Vault from active Compose and was deployed as release-root bdb756e3c7bc3dba0d4362cf826f6eee1fa5c534.
  • Vault quarantine passed with safe-session local CA signer green.
  • M04-E destructive cleanup was executed under m04-vault-destructive-cleanup-approved.
  • PR #627 recorded durable evidence: state/reports/m04-vault-destructive-cleanup-2026-05-30.md.
  • Post-cleanup smoke stayed green: safe-session API 200 for internal-ops, cloud-note rejected as expected, SSH cert login returned llmops, unhealthy containers 0.
  • Infisical is now the only canonical secret backend for RS2000/VPS1000 platform runtime.

Residual historical host references were moved to low-priority M10 follow-up: #628.

Secret output: none.

codex closed this issue 2026-05-30 08:43:03 +02:00
Reference
pdurlej/platform#64