From 15b37b675617fcfd3a73fe17174ad5ba116e8fe8 Mon Sep 17 00:00:00 2001 From: architect-bot Date: Thu, 16 Apr 2026 02:15:24 +0000 Subject: [PATCH 1/3] sprint: add edge-subpath-chat.md --- sprints/edge-subpath-chat.md | 106 +++++++++++++++++++++++++++++++++++ 1 file changed, 106 insertions(+) create mode 100644 sprints/edge-subpath-chat.md diff --git a/sprints/edge-subpath-chat.md b/sprints/edge-subpath-chat.md new file mode 100644 index 0000000..c6e22fc --- /dev/null +++ b/sprints/edge-subpath-chat.md @@ -0,0 +1,106 @@ +# Sprint: edge-subpath-chat + +## Vision issues +- #623 — vision: subpath routing + Forgejo-OAuth-gated Claude chat inside the edge container + +## What this enables +After this sprint, an operator running `disinto edge register` gets a single URL — `.disinto.ai` — with Forgejo at `/forge/`, Woodpecker CI at `/ci/`, a staging preview at `/staging/`, and an OAuth-gated Claude Code chat at `/chat/`, all under one wildcard cert and one bootstrap password. The factory talks back to its operator through a chat window that sits next to the forge, CI, and live preview it is driving. + +## What exists today +The majority of this vision is already implemented across issues #704–#711: + +- **Subpath routing**: Caddyfile generator produces `/forge/*`, `/ci/*`, `/staging/*`, `/chat/*` handlers (`lib/generators.sh:780–822`). Forgejo `ROOT_URL` and Woodpecker `WOODPECKER_HOST` are set to subpath values when `EDGE_TUNNEL_FQDN` is present (`bin/disinto:842–847`). +- **Chat container**: Full OAuth flow via Forgejo, HttpOnly session cookies, forward_auth defense-in-depth with `FORWARD_AUTH_SECRET`, per-user rate limiting (hourly/daily/token caps), conversation history in NDJSON (`docker/chat/server.py`). +- **Sandbox hardening**: Read-only rootfs, `cap_drop: ALL`, `no-new-privileges`, `pids_limit: 128`, `mem_limit: 512m`, no Docker socket. Verification script at `tools/edge-control/verify-chat-sandbox.sh`. +- **Edge control plane**: Tunnel registration, port allocation, Caddy admin API routing, wildcard `*.disinto.ai` cert via DNS-01 (`tools/edge-control/`). +- **Dependencies #620/#621/#622**: Admin password prompt, edge control plane, and reverse tunnel — all implemented and merged. +- **Subdomain fallback plan**: Fully documented at `docs/edge-routing-fallback.md` with pivot criteria. + +## Complexity +- ~6 files touched across 3 subsystems (Caddy routing, chat backend, compose generation) +- Estimated 4 sub-issues +- ~90% gluecode (wiring existing pieces), ~10% greenfield (WebSocket streaming, end-to-end smoke test) + +## Risks +- **Forgejo/Woodpecker subpath breakage**: Neither service is battle-tested under subpaths in this stack. Redirect loops, OAuth callback mismatches, or asset 404s are plausible. Mitigation: the fallback plan (`docs/edge-routing-fallback.md`) is already documented and estimated at under one day to pivot. +- **Cookie/CSRF collision**: Forgejo and chat share the same origin — cookie names or CSRF tokens could collide. Mitigation: chat uses a namespaced cookie (`disinto_chat_session`) and a separate OAuth app. +- **Streaming latency**: One-shot `claude --print` blocks until completion. Long responses leave the operator staring at a spinner. Not a correctness risk, but a UX risk that WebSocket streaming would fix. + +## Cost — new infra to maintain +- **No new services** — all containers already exist in the compose stack +- **No new scheduled tasks or formulas** — chat is a passive request handler +- **One new smoke test** (CI) — end-to-end subpath routing verification +- **Ongoing**: monitoring Forgejo/Woodpecker upstream for subpath regressions on upgrades + +## Recommendation +Worth it. The vision is ~80% implemented. The remaining work is integration hardening (confirming subpath routing works end-to-end with real Forgejo/Woodpecker) and one UX improvement (WebSocket streaming). The risk is low because a documented fallback to per-service subdomains exists. Ship this sprint to close the loop on the edge experience. + +## Sub-issues + + +- id: subpath-routing-smoke-test + title: "vision(#623): end-to-end subpath routing smoke test for Forgejo + Woodpecker + chat" + labels: [backlog] + depends_on: [] + body: | + ## Goal + Verify that Forgejo, Woodpecker, and chat all function correctly when served + under /forge/, /ci/, and /chat/ subpaths on a single domain. Catch redirect + loops, OAuth callback failures, and asset 404s before they hit production. + ## Acceptance criteria + - [ ] Forgejo login at /forge/ completes without redirect loops + - [ ] Forgejo OAuth callback for Woodpecker succeeds under subpath + - [ ] Woodpecker dashboard loads all assets at /ci/ (no 404s on JS/CSS) + - [ ] Chat OAuth login flow works at /chat/login + - [ ] Forward_auth on /chat/* rejects unauthenticated requests with 401 + - [ ] Staging content loads at /staging/ + - [ ] Root / redirects to /forge/ + - [ ] CI pipeline added to .woodpecker/ to run this test on edge-related changes + +- id: websocket-streaming-chat + title: "vision(#623): WebSocket streaming for chat UI to replace one-shot claude --print" + labels: [backlog] + depends_on: [subpath-routing-smoke-test] + body: | + ## Goal + Replace the blocking one-shot claude --print invocation in the chat backend with + a WebSocket connection that streams tokens to the UI as they arrive. + ## Acceptance criteria + - [ ] /chat/ws endpoint accepts WebSocket upgrade with valid session cookie + - [ ] /chat/ws rejects upgrade if session cookie is missing or expired + - [ ] Chat backend streams claude output over WebSocket as text frames + - [ ] UI renders tokens incrementally as they arrive + - [ ] Rate limiting still enforced on WebSocket messages + - [ ] Caddy proxies WebSocket upgrade correctly through /chat/ws with forward_auth + +- id: chat-working-dir-scoping + title: "vision(#623): scope Claude chat working directory to project staging checkout" + labels: [backlog] + depends_on: [subpath-routing-smoke-test] + body: | + ## Goal + Give the chat container Claude session read-write access to the project working + tree so the operator can inspect, explain, or modify code — scoped to that tree + only, with no access to factory internals, secrets, or Docker socket. + ## Acceptance criteria + - [ ] Chat container bind-mounts the project working tree as a named volume + - [ ] Claude invocation in server.py sets cwd to the workspace directory + - [ ] Claude permission mode is acceptEdits (not bypassPermissions) + - [ ] verify-chat-sandbox.sh updated to assert workspace mount exists + - [ ] Compose generator adds the workspace volume conditionally + +- id: subpath-fallback-automation + title: "vision(#623): automate subdomain fallback pivot if subpath routing fails" + labels: [backlog] + depends_on: [subpath-routing-smoke-test] + body: | + ## Goal + If the smoke test reveals unfixable subpath issues, automate the pivot to + per-service subdomains so the switch is a single config change. + ## Acceptance criteria + - [ ] generators.sh _generate_caddyfile_impl accepts EDGE_ROUTING_MODE env var + - [ ] In subdomain mode, Caddyfile emits four host blocks per edge-routing-fallback.md + - [ ] register.sh registers additional subdomain routes when EDGE_ROUTING_MODE=subdomain + - [ ] OAuth redirect URIs in ci-setup.sh respect routing mode + - [ ] .env template documents EDGE_ROUTING_MODE with a comment referencing the fallback doc + From 20abab0633b1e9d0690915ff1cdaa1e1292a2643 Mon Sep 17 00:00:00 2001 From: planner-bot Date: Fri, 17 Apr 2026 01:00:42 +0000 Subject: [PATCH 2/3] chore: migrate ops repo structure to canonical layout --- RESOURCES.md | 5 +++++ evidence/engagement/.gitkeep | 0 evidence/evolution/.gitkeep | 0 evidence/holdout/.gitkeep | 0 evidence/red-team/.gitkeep | 0 evidence/user-test/.gitkeep | 0 knowledge/.gitkeep | 0 portfolio.md | 5 +++++ sprints/.gitkeep | 0 vault/approved/.gitkeep | 0 vault/fired/.gitkeep | 0 vault/pending/.gitkeep | 0 vault/rejected/.gitkeep | 0 13 files changed, 10 insertions(+) create mode 100644 RESOURCES.md create mode 100644 evidence/engagement/.gitkeep create mode 100644 evidence/evolution/.gitkeep create mode 100644 evidence/holdout/.gitkeep create mode 100644 evidence/red-team/.gitkeep create mode 100644 evidence/user-test/.gitkeep create mode 100644 knowledge/.gitkeep create mode 100644 portfolio.md create mode 100644 sprints/.gitkeep create mode 100644 vault/approved/.gitkeep create mode 100644 vault/fired/.gitkeep create mode 100644 vault/pending/.gitkeep create mode 100644 vault/rejected/.gitkeep diff --git a/RESOURCES.md b/RESOURCES.md new file mode 100644 index 0000000..aae9292 --- /dev/null +++ b/RESOURCES.md @@ -0,0 +1,5 @@ +# RESOURCES + +## Overview + + diff --git a/evidence/engagement/.gitkeep b/evidence/engagement/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/evidence/evolution/.gitkeep b/evidence/evolution/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/evidence/holdout/.gitkeep b/evidence/holdout/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/evidence/red-team/.gitkeep b/evidence/red-team/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/evidence/user-test/.gitkeep b/evidence/user-test/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/knowledge/.gitkeep b/knowledge/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/portfolio.md b/portfolio.md new file mode 100644 index 0000000..7158d78 --- /dev/null +++ b/portfolio.md @@ -0,0 +1,5 @@ +# Portfolio + +## Overview + + diff --git a/sprints/.gitkeep b/sprints/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/vault/approved/.gitkeep b/vault/approved/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/vault/fired/.gitkeep b/vault/fired/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/vault/pending/.gitkeep b/vault/pending/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/vault/rejected/.gitkeep b/vault/rejected/.gitkeep new file mode 100644 index 0000000..e69de29 From fd940352fd77e27c348d10c7870d4cf78c30ee30 Mon Sep 17 00:00:00 2001 From: planner-bot Date: Fri, 17 Apr 2026 14:44:24 +0000 Subject: [PATCH 3/3] chore: planner run 2026-04-17 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Updated prerequisite tree: Nomad+Vault orchestration (Steps 0–4) DONE - #425 closed, #758 HUMAN_BLOCKED (ops repo branch protection) - Created vault/pending/disinto-ops-branch-protection.md - Created vault lifecycle directories (pending/, approved/, fired/, rejected/) - Closed #947 (already fixed by #948) - Graph: 224 nodes, 251 edges, healthy --- prerequisites.md | 32 +++++++++++++------ .../pending/disinto-ops-branch-protection.md | 24 ++++++++++++++ 2 files changed, 47 insertions(+), 9 deletions(-) create mode 100644 vault/pending/disinto-ops-branch-protection.md diff --git a/prerequisites.md b/prerequisites.md index d61ecf6..f133e13 100644 --- a/prerequisites.md +++ b/prerequisites.md @@ -1,5 +1,5 @@ # Prerequisite Tree - + ## Objective: Foundation — Core agent loop (dev → CI → review → merge) - [x] dev-agent picks up backlog issues (dev/dev-agent.sh exists) @@ -18,7 +18,7 @@ Status: DONE ## Objective: Foundation — Planner gap analysis against vision - [x] Planner formula exists (run-planner.toml v4) - [x] planner-run.sh cron wrapper exists -- [x] Planning runs established and maintaining prerequisite tree (run 1: 2026-04-05, run 2: 2026-04-08) +- [x] Planning runs established and maintaining prerequisite tree (runs 1–3) Status: DONE ## Objective: Foundation — Multi-project support @@ -29,7 +29,7 @@ Status: DONE ## Objective: Foundation — Knowledge graph for structural defect detection - [x] networkx package installed in agents container (#220 — closed) - [x] build-graph.py exists in lib/ -- [x] Graph report generating successfully (165 nodes, 137 edges as of 2026-04-08) +- [x] Graph report generating successfully (224 nodes, 251 edges as of 2026-04-17) Status: DONE ## Objective: Foundation — Predictor-planner adversarial feedback loop @@ -45,8 +45,10 @@ Status: DONE - [x] disinto init re-run stability (#158 — closed) - [x] disinto init repo creation API endpoint (#164 — closed) - [x] Prediction labels created during init (#225 — closed) -- [ ] Ops repo migration for existing deployments (#425 — backlog+priority) -Status: BLOCKED — #425 ops repo missing dirs on existing deployments +- [x] Ops repo migration issue filed (#425 — closed) +- [ ] Ops repo branch protection blocks remote writes (#758 — blocked, HUMAN_BLOCKED, blocked-on-vault vault/pending/disinto-ops-branch-protection.md) +- [ ] Re-seed ops repo directories (#820 — backlog+priority, blocked on #758) +Status: BLOCKED — #758 ops repo branch protection needs human admin action ## Objective: Adoption — Built-in Forgejo + Woodpecker CI - [x] Docker compose with Forgejo + Woodpecker @@ -54,26 +56,38 @@ Status: BLOCKED — #425 ops repo missing dirs on existing deployments - [x] WOODPECKER_HOST override fix (#178 — closed) Status: DONE +## Objective: Adoption — Nomad+Vault orchestration +- [x] Step 0: Nomad+Vault installers (cluster-up.sh, install.sh, vault-init.sh, lib-systemd.sh) +- [x] Step 1: Forgejo on Nomad (nomad/jobs/forgejo.hcl, deploy.sh, S1.3 wiring, S1.4 CI validation) +- [x] Step 2: Vault policies + secret import (S2.1–S2.6, plus fixes S2-A through S2-G) +- [x] Step 3: Woodpecker on Nomad (S3.1–S3.4 jobspecs + OAuth + wiring, plus fixes S3-1 through S3-5) +- [x] Step 4: Agents on Nomad (S4.1 agents.hcl with 7 roles + llama + vault-templated tokens, S4.2 --with agents wiring) +Status: DONE + ## Objective: Adoption — Landing page communicating value proposition - [x] Website addressable exists (disinto.ai) - [ ] Website observability — no engagement measurement (#426 — vision) Status: BLOCKED — no evidence process connected to website ## Objective: Adoption — Example project demonstrating full lifecycle -- [ ] No example project exists -- [ ] Requires verified bootstrap (#425) +- [ ] No example project exists (#697 — vision+priority) +- [ ] Requires verified bootstrap (blocked on #758/#820) Status: BLOCKED — depends on bootstrap completion and ops repo migration +## --- ADOPTION MILESTONE: IN PROGRESS --- + ## Objective: Ship (Fold 2) — Deploy profiles per artifact type - [ ] No deploy profiles defined - [x] CI pipeline working (Woodpecker OAuth fixed) +- [x] Nomad jobspec infrastructure available (Steps 1–4 complete) Status: BLOCKED — not started, needs design (vision-level) ## Objective: Ship (Fold 2) — Vault-gated fold transitions - [x] Vault redesign complete (#73-#77 — all closed) - [x] Vault PR workflow documented (docs/VAULT.md) -- [ ] Vault directories complete in ops repo (#425 — approved/fired/rejected missing) -Status: BLOCKED — #425 ops repo dirs needed for vault workflow +- [x] Vault + Nomad integration (template stanzas, JWT auth, policies) +- [ ] Vault lifecycle directories on remote ops repo (blocked on #758/#820) +Status: BLOCKED — #758/#820 ops repo dirs needed for vault workflow ## Objective: Ship (Fold 2) — Engagement measurement baked into deploy pipelines - [ ] No engagement measurement exists diff --git a/vault/pending/disinto-ops-branch-protection.md b/vault/pending/disinto-ops-branch-protection.md new file mode 100644 index 0000000..0f1dfb0 --- /dev/null +++ b/vault/pending/disinto-ops-branch-protection.md @@ -0,0 +1,24 @@ +# Request: Remove or relax ops repo branch protection + +## What +The `disinto-ops` repo has branch protection on `main` that requires approvals, but no bot account has merge permissions. All agent writes (prerequisites.md, planner-memory.md, vault items, evidence) have been accumulating locally only since planner run 2 (2026-04-08). + +## Why +Blocks #758, which blocks #820 (re-seed ops dirs), which blocks the vault lifecycle workflow, evidence collection, and planner remote persistence. The ops repo remote `main` has been frozen for 9 days. + +## Human action +1. Go to Forgejo admin: disinto-ops repo → Settings → Branches → Branch protection for `main` +2. Either: + a. Add `planner-bot` to the push/merge allowlist, OR + b. Remove branch protection from `disinto-ops` entirely (ops repo is internal, not public-facing) +3. Verify: `planner-bot` can push to `origin/main` on `disinto-ops` + +## Factory will then +- Close #758 (ops repo branch protection) +- Execute #820 (re-seed ops dirs: vault/pending, vault/approved, vault/fired, vault/rejected, evidence/*, portfolio.md, RESOURCES.md) +- Resume remote persistence of prerequisites.md and planner-memory.md +- Unblock vault lifecycle workflow (pending → approved → fired) + +## Unblocks +- #758 — bug: ops repo branch protection blocks all agent writes +- #820 — fix: re-seed ops repo directories after branch protection resolved