forge: mirror applied config repos to a private agent-configs org
on startup (and after every applied-repo ref mutation) core pushes each agent's hive-c0re-owned applied repo — main plus every proposal/approved/building/deployed/failed/denied tag — to agent-configs/<name> on the local forge. the org is private and agents are not members, so core is the only principal that can read it. the tokenised push url is passed inline, never stored as a named remote: the applied repo is bind-mounted read-only into the manager, so a token in .git/config would leak the core admin credential to an agent. push_config is best-effort at every site (ensure_all, spawn, approve, deny, submit) — a missing or down forge never blocks a deploy.
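The push-without-a-stored-remote shape the commit message describes, as an added shell example that is not hive-c0re's own `forge::push_config` (which lives in the project's Rust code). It assumes the forge token arrives in a `FORGE_TOKEN` environment variable, that the forge accepts the token as an HTTPS basic-auth password under a placeholder `token` user, and uses a local bare repository reached over `file://` as a stand-in for the forge so it runs offline; `push_url`, `push_config`, `no_stored_token` and `make_fixture` are names chosen for this illustration.

```shell
#!/bin/sh
# Added example (not hive-c0re's forge::push_config): mirror an applied config
# repo, main plus every tag, to a forge URL with git push --force, building the
# tokenised URL at call time and never storing it as a named remote.
# Assumptions: token in FORGE_TOKEN; forge takes the token as a basic-auth
# password under the placeholder user "token"; the push is best-effort.

# Build the push URL for this one push only. Nothing credential-bearing is
# written to the applied repo's .git/config, which is bind-mounted into agents.
push_url() {
  base="$1"   # e.g. https://forge.example.invalid/agent-configs/<name>.git (placeholder)
  case "$base" in
    https://*) if [ -n "${FORGE_TOKEN:-}" ]; then
                 printf 'https://token:%s@%s\n' "$FORGE_TOKEN" "${base#https://}"
               else
                 printf '%s\n' "$base"
               fi ;;
    *)         printf '%s\n' "$base" ;;   # file:// stand-in used by the fixture
  esac
}

# Mirror main plus every tag with --force. Always returns 0: a missing or
# unreachable forge must never block the caller (warn + continue).
push_config() {
  repo="$1"; base="$2"
  url=$(push_url "$base")
  if git -C "$repo" push --force --quiet "$url" \
        'refs/heads/main:refs/heads/main' 'refs/tags/*:refs/tags/*' 2>/dev/null; then
    return 0
  fi
  echo "warn: push_config: mirror to $base failed (continuing)" >&2
  return 0
}

# Hygiene check for the leak the commit avoids: no stored remote URL in the
# applied repo may carry credentials (a user:token@ part). Returns 1 if one does.
no_stored_token() {
  repo="$1"
  if git -C "$repo" config --local --get-regexp '^remote\..*\.url$' 2>/dev/null | grep -q '@'; then
    return 1
  fi
  return 0
}

# Constructed fixture: a tiny applied repo with two lifecycle tags and a bare
# "forge" repo, both under the directory given, so the functions above can be
# exercised offline.
make_fixture() {
  root="$1"
  src="$root/applied"; dst="$root/forge/agent-configs/demo.git"
  mkdir -p "$src" "$dst"
  git -C "$src" init --quiet
  git -C "$src" symbolic-ref HEAD refs/heads/main
  printf 'model: demo\n' > "$src/agent.yaml"
  git -C "$src" -c user.name=core -c user.email=core@example.invalid add agent.yaml
  git -C "$src" -c user.name=core -c user.email=core@example.invalid commit --quiet -m 'initial'
  git -C "$src" tag proposal/1
  git -C "$src" tag deployed/1
  git init --quiet --bare "$dst"
}
```

Because the URL is an argument to `git push`, it exists only for that process; `no_stored_token` is the check to run in tests to make sure nobody later "helpfully" adds `git remote add forge <tokenised url>`, which would put the credential into the read-only mount every agent can read.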
This commit is contained in:
parent
1529c2d777
commit
5aad2d67e1
4 changed files with 185 additions and 27 deletions
28
CLAUDE.md
|
|
@ -183,6 +183,34 @@ read them à la carte.
|
|||
In-flight or recent context that hasn't earned a section yet.
|
||||
Prune freely.
|
||||
|
||||
- **Just landed:** applied config repos mirrored to the
|
||||
forge. New private `agent-configs` Forgejo org (renamed
|
||||
from the unused `agents` org in `SEEDED_ORGS`); core is the
|
||||
only principal with access (site admin + private repos +
|
||||
agents not members). `forge::push_config(name)` mirrors an
|
||||
agent's hive-c0re-owned applied repo — `main` + every tag
|
||||
(proposal/approved/building/deployed/failed/denied) — to
|
||||
`agent-configs/<name>.git` via `git push --force`. The
|
||||
tokenised URL is passed inline per push, never stored as a
|
||||
named remote: the applied repo is RO-bind-mounted into the
|
||||
manager at `/applied`, so a token in `.git/config` would
|
||||
leak core's admin credential to an agent. Call sites:
|
||||
`forge::ensure_all` (startup, per agent — catches migrate +
|
||||
offline-forge drift), the spawn task in `actions::approve`
|
||||
(+ `ensure_config_repo`), `actions::approve` ApplyCommit
|
||||
branch, `actions::deny` ApplyCommit branch, and
|
||||
`manager_server::submit_apply_commit`. All best-effort
|
||||
(warn + continue). `ensure_repo` refactored to share a
|
||||
`create_repo` helper with the new `ensure_org_repo`.
|
||||
- **Just landed:** answer questions inline from the per-agent
|
||||
web page. Question rows in the loose-ends section grew a
|
||||
textarea + send button; the operator answers as operator by
|
||||
POSTing cross-origin to the core dashboard's
|
||||
`/answer-question/{id}` (CORS shim `with_cors` on that
|
||||
route), never the per-agent socket — keeps the
|
||||
operator-authority path off the agent's own socket. See
|
||||
`TODO-ops.md` for the boundary rationale + the deployment/
|
||||
gateway/privsep cluster.
|
||||
- **Just landed:** sub-agents get a read-only view of their own
|
||||
config repo. `set_nspawn_flags` now adds
|
||||
`--bind-ro={proposed_dir}:/agents/<name>/config` for every
|
||||
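Review bot: the first new bullet (`forge::push_config`) says the tokenised URL is "passed inline per push", which keeps it out of `.git/config`, but a URL argument to `git push` is still visible in that git process's command line (`/proc/<pid>/cmdline`) for the duration of the push; if the manager containers can see core's process table that is a second leak path for the admin token, so the bullet should state how the token actually reaches git (argv, or `GIT_ASKPASS`/a credential helper fed from the environment, which avoids argv entirely). Two smaller documentation points in the same bullet: `git push --force` of `main` plus the current tags does not prune tags that were deleted locally, so `agent-configs/<name>.git` is a convenience copy rather than an exact replica, worth saying so nobody treats it as the audit trail; and the second bullet's `with_cors` shim on `/answer-question/{id}` should record what authenticates the operator on that cross-origin POST and that the allowed origin is limited to the per-agent pages rather than `*`.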