From 14a6c5004b758be7bed3862ee85d68f6fcb7122f Mon Sep 17 00:00:00 2001 From: claude-timemachine Date: Tue, 2 Jun 2026 21:35:56 +0200 Subject: [PATCH] design: lock all pre-implementation decisions - Server-side prune via per-repo operator master key (restic key add at provision time) - Auto-download restic on first run (packwiz-installer-bootstrap pattern) - Nightly prune at 04:00 UTC via in-process time.Ticker - Per-caller provisioning tokens (CLOUD_PROVISIONING_TOKENS_) for audit attribution; NOT shared --- DESIGN.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/DESIGN.md b/DESIGN.md index a9f3f81..38147b7 100644 --- a/DESIGN.md +++ b/DESIGN.md @@ -97,7 +97,7 @@ operator master key"| store The split means a compromised discord-bot can mint new accounts but cannot enumerate, prune, or revoke existing ones. Operator-only ops require shell access on john. Auth model: -- Provisioning listener: shared service token (env `CLOUD_PROVISIONING_KEY`), discord-bot uses same value from its own env +- Provisioning listener: per-caller tokens. cloud-svc reads `CLOUD_PROVISIONING_TOKENS_BOT`, `CLOUD_PROVISIONING_TOKENS_` env vars. Header `Authorization: Bearer `. Logs include matched caller name for audit attribution. - Operator listener: no auth — loopback bind is the boundary, same pattern as `server-manager:127.0.0.1:8080` ## Auth & identity 
@@ -233,10 +233,11 @@ Operator endpoints are loopback-only and require SSH access to john to reach. No ## Pre-implementation checklist -- [ ] User reviews this design doc -- [x] **Confirmed (2026-06-02): cloud-svc reshapes to control plane, not archived** -- [x] **Confirmed (2026-06-02): two-port split — automc-net for provisioning, loopback for operator** -- [ ] Confirm: server-side prune via operator master password key on each repo -- [ ] Confirm: cloud-sync.jar auto-downloads restic binary vs requires it pre-installed -- [ ] Confirm: nightly prune cadence (default proposal: daily 04:00 UTC) -- [ ] Confirm: shared service token between discord-bot and cloud-svc provisioning port (env var on both) +All locked 2026-06-02: + +- [x] cloud-svc reshapes to control plane, not archived +- [x] Two-port split — automc-net for provisioning, loopback for operator +- [x] Server-side prune via operator master password key on each repo. On `provision`, cloud-svc runs `restic init` then `restic key add` with the operator-master password as a SECOND key. The nightly pruner uses the operator key to open any repo. +- [x] cloud-sync.jar auto-downloads restic binary. Matches `packwiz-installer-bootstrap` pattern. First run hits `https://github.com/restic/restic/releases` for the matching platform binary, caches under `/restic-/`. `--no-download` flag for air-gapped operators. +- [x] Nightly prune at 04:00 UTC. `time.Ticker` inside cloud-svc; no external cron. `--prune-time HH:MM` flag in case operators want a different window. +- [x] Per-caller tokens, NOT shared. cloud-svc reads `CLOUD_PROVISIONING_TOKENS_BOT`, `CLOUD_PROVISIONING_TOKENS_` env vars — one per known caller. Logs include the matched caller name so audit trails show which service made each call. Adding a future caller (e.g., a portal) means a new env var, not a token rotation.
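Review bot: the rewritten "Provisioning listener" line in the first hunk names the per-caller `CLOUD_PROVISIONING_TOKENS_*` variables and the `Authorization: Bearer` header but does not say how the presented token is matched or what a failed match produces; the design should state that the Bearer value is compared in constant time against every configured caller token (the listener faces automc-net, so a byte-by-byte early-exit compare is a timing oracle), that a mismatch returns a generic 401 that does not reveal which caller names exist, and that the token value itself, matched or not, is never written to the log, only the caller name (or "unknown"). The unchanged "Operator listener: no auth — loopback bind is the boundary" line leans on the earlier sentence that operator-only ops require shell access on john; that boundary only holds while no untrusted process can run on john, which is worth stating as an explicit requirement rather than leaving implicit in the `server-manager:127.0.0.1:8080` comparison.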
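Review bot: the "cloud-sync.jar auto-downloads restic binary" item in the checklist hunk fetches a platform binary from `https://github.com/restic/restic/releases` on first run but says nothing about verifying it, which makes every fresh client a software-supply-chain entry point; the design should pin an exact restic version instead of whatever is current, verify the downloaded archive against that release's `SHA256SUMS` (and the `SHA256SUMS.asc` signature restic publishes alongside it) before anything is cached or executed, and refuse to run on mismatch, with `--no-download` operators expected to supply a binary they verified themselves. Two more points in the same hunk: a `time.Ticker` fires at a fixed interval measured from its creation, not at a wall-clock time, so "nightly prune at 04:00 UTC" via a ticker will drift with every restart; compute the duration to the next 04:00 UTC and arm a `time.Timer` (re-armed after each run) instead, and state that `--prune-time HH:MM` is interpreted in UTC. The `restic key add` step also means cloud-svc must hold the operator master password to open every repo, so the document should say where that secret lives on john and acknowledge that a compromise of cloud-svc, unlike the discord-bot case covered by the "split" paragraph above, exposes all repos. Lastly, `restic prune` takes an exclusive repository lock and fails when a client backup holds the repo, so the nightly pruner needs a documented retry or skip-and-log policy rather than an assumption that each run succeeds.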