Link to state-hub and hosteurope integration
This commit is contained in:
parent
03f1d35ff4
commit
5187e63504
2 changed files with 425 additions and 0 deletions
214
CLAUDE.md
Normal file
214
CLAUDE.md
Normal file
|
|
@ -0,0 +1,214 @@
|
|||
# RailianceHosts — Claude Code Instructions
|
||||
|
||||
## Custodian State Hub Integration
|
||||
|
||||
This project is tracked as the **railiance** domain in the Custodian State Hub.
|
||||
Hub topic ID: `ca369340-a64e-442e-98f1-a4fa7dc74a38`
|
||||
|
||||
The State Hub runs locally at http://127.0.0.1:8000. The MCP server (`state-hub`)
|
||||
exposes tools for reading and writing state without touching the API directly.
|
||||
|
||||
---
|
||||
|
||||
### Session Protocol
|
||||
|
||||
**On receiving your first message — before writing any response text — execute
|
||||
this orientation sequence. Do not greet, do not ask what to do first.**
|
||||
|
||||
**Step 1 — Call the State Hub**
|
||||
```
|
||||
get_domain_summary("railiance") # workstreams, blocking decisions, recent progress, SBOM status
|
||||
```
|
||||
If the call fails, the API is offline: `cd ~/the-custodian/state-hub && make api`
|
||||
|
||||
**Step 2 — Scan local workplans**
|
||||
|
||||
Read every `.md` file under `workplans/`. Use `Glob(pattern="**/*.md", path="workplans/")`
|
||||
or Bash `ls workplans/` to discover them. For each file with `status: active`,
|
||||
extract and note:
|
||||
- The workplan title and ID
|
||||
- All tasks whose `status` is `todo` or `in_progress`
|
||||
|
||||
**Step 3 — Present orientation to the user**
|
||||
|
||||
Output a concise brief covering:
|
||||
1. **Active workstreams** (from state hub) for the `railiance` domain — title,
|
||||
task counts, any blocking decisions
|
||||
2. **Pending tasks for this repo** — from local `workplans/` files (Step 2)
|
||||
plus any state hub tasks with `[repo:railiance-hosts]` in their title
|
||||
3. **Goal guidance** — if the summary contains a `goal_guidance` key, act on it:
|
||||
- **`needs_workplan`** entries: for each active repo goal with no linked workstream,
|
||||
surface it as the top suggested action — *"Repo goal '{title}' has no workplan yet.
|
||||
Suggest: create workplans/RAIL-HO-WP-NNNN-<slug>.md and register a workstream
|
||||
with repo_goal_id='{goal_id}'"*. Treat this as higher priority than continuing
|
||||
existing work unless Bernd says otherwise.
|
||||
- **`alignment_warnings`** entries: if active workstreams exist but are not linked
|
||||
to the current repo goal, name the most recently active one and note:
|
||||
*"Current work on '{recent_workstream_title}' may not be aligned with the active
|
||||
goal '{active_goal_title}'. Continue unless you hear otherwise — but flag it."*
|
||||
4. **Suggested next action** — the highest-priority open item across all sources,
|
||||
with goal alignment taken into account
|
||||
5. **SBOM status** — is `last_sbom_at` set for this repo? If not, note it as a gap
|
||||
|
||||
If there are no workstreams at all: follow the First Session Protocol below.
|
||||
|
||||
**During work:**
|
||||
- Use `record_decision()` for any decision that affects direction or dependencies.
|
||||
- Use `add_progress_event()` for notable events (milestones, blockers, insights).
|
||||
- Use `resolve_decision()` to close a decision once the choice is made.
|
||||
|
||||
> **Design boundary:** The State Hub is a *read model*. Two write operations are
|
||||
> permanently sanctioned: **Resolving Decisions** and **Suggesting Next Steps**.
|
||||
> The bootstrap tools (`create_workstream`, `create_task`, `update_task_status`)
|
||||
> are only for First Session Protocol. Formal work structure — workplans, tasks —
|
||||
> belongs in the domain repo as files (ADR-001), not managed through the hub alone.
|
||||
|
||||
**At the end of every session:**
|
||||
- Call `add_progress_event()` with a summary of what was accomplished or decided.
|
||||
Include `topic_id: ca369340-a64e-442e-98f1-a4fa7dc74a38` and the relevant `workstream_id`.
|
||||
|
||||
---
|
||||
|
||||
### Repo Boundary Rule
|
||||
|
||||
This agent is responsible for files **in this repo only**.
|
||||
|
||||
- **Do not** write files or make commits in any other repository
|
||||
- **Do not** create workplan files in other repos on their behalf
|
||||
- When you identify work for another registered repo (**ecosystem todo**):
|
||||
create a state hub task with `[repo:<slug>]` in the title — the other repo's
|
||||
agent will see it at session start and create its own workplan
|
||||
- When you identify work for an upstream repo (**third-party todo**):
|
||||
create a contribution artifact in `contrib/` and register it
|
||||
|
||||
Terminology and workflows: `http://localhost:3000/docs/inter-repo-communication`
|
||||
|
||||
---
|
||||
|
||||
### First Session Protocol
|
||||
|
||||
Triggered when `get_domain_summary("railiance")` shows **no workstreams** for the `railiance`
|
||||
topic. The project is registered but work has not yet been structured.
|
||||
|
||||
**Step 1 — Understand the project (read, don't write)**
|
||||
- `~/the-custodian/canon/projects/railiance/project_charter_v0.1.md` — purpose, scope
|
||||
- `~/the-custodian/canon/projects/railiance/roadmap_v0.1.md` — planned phases
|
||||
- Scan the repo root: README, directory structure, existing code or docs
|
||||
|
||||
**Step 2 — Survey in-progress work**
|
||||
- Look for TODOs, open branches, half-finished files, notes
|
||||
- Note what is already done vs. what is clearly started but incomplete
|
||||
|
||||
**Step 3 — Propose workstreams to Bernd**
|
||||
Propose 1–3 workstreams — each a coherent strand of work lasting weeks to months,
|
||||
named clearly, anchored to a roadmap phase. **Wait for approval before creating.**
|
||||
|
||||
**Step 4 — Create workplan file first, then DB record**
|
||||
Per ADR-001, work items originate as files in the repo:
|
||||
```
|
||||
workplans/RAIL-HO-WP-NNNN-<slug>.md ← write this first
|
||||
```
|
||||
Then register in the hub:
|
||||
```
|
||||
create_workstream(topic_id="ca369340-a64e-442e-98f1-a4fa7dc74a38", title="...", owner="...", description="...")
|
||||
create_task(workstream_id="<id>", title="...", priority="high|medium|low")
|
||||
```
|
||||
|
||||
**Step 5 — Record the setup**
|
||||
```
|
||||
add_progress_event(
|
||||
summary="First session: structured railiance work into N workstreams, M tasks",
|
||||
event_type="milestone",
|
||||
topic_id="ca369340-a64e-442e-98f1-a4fa7dc74a38",
|
||||
detail={"workstreams": [...], "tasks_created": M}
|
||||
)
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
### Workplan Convention (ADR-001)
|
||||
|
||||
Work items MUST originate as files in this repo before being registered in the hub.
|
||||
|
||||
**File location:** `workplans/<ID>-<slug>.md`
|
||||
**Frontmatter required:** `id`, `type: workplan`, `domain`, `repo`, `status`,
|
||||
`state_hub_workstream_id`, `state_hub_task_id` (per task)
|
||||
|
||||
When another domain's agent identifies work for this repo, it creates a state hub
|
||||
task with `[repo:railiance-hosts]` in the title (an **ecosystem todo**). You will
|
||||
see it at session start via `get_domain_summary("railiance")`. When you pick it up, create
|
||||
the corresponding workplan file in `workplans/` (ADR-001) and begin work.
|
||||
|
||||
---
|
||||
|
||||
### Contribution Tracking
|
||||
|
||||
Track upstream contributions in `contrib/` — bug reports (BR), feature requests
|
||||
(FR), extension-point proposals (EP), upstream PRs (UPR).
|
||||
|
||||
```
|
||||
contrib/
|
||||
bug-reports/ # br-YYYY-MM-DD--org--repo--slug.md
|
||||
feature-requests/ # fr-YYYY-MM-DD--org--repo--slug.md
|
||||
extension-points/ # EP-RAIL-NNN--org--repo--slug.md
|
||||
upstream-prs/ # upr-YYYY-MM-DD--org--repo--slug.md
|
||||
```
|
||||
|
||||
Templates: `~/the-custodian/canon/standards/contrib-templates/`
|
||||
Convention: `~/the-custodian/canon/standards/contribution-convention_v0.1.md`
|
||||
|
||||
```
|
||||
register_contribution(type="br|fr|ep|upr", title="...", target_org="...",
|
||||
target_repo="...", body_path="contrib/...", related_workstream_id="<uuid>")
|
||||
update_contribution_status(contribution_id="<uuid>", status="submitted")
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
### SBOM
|
||||
|
||||
After updating dependencies, re-ingest the SBOM:
|
||||
```bash
|
||||
cd ~/the-custodian/state-hub
|
||||
make ingest-sbom REPO=railiance-hosts SCAN=1 REPO_PATH=$(pwd)
|
||||
```
|
||||
|
||||
Check compliance: `http://localhost:3000/repos`
|
||||
Standard: `~/the-custodian/canon/standards/sbom-convention_v0.1.md`
|
||||
|
||||
---
|
||||
|
||||
### Remote Execution & State Hub Tunnel
|
||||
|
||||
This repo is designed to be worked on **from the HostEurope server** (or any
|
||||
remote Linux box with access to the managed hosts). The State Hub runs locally
|
||||
on Bernd's workstation at `127.0.0.1:8000` and is not publicly reachable.
|
||||
|
||||
**Before SSHing to the remote server, start a reverse tunnel on your local machine:**
|
||||
|
||||
```bash
|
||||
ssh -R 8000:127.0.0.1:8000 <user>@<remote-host>
|
||||
```
|
||||
|
||||
This forwards the remote's `localhost:8000` back to your local State Hub.
|
||||
Claude on the remote host then reaches the MCP server and `get_domain_summary`
|
||||
work as normal.
|
||||
|
||||
**Verify the tunnel is live from the remote:**
|
||||
|
||||
```bash
|
||||
curl http://127.0.0.1:8000/state/health
|
||||
# expected: {"status":"ok"}
|
||||
```
|
||||
|
||||
**If the tunnel is not up (degraded mode):**
|
||||
The State Hub call in Step 1 will fail. In that case:
|
||||
- Skip Step 1 — proceed from local workplans only (Step 2)
|
||||
- Note that goal guidance and progress logging will be unavailable
|
||||
- Log any progress events manually from your local machine after the session
|
||||
|
||||
---
|
||||
|
||||
### Quick Reference
|
||||
|
||||
`~/the-custodian/state-hub/mcp_server/TOOLS.md` — compact MCP tool reference
|
||||
211
workplans/RAIL-HO-WP-0001-hosteurope-bootstrap.md
Normal file
211
workplans/RAIL-HO-WP-0001-hosteurope-bootstrap.md
Normal file
|
|
@ -0,0 +1,211 @@
|
|||
---
|
||||
id: RAIL-HO-WP-0001
|
||||
type: workplan
|
||||
title: "Secure Single-Server Bootstrap at HostEurope"
|
||||
domain: railiance
|
||||
repo: railiance-hosts
|
||||
status: active
|
||||
owner: railiance
|
||||
topic_slug: railiance
|
||||
repo_goal_id: 9e835b82-acca-493a-943f-2553ffe0bf54
|
||||
state_hub_workstream_id: "bf40b47e-be5b-4930-a7d2-362e76b943bb"
|
||||
created: "2026-03-08"
|
||||
updated: "2026-03-08"
|
||||
handoff_note: >
|
||||
T01 and T02 (inventory entry and SSH tunnel setup) are prerequisites to run
|
||||
T03 onwards from the HostEurope server itself. The ansible work previously
|
||||
done in railiance-bootstrap (harden.yml, bootstrap.yml) is superseded by
|
||||
the roles/base and roles/sops_agent structure in this repo. The HostEurope
|
||||
server IP is 92.205.62.239 (hosts.ini is gitignored — recreate from
|
||||
inventory/servers.yaml when working on the host).
|
||||
---
|
||||
|
||||
# Secure Single-Server Bootstrap at HostEurope
|
||||
|
||||
## Goal
|
||||
|
||||
Provision and converge the HostEurope server so that it becomes a secure,
|
||||
hardened node ready to join the ThreePhoenix Kubernetes cluster. This workplan
|
||||
covers everything from establishing SSH access and tunnel connectivity through a
|
||||
fully converged, verified server — all secrets managed via SOPS/age, all
|
||||
services secured from the start.
|
||||
|
||||
Scope is deliberately narrow: one server, secure from day one. Automated
|
||||
provisioning of additional server resources and the full three-node setup
|
||||
are deferred.
|
||||
|
||||
## Boundary conditions
|
||||
|
||||
- Ubuntu 24.04 LTS at HostEurope (92.205.62.239), manually provisioned
|
||||
- All remote access key-based only (no password auth)
|
||||
- Firewall active before k3s is installed
|
||||
- Secrets managed via SOPS/age — nothing committed in plaintext
|
||||
- This workplan is **run from the HostEurope server** via SSH, not from WSL
|
||||
|
||||
## Remote execution setup
|
||||
|
||||
This repo is intended to run from the HostEurope server itself. To retain
|
||||
State Hub connectivity during Claude sessions on that server, set up an SSH
|
||||
reverse tunnel from your local machine before connecting:
|
||||
|
||||
```bash
|
||||
# On your local machine — forward local state-hub to the remote
|
||||
ssh -R 8000:127.0.0.1:8000 <user>@92.205.62.239
|
||||
```
|
||||
|
||||
Then Claude on the remote host can reach `http://127.0.0.1:8000` as normal.
|
||||
See also: the tunnel setup note in `CLAUDE.md`.
|
||||
|
||||
---
|
||||
|
||||
## Tasks
|
||||
|
||||
### T01 — Add HostEurope host to inventory
|
||||
|
||||
```task
|
||||
id: T01
|
||||
status: done
|
||||
completed: "2026-03-08"
|
||||
priority: high
|
||||
state_hub_task_id: "9b2222a3-0f9f-4543-9321-e4cd5f87a457"
|
||||
```
|
||||
|
||||
Add the HostEurope host to `inventory/servers.yaml` under a `hosteurope` group.
|
||||
Create `ansible/hosts.ini` from the inventory (gitignored — recreate on each
|
||||
new working machine):
|
||||
|
||||
```bash
|
||||
python3 ansible/inventory_from_yaml.py > ansible/hosts.ini
|
||||
# or add manually: [hosteurope]\n92.205.62.239 ansible_user=...
|
||||
```
|
||||
|
||||
Verify connectivity:
|
||||
|
||||
```bash
|
||||
ansible -i ansible/hosts.ini hosteurope -m ping
|
||||
```
|
||||
|
||||
**Done when:** ping succeeds from a control node with network access to the host.
|
||||
|
||||
---
|
||||
|
||||
### T02 — Set up SSH tunnel for State Hub access
|
||||
|
||||
```task
|
||||
id: T02
|
||||
status: todo
|
||||
priority: high
|
||||
state_hub_task_id: "e4dda416-19bc-4672-b9ba-8ddb1b9e9659"
|
||||
```
|
||||
|
||||
On your local machine, establish a reverse tunnel before SSH-ing to the
|
||||
HostEurope server so the State Hub MCP server is reachable from Claude
|
||||
sessions on that host:
|
||||
|
||||
```bash
|
||||
ssh -R 8000:127.0.0.1:8000 <user>@92.205.62.239
|
||||
```
|
||||
|
||||
Verify the tunnel is working from the remote:
|
||||
|
||||
```bash
|
||||
curl http://127.0.0.1:8000/state/health
|
||||
```
|
||||
|
||||
**Done when:** health check returns `{"status":"ok"}` from the HostEurope server.
|
||||
|
||||
---
|
||||
|
||||
### T03 — Extend base role with security hardening
|
||||
|
||||
```task
|
||||
id: T03
|
||||
status: todo
|
||||
priority: high
|
||||
state_hub_task_id: "6eda6875-1301-4794-a07e-3e13ff1d92bf"
|
||||
```
|
||||
|
||||
Extend `ansible/roles/base/tasks/main.yml` to cover security hardening that
|
||||
must run before any service installation:
|
||||
|
||||
- Disable root SSH login (`PermitRootLogin no`)
|
||||
- Disable password authentication (`PasswordAuthentication no`)
|
||||
- Enable and configure UFW: deny all inbound, allow SSH (22), k3s API (6443),
|
||||
Flannel VXLAN (8472/UDP)
|
||||
- Install and enable `fail2ban` with SSH jail
|
||||
- Set `HISTCONTROL=ignorespace` in `/etc/profile.d/`
|
||||
|
||||
Verify with:
|
||||
```bash
|
||||
ansible-playbook -i ansible/hosts.ini -l hosteurope ansible/playbooks/bootstrap.yaml --check
|
||||
```
|
||||
|
||||
**Done when:** dry-run produces no errors and hardening tasks are visible in
|
||||
the play recap.
|
||||
|
||||
---
|
||||
|
||||
### T04 — Run bootstrap on the HostEurope host
|
||||
|
||||
```task
|
||||
id: T04
|
||||
status: todo
|
||||
priority: high
|
||||
state_hub_task_id: "77921431-3a45-45b2-a0b0-cf0c43262205"
|
||||
```
|
||||
|
||||
Execute the full bootstrap playbook from the HostEurope server (tunnel must
|
||||
be active per T02):
|
||||
|
||||
```bash
|
||||
ansible-playbook -i ansible/hosts.ini -l hosteurope ansible/playbooks/bootstrap.yaml
|
||||
```
|
||||
|
||||
**Done when:**
|
||||
- Playbook completes with no failed tasks
|
||||
- UFW is active and SSH still works after the run
|
||||
- SOPS agent role applied successfully
|
||||
|
||||
---
|
||||
|
||||
### T05 — Smoke test and record
|
||||
|
||||
```task
|
||||
id: T05
|
||||
status: todo
|
||||
priority: medium
|
||||
state_hub_task_id: "c573c200-bf22-49d1-86f9-dca1fc71743c"
|
||||
```
|
||||
|
||||
Verify the converged state:
|
||||
|
||||
```bash
|
||||
# Confirm UFW active
|
||||
ansible -i ansible/hosts.ini hosteurope -m shell -a "ufw status"
|
||||
# Confirm fail2ban running
|
||||
ansible -i ansible/hosts.ini hosteurope -m shell -a "systemctl is-active fail2ban"
|
||||
# Confirm SSH hardening applied
|
||||
ansible -i ansible/hosts.ini hosteurope -m shell -a "sshd -T | grep -E 'permitrootlogin|passwordauthentication'"
|
||||
```
|
||||
|
||||
Add `docs/hosteurope-bootstrap.md` recording:
|
||||
- Server specs (vCPU, RAM, disk)
|
||||
- Public IP (no credentials)
|
||||
- Date bootstrapped
|
||||
- Roles applied
|
||||
|
||||
Log completion to the State Hub:
|
||||
```
|
||||
add_progress_event(summary="HostEurope server bootstrapped and hardened",
|
||||
event_type="milestone", workstream_id="bf40b47e-be5b-4930-a7d2-362e76b943bb")
|
||||
```
|
||||
|
||||
**Done when:** all checks pass and the progress event is logged.
|
||||
|
||||
---
|
||||
|
||||
## References
|
||||
|
||||
- Repo goal: `9e835b82-acca-493a-943f-2553ffe0bf54`
|
||||
- Domain goal: `6f96c712-60e6-4ea9-ab06-168878eafbce` (Three-Phoenix Secure Kubernetes Infrastructure)
|
||||
- Previous ansible work: `railiance-bootstrap/ansible/` (harden.yml, bootstrap.yml — superseded by this repo's role structure)
|
||||
Loading…
Add table
Add a link
Reference in a new issue