feat(modules): catalog honcho-redis v2 #140

Merged

pdurlej merged 1 commit from codex/issues/100-honcho-redis-v2 into main

2026-05-10 00:47:53 +02:00

codex commented

2026-05-10 00:29:11 +02:00

Collaborator

Canary status: missing — modules PR; fire canary 3+3 before merge

Canary Context Pack

Product story

Honcho Redis is part of the memory/runtime substrate for Iskra and Honcho. The platform catalog should describe its real runtime state after the RS 2000 redeploy: authenticated Redis, persistent AOF/RDB enabled, and no raw Redis password value in Config.Cmd.

What changed

Upgraded modules/honcho-redis/module.yaml with Phase 02 v2 intent and runtime audit fields.
Set spec.runtime.statefulness: stateful based on --appendonly yes and --save 60 1.
Recorded observed image digest redis:7.4.7-alpine@sha256:02f2cc4882f8bf87c79a220ac958f58c700bdec0dfb9b9ea61b62fb0e8f1bfcf.
Added Redis data store metadata and REDIS_PASSWORD secret ref.
Added acknowledged risks for Redis persistence/restore expectations and the accepted interim env-var secret delivery state.

Why it changed

Issue #100 was previously deferred because honcho-redis exposed the raw Redis password in container argv. The operator manually redeployed the RS 2000 compose hotfix at 00:24 CEST; Packet O can now proceed with the updated statefulness decision.

Files touched

modules/honcho-redis/module.yaml

Relevant context

#100 — honcho-redis v2 cataloging
Packet O in prompts/codex-cleanup-122-124-2026-05-09.md
Operator update: catalog as stateful; config-file secret delivery deferred beyond tonight
modules/honcho-postgres/module.yaml read as local acknowledged-risk pattern

Runtime evidence

Sanitized RS 2000 checks after redeploy:

cmd_contains_redis_password_var=true
cmd_contains_secret_env_value=false
requirepass_arg_is_var_ref=true
redacted command shape: redis-server --appendonly yes --save 60 1 --requirepass <requirepass-arg-redacted>
secret_env_keys=REDIS_PASSWORD
unauth_ping=NOAUTH
auth_ping=PONG
appendonly=yes
save_config=60 1
dbsize=0
image repo digest: redis@sha256:02f2cc4882f8bf87c79a220ac958f58c700bdec0dfb9b9ea61b62fb0e8f1bfcf

Known constraints

The Redis password is now delivered through an environment variable, not a raw argv value. That is an accepted interim state, not the final hardening design. A mounted config-file approach is deferred and intentionally out of scope for this PR.

Explicit out-of-scope

Editing RS 2000 compose or the legacy /opt/vps-home-platform-infra worktree
Config-file based Redis secret delivery
Runbook changes
Honcho API or Honcho Deriver manifest changes
Canary execution and merge

Requested decision

Approve this as the #100 cataloging PR if the manifest accurately reflects runtime and the interim secret delivery risk is visible enough.

Merge blockers

Evidence that Config.Cmd contains the raw Redis password value, not just $REDIS_PASSWORD.
Evidence that Redis persistence is disabled or should not be cataloged as stateful.
Schema/L4 validation failure.

Verification

PYTHONPATH=control-plane python3 -m platformctl.tools.validate_module modules/honcho-redis/module.yaml -> YAML parsed, schema v2 valid
PYTHONPATH=control-plane python3 -m pytest tests/test_l4_verify.py -q --tb=short -k 'honcho-redis or yaml_syntax_valid' -> 92 passed, 235 deselected in 2.25s
tests/smoke.sh honcho-redis -> 4 PASS, 0 FAIL, 3 SKIP
tests/run-verify.sh -> 312 passed, 15 skipped in 129.21s (0:02:09)
git diff --check -> passed

Spec sources read

docs/forgejo-agent-operations.md - mandatory Forgejo/identity contract
Issue #100 body - scope, allowed touched path, acceptance criteria
prompts/codex-cleanup-122-124-2026-05-09.md Packet O - retry instructions and stop conditions
prompts/codex-wave-2-v2-cataloging-2026-05-09.md Packet H - original #100 packet
modules/honcho-redis/module.yaml - edited manifest
modules/honcho-redis/runbook.md - runtime/container context only; not edited
schema/module.schema.v2.json and schema/module.schema.json - field constraints
AGENTS.md - Phase 02 v2 field requirements
modules/honcho-postgres/module.yaml - additional file read to mirror acknowledged-risk pattern per operator instruction
modules/honcho-api/module.yaml and modules/honcho-deriver/module.yaml - adjacent Honcho dependency context

Closes #100

Canary status: missing — modules PR; fire canary 3+3 before merge ## Canary Context Pack ### Product story Honcho Redis is part of the memory/runtime substrate for Iskra and Honcho. The platform catalog should describe its real runtime state after the RS 2000 redeploy: authenticated Redis, persistent AOF/RDB enabled, and no raw Redis password value in `Config.Cmd`. ### What changed - Upgraded `modules/honcho-redis/module.yaml` with Phase 02 v2 intent and runtime audit fields. - Set `spec.runtime.statefulness: stateful` based on `--appendonly yes` and `--save 60 1`. - Recorded observed image digest `redis:7.4.7-alpine@sha256:02f2cc4882f8bf87c79a220ac958f58c700bdec0dfb9b9ea61b62fb0e8f1bfcf`. - Added Redis data store metadata and `REDIS_PASSWORD` secret ref. - Added acknowledged risks for Redis persistence/restore expectations and the accepted interim env-var secret delivery state. ### Why it changed Issue #100 was previously deferred because honcho-redis exposed the raw Redis password in container argv. The operator manually redeployed the RS 2000 compose hotfix at 00:24 CEST; Packet O can now proceed with the updated statefulness decision. ### Files touched - `modules/honcho-redis/module.yaml` ### Relevant context - #100 — honcho-redis v2 cataloging - Packet O in `prompts/codex-cleanup-122-124-2026-05-09.md` - Operator update: catalog as `stateful`; config-file secret delivery deferred beyond tonight - `modules/honcho-postgres/module.yaml` read as local acknowledged-risk pattern ### Runtime evidence Sanitized RS 2000 checks after redeploy: - `cmd_contains_redis_password_var=true` - `cmd_contains_secret_env_value=false` - `requirepass_arg_is_var_ref=true` - redacted command shape: `redis-server --appendonly yes --save 60 1 --requirepass <requirepass-arg-redacted>` - `secret_env_keys=REDIS_PASSWORD` - `unauth_ping=NOAUTH` - `auth_ping=PONG` - `appendonly=yes` - `save_config=60 1` - `dbsize=0` - image repo digest: `redis@sha256:02f2cc4882f8bf87c79a220ac958f58c700bdec0dfb9b9ea61b62fb0e8f1bfcf` ### Known constraints The Redis password is now delivered through an environment variable, not a raw argv value. That is an accepted interim state, not the final hardening design. A mounted config-file approach is deferred and intentionally out of scope for this PR. ### Explicit out-of-scope - Editing RS 2000 compose or the legacy `/opt/vps-home-platform-infra` worktree - Config-file based Redis secret delivery - Runbook changes - Honcho API or Honcho Deriver manifest changes - Canary execution and merge ### Requested decision Approve this as the #100 cataloging PR if the manifest accurately reflects runtime and the interim secret delivery risk is visible enough. ### Merge blockers - Evidence that `Config.Cmd` contains the raw Redis password value, not just `$REDIS_PASSWORD`. - Evidence that Redis persistence is disabled or should not be cataloged as `stateful`. - Schema/L4 validation failure. ## Verification - `PYTHONPATH=control-plane python3 -m platformctl.tools.validate_module modules/honcho-redis/module.yaml` -> YAML parsed, schema v2 valid - `PYTHONPATH=control-plane python3 -m pytest tests/test_l4_verify.py -q --tb=short -k 'honcho-redis or yaml_syntax_valid'` -> `92 passed, 235 deselected in 2.25s` - `tests/smoke.sh honcho-redis` -> `4 PASS, 0 FAIL, 3 SKIP` - `tests/run-verify.sh` -> `312 passed, 15 skipped in 129.21s (0:02:09)` - `git diff --check` -> passed ## Spec sources read - `docs/forgejo-agent-operations.md` - mandatory Forgejo/identity contract - Issue #100 body - scope, allowed touched path, acceptance criteria - `prompts/codex-cleanup-122-124-2026-05-09.md` Packet O - retry instructions and stop conditions - `prompts/codex-wave-2-v2-cataloging-2026-05-09.md` Packet H - original #100 packet - `modules/honcho-redis/module.yaml` - edited manifest - `modules/honcho-redis/runbook.md` - runtime/container context only; not edited - `schema/module.schema.v2.json` and `schema/module.schema.json` - field constraints - `AGENTS.md` - Phase 02 v2 field requirements - `modules/honcho-postgres/module.yaml` - additional file read to mirror acknowledged-risk pattern per operator instruction - `modules/honcho-api/module.yaml` and `modules/honcho-deriver/module.yaml` - adjacent Honcho dependency context Closes #100

codex added 1 commit

2026-05-10 00:29:11 +02:00

feat(modules): catalog honcho-redis v2

canary-required / collect-diff (pull_request) Successful in 4s

Details

canary-required / canary (pull_request) Successful in 12s

Details

27ae5b2ea6