Refresh Working Leo apply and GCP access gates

This commit is contained in:
twentyOne2x 2026-07-13 03:29:39 +02:00
parent 897ad43561
commit 9b72d77e91
13 changed files with 32 additions and 28 deletions

View file

@ -1,7 +1,7 @@
{
"schema": "teleo.gcpCoryReplayAccessBlocker.v1",
"generated_at_utc": "2026-07-12T20:50:00Z",
"status": "waiting_on_google_password_reauthentication",
"generated_at_utc": "2026-07-13T01:26:30Z",
"status": "waiting_on_google_password_reauthentication_prepared_handoff",
"current_canary": {
"operator_path": "Run DC-01 through DC-06 through the real adapter-free GCP GatewayRunner against teleo_clone_cory_20260712t1940z, require strict 6/6 plus exact count consistency, then delete the clone and run-owned files.",
"expected_result": "Six truthful replies, every printed canonical count equal to 1837/4145/4916/4670/26, unchanged clone fingerprint, unchanged GCP service/profile, no Telegram send, no DB write, and zero generated clone/run resources remaining.",
@ -14,12 +14,14 @@
},
"config_readback": {
"privileged_account": "billy@livingip.xyz",
"local_gcloud": "refresh requires interactive Google password verification",
"keychain_password": "present; intentionally non-retrievable and insufficient for OAuth",
"local_gcloud": "account billy@livingip.xyz and project teleo-501523 are configured; OAuth is stale_or_unavailable",
"current_local_egress": "99.35.221.133",
"configured_ssh_firewall_source": "176.108.138.1/32",
"gcp_vm_external_ip": "34.65.143.148",
"direct_ssh": "TCP/22 timeout before authentication",
"chrome": "existing tab titled Google Cloud Platform is at the Google password challenge for authuser=5",
"chrome_personal_account": "billyattnmarket@gmail.com is authenticated but lacks resourcemanager.projects.get on teleo-501523",
"chrome_privileged_account": "selected Chrome tab titled Welcome is at the Google password challenge for billy@livingip.xyz; secure password field is focused and accepts typing or paste",
"github_iap_workflow_run": "29208215340",
"github_iap_auth": "invalid_target: teleo-iap-operator Workload Identity provider absent, disabled, or deleted",
"existing_living_ip_github_provider": "authenticates sa-artifact-builder, but that account lacks Compute, IAM, Secret Manager, and Cloud SQL permissions"
@ -30,13 +32,15 @@
"two other valid cached Google identities; neither has Teleo project access",
"merged GitHub OIDC/IAP fixed-operation workflow on main",
"existing living-ip-github WIF provider with sa-artifact-builder",
"authenticated Chrome tab discovery without reading credentials",
"authenticated Chrome console discovery without reading credentials; the personal account lacks Teleo project access",
"dedicated GCP tab sign-out recovery, privileged account email entry, and preparation of a focused pasteable password field using Computer Use",
"Chrome extension route became unstable, so the prepared handoff was verified with Computer Use without AppleScript or foreground-command fallbacks",
"Mullvad status/config readback; configured relay does not restore the allowed office ISP address",
"Tailscale peer/exit-node inventory; no peer offers the allowed office ISP route"
],
"exact_gate": "Google requires the current password for billy@livingip.xyz before Codex can rotate teleo-prod-allow-ssh-current-ip or bootstrap the missing IAP Workload Identity provider and dedicated operator service accounts.",
"why_autonomous_repair_stops": "Passwords and reauthentication credentials are human-only. No current noninteractive principal has the required Compute/IAM permissions, and no existing network route originates from the allowed 176.108.138.1/32 address.",
"clear_CTA": "Unlock the Mac. In Chrome, open the existing tab titled Google Cloud Platform for billy@livingip.xyz, enter the current Google password, click Next, then reply exactly: GCP reauthenticated. Do not send the password to Codex.",
"exact_gate": "Google requires the current password, and any subsequent MFA or consent, for billy@livingip.xyz before Codex can rotate teleo-prod-allow-ssh-current-ip or bootstrap the missing IAP Workload Identity provider and dedicated operator service accounts.",
"why_autonomous_repair_stops": "Raw passwords and MFA are human-only. The device-local Keychain item is deliberately non-retrievable and cannot satisfy OAuth. No current noninteractive principal has the required Compute/IAM permissions, and no existing network route originates from the allowed 176.108.138.1/32 address.",
"clear_CTA": "In the selected Chrome tab titled Welcome, paste or type the current password into the already-focused Enter your password field, click Next, complete any MFA or consent, then tell Codex exactly: GCP reauthenticated. Do not send the password to Codex.",
"next_non_user_action": "Rotate only teleo-prod-allow-ssh-current-ip to 99.35.221.133/32, verify passwordless SSH and service/DB invariants, bootstrap and live-test the dedicated GitHub OIDC/IAP operator, run the hardened six-response replay, retain the result, drop teleo_clone_cory_20260712t1940z, remove all run files, and verify the disabled rollback database remains zero-connection.",
"cleanup_pending": {
"generated_database": "teleo_clone_cory_20260712t1940z",

View file

@ -184,7 +184,7 @@
"sha256": "0a7e419f98711ab11eb7b6e839008d7105e178ec40e864fb37f714bd4bf133e5"
}
],
"generated_at_utc": "2026-07-09T22:57:32.369798+00:00",
"generated_at_utc": "2026-07-13T01:11:51.304177+00:00",
"missing_apply_markers": [],
"missing_rollback_markers": [],
"mode": "retained_artifact_readiness_verify",

View file

@ -1,6 +1,6 @@
# Working Leo Apply Readiness
Generated UTC: `2026-07-09T22:57:32.369798+00:00`
Generated UTC: `2026-07-13T01:11:51.304177+00:00`
Mode: `retained_artifact_readiness_verify`
Ready for separately authorized production apply packet: `True`
Production apply executed: `False`

View file

@ -27,7 +27,7 @@
"rio_strategy_nodes": 2,
"sources": 28
},
"generated_at_utc": "2026-07-10T01:41:16.353240+00:00",
"generated_at_utc": "2026-07-13T01:11:51.485346+00:00",
"mode": "operator_runbook_generation_only",
"operator_environment": {
"operator_commands_run_sql_if_executed": true,

View file

@ -1,6 +1,6 @@
# Working Leo Authorized Apply Runbook
Generated UTC: `2026-07-10T01:41:16.353240+00:00`
Generated UTC: `2026-07-13T01:11:51.485346+00:00`
Mode: `operator_runbook_generation_only`
Status: `ready_not_executed`
Ready for authorized operator: `True`

View file

@ -83,7 +83,7 @@
"rio_strategy_nodes": 2,
"sources": 28
},
"generated_at_utc": "2026-07-10T01:49:46.485415+00:00",
"generated_at_utc": "2026-07-13T01:12:12.535652+00:00",
"mode": "authorized_apply_session_plan_not_executed",
"non_apply_steps_do_not_mutate_db": true,
"output_dir": "docs/reports/leo-working-state-20260709/production-apply-session-artifacts",

View file

@ -1,6 +1,6 @@
# Working Leo Authorized Apply Session Plan
Generated UTC: `2026-07-10T01:49:46.485415+00:00`
Generated UTC: `2026-07-13T01:12:12.535652+00:00`
Mode: `authorized_apply_session_plan_not_executed`
Production apply executed: `False`
All apply steps require authorization: `True`

View file

@ -46,12 +46,12 @@
],
"evidence_paths": {
"direct_claim_score": {
"bytes": 14730,
"bytes": 18108,
"exists": true,
"path": "docs/reports/leo-working-state-20260709/telegram-handler-direct-claim-suite-score-current.json"
},
"preflight": {
"bytes": 12496,
"bytes": 12598,
"exists": true,
"path": "docs/reports/leo-working-state-20260709/working-leo-production-preflight-current.json"
},
@ -77,7 +77,7 @@
}
},
"explicit_operator_authorization_text_template": "I authorize production DB apply for the integrated Working Leo packet set on VPS using deployed commit <DEPLOYED_SHA_READBACK> in this order: mapped-rich-base, cross-surface-anchor, rio-strategy-context, governance-concept-schema, helmer-7powers. Run preflight immediately before each phase, run the authorized apply SQL, run every postflight, run the non-posting direct-claim regression and scorer, capture service and cleanup readbacks, validate the production receipt, and do not post Telegram-visible messages unless separately authorized.",
"generated_at_utc": "2026-07-10T02:32:40.085769+00:00",
"generated_at_utc": "2026-07-13T01:12:12.771226+00:00",
"mode": "production_apply_authorization_packet_not_executed",
"next_non_user_action_after_authorization": [
"Re-read deployed SHA, service state, and production preflight baseline.",
@ -86,7 +86,7 @@
"Capture service readback, cleanup readback, and production receipt.",
"Run the offline production receipt validator and retain the validation artifacts."
],
"packet_generation_git_sha": "3a0c47c83d80a56281461533616397758c111d07",
"packet_generation_git_sha": "bef10341e9cc31f41cb5fbd0a55119f1766e41fd",
"production_apply_authorization_present": false,
"production_apply_executed": false,
"ready_to_request_authorization": true

View file

@ -1,12 +1,12 @@
# Working Leo Production Apply Authorization Packet
Generated UTC: `2026-07-10T02:32:40.085769+00:00`
Generated UTC: `2026-07-13T01:12:12.771226+00:00`
Mode: `production_apply_authorization_packet_not_executed`
Production apply executed: `False`
Production apply authorization present: `False`
Ready to request authorization: `True`
Authorization gate status: `ready_to_request_explicit_authorization`
Packet generation git SHA: `3a0c47c83d80a56281461533616397758c111d07`
Packet generation git SHA: `bef10341e9cc31f41cb5fbd0a55119f1766e41fd`
Authorization commit SHA rule: `Use the fresh deployed SHA read back immediately before apply.`
## Scope

View file

@ -16,7 +16,7 @@
"service_readback": "must_fill_after_post_apply_service_readback",
"telegram_or_handler_regression_paths": "must_fill_after_post_apply_regression_rerun"
},
"generated_at_utc": "2026-07-10T01:46:12.932110+00:00",
"generated_at_utc": "2026-07-13T01:12:12.154253+00:00",
"mode": "receipt_template_not_executed",
"must_fill_after_authorized_apply": [
"explicit_authorization_record",
@ -37,7 +37,7 @@
],
"preflight_artifacts": [
{
"bytes": 12496,
"bytes": 12598,
"exists": true,
"path": "docs/reports/leo-working-state-20260709/working-leo-production-preflight-current.json"
},
@ -80,7 +80,7 @@
"fill_after_authorization": true,
"required_scope": "integrated Working Leo packet set in runbook dependency order"
},
"git_commit_sha": "57bd705079b2cb5f8cdc7a0a734083cf888177ff",
"git_commit_sha": "bef10341e9cc31f41cb5fbd0a55119f1766e41fd",
"known_residual_risks": [
"GCP parity remains separate until access is restored and read-only parity proof is captured.",
"Any Telegram-visible post-apply proof must be separately authorized at action time."

View file

@ -1,6 +1,6 @@
# Working Leo Production Apply Receipt Template
Generated UTC: `2026-07-10T01:46:12.932110+00:00`
Generated UTC: `2026-07-13T01:12:12.154253+00:00`
Mode: `receipt_template_not_executed`
Production apply executed: `False`
Valid production receipt: `False`

View file

@ -1,10 +1,10 @@
{
"applies_production_packet": false,
"claim_ceiling": "This is read-only production preflight evidence. It can prove current row-level readiness or drift before an apply window. It does not authorize production apply and does not prove canonical rows were changed.",
"command_redacted": "docker exec -i teleo-pg psql -U postgres -d teleo -v ON_ERROR_STOP=1 -P pager=off",
"command_redacted": "ssh -i [SSH_KEY] -o BatchMode=yes -o StrictHostKeyChecking=accept-new -o ConnectTimeout=15 root@77.42.65.182 'docker exec -i teleo-pg psql -U postgres -d teleo -v ON_ERROR_STOP=1 -P pager=off'",
"execute_requested": true,
"failures": [],
"generated_at_utc": "2026-07-10T01:42:02.835653+00:00",
"generated_at_utc": "2026-07-13T01:12:11.343559+00:00",
"mode": "live_vps_readonly_preflight",
"mutates_production_db": false,
"passes": 5,
@ -90,5 +90,5 @@
],
"ssh_target": "root@77.42.65.182",
"status": "pass",
"transport": "local-docker"
"transport": "ssh"
}

View file

@ -1,6 +1,6 @@
# Working Leo Production Preflight
Generated UTC: `2026-07-10T01:42:02.835653+00:00`
Generated UTC: `2026-07-13T01:12:11.343559+00:00`
Mode: `live_vps_readonly_preflight`
Status: `pass`
Executed: `True`