disinto/vault/policies/service-agents.hcl

# vault/policies/service-agents.hcl
#
# Composite policy for the `agents` Nomad job (S4.1, issue #955).
# Grants read access to all 7 bot KV namespaces + shared forge config,
# so a single job running all agent roles can pull per-bot tokens from
# Vault via workload identity.

# ── Per-bot KV paths (token + pass per role) ─────────────────────────────────
path "kv/data/disinto/bots/dev" {
  capabilities = ["read"]
}

path "kv/metadata/disinto/bots/dev" {
  capabilities = ["list", "read"]
}

path "kv/data/disinto/bots/review" {
  capabilities = ["read"]
}

path "kv/metadata/disinto/bots/review" {
  capabilities = ["list", "read"]
}

path "kv/data/disinto/bots/gardener" {
  capabilities = ["read"]
}

path "kv/metadata/disinto/bots/gardener" {
  capabilities = ["list", "read"]
}

path "kv/data/disinto/bots/architect" {
  capabilities = ["read"]
}

path "kv/metadata/disinto/bots/architect" {
  capabilities = ["list", "read"]
}

path "kv/data/disinto/bots/planner" {
  capabilities = ["read"]
}

path "kv/metadata/disinto/bots/planner" {
  capabilities = ["list", "read"]
}

path "kv/data/disinto/bots/predictor" {
  capabilities = ["read"]
}

path "kv/metadata/disinto/bots/predictor" {
  capabilities = ["list", "read"]
}

path "kv/data/disinto/bots/supervisor" {
  capabilities = ["read"]
}

path "kv/metadata/disinto/bots/supervisor" {
  capabilities = ["list", "read"]
}

path "kv/data/disinto/bots/vault" {
  capabilities = ["read"]
}

path "kv/metadata/disinto/bots/vault" {
  capabilities = ["list", "read"]
}

# ── Shared forge config (URL, bot usernames) ─────────────────────────────────
path "kv/data/disinto/shared/forge" {
  capabilities = ["read"]
}
fix: [nomad-step-4] S4.1 — nomad/jobs/agents.hcl (7 roles, llama, vault-templated bot tokens) (#955) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-17 09:57:12 +00:00			`# vault/policies/service-agents.hcl`
			`#`
			# Composite policy for the `agents` Nomad job (S4.1, issue #955).
			`# Grants read access to all 7 bot KV namespaces + shared forge config,`
			`# so a single job running all agent roles can pull per-bot tokens from`
			`# Vault via workload identity.`

			`# ── Per-bot KV paths (token + pass per role) ─────────────────────────────────`
			`path "kv/data/disinto/bots/dev" {`
			`capabilities = ["read"]`
			`}`

			`path "kv/metadata/disinto/bots/dev" {`
			`capabilities = ["list", "read"]`
			`}`

			`path "kv/data/disinto/bots/review" {`
			`capabilities = ["read"]`
			`}`

			`path "kv/metadata/disinto/bots/review" {`
			`capabilities = ["list", "read"]`
			`}`

			`path "kv/data/disinto/bots/gardener" {`
			`capabilities = ["read"]`
			`}`

			`path "kv/metadata/disinto/bots/gardener" {`
			`capabilities = ["list", "read"]`
			`}`

			`path "kv/data/disinto/bots/architect" {`
			`capabilities = ["read"]`
			`}`

			`path "kv/metadata/disinto/bots/architect" {`
			`capabilities = ["list", "read"]`
			`}`

			`path "kv/data/disinto/bots/planner" {`
			`capabilities = ["read"]`
			`}`

			`path "kv/metadata/disinto/bots/planner" {`
			`capabilities = ["list", "read"]`
			`}`

			`path "kv/data/disinto/bots/predictor" {`
			`capabilities = ["read"]`
			`}`

			`path "kv/metadata/disinto/bots/predictor" {`
			`capabilities = ["list", "read"]`
			`}`

			`path "kv/data/disinto/bots/supervisor" {`
			`capabilities = ["read"]`
			`}`

			`path "kv/metadata/disinto/bots/supervisor" {`
			`capabilities = ["list", "read"]`
			`}`

			`path "kv/data/disinto/bots/vault" {`
			`capabilities = ["read"]`
			`}`

			`path "kv/metadata/disinto/bots/vault" {`
			`capabilities = ["list", "read"]`
			`}`

			`# ── Shared forge config (URL, bot usernames) ─────────────────────────────────`
			`path "kv/data/disinto/shared/forge" {`
			`capabilities = ["read"]`
			`}`