design: lock all pre-implementation decisions

- Server-side prune via per-repo operator master key (restic key add at provision time)
- Auto-download restic on first run (packwiz-installer-bootstrap pattern)
- Nightly prune at 04:00 UTC via in-process time.Ticker
- Per-caller provisioning tokens (CLOUD_PROVISIONING_TOKENS_<NAME>) for audit attribution; NOT shared
2026-06-02 21:35:56 +02:00
parent d9a6057c75
commit 14a6c5004b
+9 -8
@@ -97,7 +97,7 @@ operator master key"| store
The split means a compromised discord-bot can mint new accounts but cannot enumerate, prune, or revoke existing ones. Operator-only ops require shell access on john. The split means a compromised discord-bot can mint new accounts but cannot enumerate, prune, or revoke existing ones. Operator-only ops require shell access on john.
Auth model: Auth model:
- Provisioning listener: shared service token (env `CLOUD_PROVISIONING_KEY`), discord-bot uses same value from its own env - Provisioning listener: per-caller tokens. cloud-svc reads `CLOUD_PROVISIONING_TOKENS_BOT`, `CLOUD_PROVISIONING_TOKENS_<NAME>` env vars. Header `Authorization: Bearer <token>`. Logs include matched caller name for audit attribution.
- Operator listener: no auth — loopback bind is the boundary, same pattern as `server-manager:127.0.0.1:8080` - Operator listener: no auth — loopback bind is the boundary, same pattern as `server-manager:127.0.0.1:8080`
## Auth & identity ## Auth & identity
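Review bot: the new auth-model bullet replaces the shared `CLOUD_PROVISIONING_KEY` with per-caller `CLOUD_PROVISIONING_TOKENS_<NAME>` tokens but never says what happens to the old variable; state explicitly that cloud-svc no longer reads `CLOUD_PROVISIONING_KEY`, so no shared-secret fallback path survives the migration. While editing that bullet, also spell out the failure behaviour the audit log depends on: an unmatched bearer token is rejected without the token value being logged, and the matched caller name (not the token) is what appears in log lines. Consider noting how `<NAME>` is derived from the env var suffix, since a caller name containing an underscore would otherwise be ambiguous.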
@@ -233,10 +233,11 @@ Operator endpoints are loopback-only and require SSH access to john to reach. No
## Pre-implementation checklist ## Pre-implementation checklist
- [ ] User reviews this design doc All locked 2026-06-02:
- [x] **Confirmed (2026-06-02): cloud-svc reshapes to control plane, not archived**
- [x] **Confirmed (2026-06-02): two-port split — automc-net for provisioning, loopback for operator** - [x] cloud-svc reshapes to control plane, not archived
- [ ] Confirm: server-side prune via operator master password key on each repo - [x] Two-port split — automc-net for provisioning, loopback for operator
- [ ] Confirm: cloud-sync.jar auto-downloads restic binary vs requires it pre-installed - [x] Server-side prune via operator master password key on each repo. On `provision`, cloud-svc runs `restic init` then `restic key add` with the operator-master password as a SECOND key. The nightly pruner uses the operator key to open any repo.
- [ ] Confirm: nightly prune cadence (default proposal: daily 04:00 UTC) - [x] cloud-sync.jar auto-downloads restic binary. Matches `packwiz-installer-bootstrap` pattern. First run hits `https://github.com/restic/restic/releases` for the matching platform binary, caches under `<jar dir>/restic-<version>/`. `--no-download` flag for air-gapped operators.
- [ ] Confirm: shared service token between discord-bot and cloud-svc provisioning port (env var on both) - [x] Nightly prune at 04:00 UTC. `time.Ticker` inside cloud-svc; no external cron. `--prune-time HH:MM` flag in case operators want a different window.
- [x] Per-caller tokens, NOT shared. cloud-svc reads `CLOUD_PROVISIONING_TOKENS_BOT`, `CLOUD_PROVISIONING_TOKENS_<OTHER>` env vars — one per known caller. Logs include the matched caller name so audit trails show which service made each call. Adding a future caller (e.g., a portal) means a new env var, not a token rotation.
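Review bot: the locked "server-side prune" item makes the operator-master password a second key on every repo, which means one secret opens all user backups; the checklist should record where that password lives on john, how it is protected (file mode, owner), and what rotation looks like, since rotating it means `restic key add` plus removal of the old key on every repo rather than a single config change. The auto-download item likewise says first run fetches the platform binary from `https://github.com/restic/restic/releases` and caches it under `<jar dir>/restic-<version>/`, but not how the download is verified; pin the expected version and verify its published checksum (or signature) before executing it, because that binary is what later runs with the repo password. Minor: the nightly-prune and token items are fine, but the old `- [ ] User reviews this design doc` line above `All locked 2026-06-02:` still reads as an open item and should be checked or removed.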