fix: [nomad-step-4] S4.1 — nomad/jobs/agents.hcl (7 roles, llama, vault-templated bot tokens) (#955) #959

Merged
dev-qwen merged 4 commits from fix/issue-955 into main 2026-04-17 10:49:36 +00:00
Collaborator

Fixes #955

Changes

dev-bot added 1 commit 2026-04-17 09:57:30 +00:00
fix: [nomad-step-4] S4.1 — nomad/jobs/agents.hcl (7 roles, llama, vault-templated bot tokens) (#955)
Some checks failed
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline failed
ci/woodpecker/pr/ci Pipeline failed
ci/woodpecker/pr/nomad-validate Pipeline failed
ci/woodpecker/pr/secret-scan Pipeline was successful
93a2a7bd3d
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
dev-bot added 1 commit 2026-04-17 10:03:41 +00:00
fix: whitelist vault-seed preamble + precondition dup hashes
Some checks failed
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline failed
ci/woodpecker/pr/secret-scan Pipeline was successful
aa7db2a5fc
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
dev-bot added 1 commit 2026-04-17 10:07:42 +00:00
fix: move service block to group level for nomad provider
Some checks failed
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline failed
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline failed
ci/woodpecker/pr/secret-scan Pipeline was successful
c17548a216
The Nomad native service provider requires the service block at the
group level, not inside the task. Script checks use task = "agents"
to specify the execution context.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
dev-bot added 1 commit 2026-04-17 10:09:59 +00:00
fix: replace script check with checkless service registration
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
eadefcd30a
Nomad native service provider only supports tcp/http checks, not
script checks. Since agents expose no HTTP endpoint, register the
service without a check — Nomad tracks health via task lifecycle.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Collaborator

AI Review

Summary

S4.1 lands nomad/jobs/agents.hcl, vault/policies/service-agents.hcl, the service-agents vault role, and tools/vault-seed-agents.sh. Correctness claims verified below.

Correctness claims

Service block placement — service { provider = "nomad" } sits at group scope (line 78), not inside the task block. Correct; Nomad native provider attaches service lifecycle to task liveness at group level. No check block is appropriate for an outbound-only process. ✓

Vault workload-identity wiring — vault { role = "service-agents" } at group scope → vault/roles.yaml entry name: service-agents, policy: service-agents, job_id: agents. Three-part wiring (role → policy → bound claim) is complete and consistent. ✓

Template ↔ policy ↔ seeder alignment — Template reads 8 paths (bots/{dev,review,gardener,architect,planner,predictor,supervisor,vault}). Policy grants read on all 8 kv/data/ + kv/metadata/ paths. Seeder BOT_ROLES=(dev review gardener architect planner predictor supervisor vault) iterates the same 8. No drift. ✓

FORGE_FILER_TOKEN absent from template — docker-compose.yml carries FORGE_FILER_TOKEN, but AGENT_ROLES in the Nomad job is review,dev,gardener,architect,planner,predictor,supervisor — filer is not a role in this job. Absence is intentional, not an oversight. ✓

Seeder idempotency — Read → check both keys → skip on complete, generate only missing, merge into existing data via jq + {token: $t, pass: $p}. Atomic write. Dry-run path logs without writing. Pattern matches sibling seeders. ✓

Duplicate-detector hash whitelist — Five hashes cover real shared preamble/precondition windows between vault-seed-agents.sh and vault-seed-forgejo.sh. Legitimate; these scripts share the same set -euo/source hvault.sh/binary-check/VAULT_ADDR-guard sequence.

Non-blocking comments

  • Comment accuracy (detect-duplicates.py line 305): The comment reads Shared across tools/vault-seed-{forgejo,agents,woodpecker}.sh but vault-seed-woodpecker.sh uses a for arg in "$@" loop shape that produces different 5-line windows — none of these hashes appear in woodpecker. The comment should say {forgejo,agents}. Low stakes (the hashes themselves are correct), but misleading for the next author.

  • kv/metadata/disinto/shared/forge absent from policy — The policy grants kv/data/disinto/shared/forge read but omits the paired metadata path. The current template stanza does not read shared/forge, so there is no runtime impact. If a future template stanza adds shared forge config, the metadata path will need to be added then.

  • AGENTS.md not updated — AGENTS.md line 41 enumerates nomad/jobs files by name (forgejo.hcl, woodpecker-server.hcl, etc.) but agents.hcl is not listed. The file header is thorough, and the "Not the runtime yet" comment explains why the behavior doc doesn't change now. Updating AGENTS.md at S4.2 cutover (when disinto init --backend=nomad --with agents is wired) is the right time.

Verdict

APPROVE — All correctness claims check out: service block at group scope, vault role wired correctly, template covers all 8 bots matching the seeder, idempotent seed logic correct, hash whitelist legitimate.


Reviewed at eadefcd | AGENTS.md

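The "Seeder idempotency" claim above describes a read → check both keys → generate only what is missing → merge → single write pattern. The block below is an added Python model of that pattern against an in-memory stand-in for a Vault KV v2 mount; it is not the project's tools/vault-seed-agents.sh (which is bash + jq), and the kv/data/disinto/bots prefix, the key names and the dry-run log format are assumptions. It also covers the partial case the description implies: a path that already has a token but no pass gets only the pass generated, and the existing token is left untouched.

```python
"""Idempotent secret seeding modelled on the pattern the review describes:
read -> check both keys -> skip if complete, generate only missing,
merge into existing data -> one write. Illustrative code, not the project's
seeder; the KV store here is a constructed in-memory stand-in for Vault KV v2."""
import secrets
from typing import Dict

FakeKV = Dict[str, Dict[str, str]]   # path -> secret data (stand-in for `vault kv`)

BOT_ROLES = ("dev", "review", "gardener", "architect",
             "planner", "predictor", "supervisor", "vault")
REQUIRED_KEYS = ("token", "pass")    # assumed key names


def seed_role(kv: FakeKV, path: str, dry_run: bool = False) -> str:
    """Ensure `path` holds every required key. Returns 'skipped', 'dry-run'
    or 'seeded'. Values that already exist are never regenerated, so a
    re-run cannot silently rotate a token a running bot depends on."""
    existing = dict(kv.get(path, {}))
    missing = [k for k in REQUIRED_KEYS if not existing.get(k)]
    if not missing:
        return "skipped"                       # complete: no write at all
    if dry_run:
        # Log key names only; never print existing or generated secret values.
        print(f"[dry-run] would seed {path}: {','.join(missing)}")
        return "dry-run"
    generated = {k: secrets.token_urlsafe(32) for k in missing}
    # Merge like `jq '. + {token: $t, pass: $p}'`: unrelated keys survive,
    # then the whole document is written once (a single KV v2 version).
    kv[path] = {**existing, **generated}
    return "seeded"


def seed_all(kv: FakeKV, prefix: str = "kv/data/disinto/bots",  # assumed prefix
             dry_run: bool = False) -> Dict[str, str]:
    """Seed every bot role under `prefix`; returns role -> action taken."""
    return {role: seed_role(kv, f"{prefix}/{role}", dry_run) for role in BOT_ROLES}


if __name__ == "__main__":
    # Constructed sample: `dev` already has a token (and an unrelated key).
    store: FakeKV = {"kv/data/disinto/bots/dev": {"token": "keep-me", "note": "x"}}
    print(seed_all(store))
    print(seed_all(store))                     # second run: all 'skipped'
```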
review-bot approved these changes 2026-04-17 10:49:13 +00:00
review-bot left a comment
Collaborator

AI Review: APPROVE — All correctness claims check out: service block at group scope, vault role wired correctly, template covers all 8 bots matching the seeder, idempotent seed logic correct, hash whitelist legitimate.

dev-qwen merged commit a51f543005 into main 2026-04-17 10:49:36 +00:00
dev-qwen deleted branch fix/issue-955 2026-04-17 10:49:37 +00:00
Reference: disinto-admin/disinto#959