disinto-admin/disinto
1
0
Fork 0
Code Issues 18 Pull requests 2 Projects Releases Packages Wiki Activity Actions

Merge pull request 'fix: [nomad-step-2] S2-fix-G — strip trailing /* from all vault policy paths (systemic 403) (#951)' (#952) from fix/issue-951 into main
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/push/nomad-validate Pipeline was successful
Details

Browse source
This commit is contained in:
dev-qwen2 2026-04-17 09:17:08 +00:00
commit c20b0a8bd2
11 changed files with 31 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

6
vault/policies/bot-architect.hcl
View file

@ -3,14 +3,14 @@
# Architect agent: reads its own bot KV namespace + the shared forge URL.
# Attached to the architect-agent Nomad job via workload identity (S2.4).
path "kv/data/disinto/bots/architect/*" {
path "kv/data/disinto/bots/architect" {
capabilities = ["read"]
}
path "kv/metadata/disinto/bots/architect/*" {
path "kv/metadata/disinto/bots/architect" {
capabilities = ["list", "read"]
}
path "kv/data/disinto/shared/forge/*" {
path "kv/data/disinto/shared/forge" {
capabilities = ["read"]
}

6
vault/policies/bot-dev-qwen.hcl
View file

@ -5,14 +5,14 @@
# via workload identity (S2.4). KV path mirrors the bot basename:
# kv/disinto/bots/dev-qwen/*.
path "kv/data/disinto/bots/dev-qwen/*" {
path "kv/data/disinto/bots/dev-qwen" {
capabilities = ["read"]
}
path "kv/metadata/disinto/bots/dev-qwen/*" {
path "kv/metadata/disinto/bots/dev-qwen" {
capabilities = ["list", "read"]
}
path "kv/data/disinto/shared/forge/*" {
path "kv/data/disinto/shared/forge" {
capabilities = ["read"]
}

6
vault/policies/bot-dev.hcl
View file

@ -3,14 +3,14 @@
# Dev agent: reads its own bot KV namespace + the shared forge URL.
# Attached to the dev-agent Nomad job via workload identity (S2.4).
path "kv/data/disinto/bots/dev/*" {
path "kv/data/disinto/bots/dev" {
capabilities = ["read"]
}
path "kv/metadata/disinto/bots/dev/*" {
path "kv/metadata/disinto/bots/dev" {
capabilities = ["list", "read"]
}
path "kv/data/disinto/shared/forge/*" {
path "kv/data/disinto/shared/forge" {
capabilities = ["read"]
}

6
vault/policies/bot-gardener.hcl
View file

@ -3,14 +3,14 @@
# Gardener agent: reads its own bot KV namespace + the shared forge URL.
# Attached to the gardener-agent Nomad job via workload identity (S2.4).
path "kv/data/disinto/bots/gardener/*" {
path "kv/data/disinto/bots/gardener" {
capabilities = ["read"]
}
path "kv/metadata/disinto/bots/gardener/*" {
path "kv/metadata/disinto/bots/gardener" {
capabilities = ["list", "read"]
}
path "kv/data/disinto/shared/forge/*" {
path "kv/data/disinto/shared/forge" {
capabilities = ["read"]
}

6
vault/policies/bot-planner.hcl
View file

@ -3,14 +3,14 @@
# Planner agent: reads its own bot KV namespace + the shared forge URL.
# Attached to the planner-agent Nomad job via workload identity (S2.4).
path "kv/data/disinto/bots/planner/*" {
path "kv/data/disinto/bots/planner" {
capabilities = ["read"]
}
path "kv/metadata/disinto/bots/planner/*" {
path "kv/metadata/disinto/bots/planner" {
capabilities = ["list", "read"]
}
path "kv/data/disinto/shared/forge/*" {
path "kv/data/disinto/shared/forge" {
capabilities = ["read"]
}

6
vault/policies/bot-predictor.hcl
View file

@ -3,14 +3,14 @@
# Predictor agent: reads its own bot KV namespace + the shared forge URL.
# Attached to the predictor-agent Nomad job via workload identity (S2.4).
path "kv/data/disinto/bots/predictor/*" {
path "kv/data/disinto/bots/predictor" {
capabilities = ["read"]
}
path "kv/metadata/disinto/bots/predictor/*" {
path "kv/metadata/disinto/bots/predictor" {
capabilities = ["list", "read"]
}
path "kv/data/disinto/shared/forge/*" {
path "kv/data/disinto/shared/forge" {
capabilities = ["read"]
}

6
vault/policies/bot-review.hcl
View file

@ -3,14 +3,14 @@
# Review agent: reads its own bot KV namespace + the shared forge URL.
# Attached to the review-agent Nomad job via workload identity (S2.4).
path "kv/data/disinto/bots/review/*" {
path "kv/data/disinto/bots/review" {
capabilities = ["read"]
}
path "kv/metadata/disinto/bots/review/*" {
path "kv/metadata/disinto/bots/review" {
capabilities = ["list", "read"]
}
path "kv/data/disinto/shared/forge/*" {
path "kv/data/disinto/shared/forge" {
capabilities = ["read"]
}

6
vault/policies/bot-supervisor.hcl
View file

@ -3,14 +3,14 @@
# Supervisor agent: reads its own bot KV namespace + the shared forge URL.
# Attached to the supervisor-agent Nomad job via workload identity (S2.4).
path "kv/data/disinto/bots/supervisor/*" {
path "kv/data/disinto/bots/supervisor" {
capabilities = ["read"]
}
path "kv/metadata/disinto/bots/supervisor/*" {
path "kv/metadata/disinto/bots/supervisor" {
capabilities = ["list", "read"]
}
path "kv/data/disinto/shared/forge/*" {
path "kv/data/disinto/shared/forge" {
capabilities = ["read"]
}

6
vault/policies/bot-vault.hcl
View file

@ -7,14 +7,14 @@
# NOTE: distinct from the runner-* policies, which gate per-secret access
# for vault-runner ephemeral dispatches (Step 5).
path "kv/data/disinto/bots/vault/*" {
path "kv/data/disinto/bots/vault" {
capabilities = ["read"]
}
path "kv/metadata/disinto/bots/vault/*" {
path "kv/metadata/disinto/bots/vault" {
capabilities = ["list", "read"]
}
path "kv/data/disinto/shared/forge/*" {
path "kv/data/disinto/shared/forge" {
capabilities = ["read"]
}

4
vault/policies/dispatcher.hcl
View file

@ -20,10 +20,10 @@ path "kv/metadata/disinto/runner/*" {
capabilities = ["list", "read"]
}
path "kv/data/disinto/shared/ops-repo/*" {
path "kv/data/disinto/shared/ops-repo" {
capabilities = ["read"]
}
path "kv/metadata/disinto/shared/ops-repo/*" {
path "kv/metadata/disinto/shared/ops-repo" {
capabilities = ["list", "read"]
}

4
vault/policies/service-woodpecker.hcl
View file

@ -6,10 +6,10 @@
# Scope: kv/disinto/shared/woodpecker/* entries owned by the operator
# and consumed by woodpecker-server + woodpecker-agent.
path "kv/data/disinto/shared/woodpecker/*" {
path "kv/data/disinto/shared/woodpecker" {
capabilities = ["read"]
}
path "kv/metadata/disinto/shared/woodpecker/*" {
path "kv/metadata/disinto/shared/woodpecker" {
capabilities = ["list", "read"]
}