Refresh Working Leo apply and GCP access gates
This commit is contained in:
parent
897ad43561
commit
9b72d77e91
13 changed files with 32 additions and 28 deletions
|
|
@ -1,7 +1,7 @@
|
|||
{
|
||||
"schema": "teleo.gcpCoryReplayAccessBlocker.v1",
|
||||
"generated_at_utc": "2026-07-12T20:50:00Z",
|
||||
"status": "waiting_on_google_password_reauthentication",
|
||||
"generated_at_utc": "2026-07-13T01:26:30Z",
|
||||
"status": "waiting_on_google_password_reauthentication_prepared_handoff",
|
||||
"current_canary": {
|
||||
"operator_path": "Run DC-01 through DC-06 through the real adapter-free GCP GatewayRunner against teleo_clone_cory_20260712t1940z, require strict 6/6 plus exact count consistency, then delete the clone and run-owned files.",
|
||||
"expected_result": "Six truthful replies, every printed canonical count equal to 1837/4145/4916/4670/26, unchanged clone fingerprint, unchanged GCP service/profile, no Telegram send, no DB write, and zero generated clone/run resources remaining.",
|
||||
|
|
@ -14,12 +14,14 @@
|
|||
},
|
||||
"config_readback": {
|
||||
"privileged_account": "billy@livingip.xyz",
|
||||
"local_gcloud": "refresh requires interactive Google password verification",
|
||||
"keychain_password": "present; intentionally non-retrievable and insufficient for OAuth",
|
||||
"local_gcloud": "account billy@livingip.xyz and project teleo-501523 are configured; OAuth is stale_or_unavailable",
|
||||
"current_local_egress": "99.35.221.133",
|
||||
"configured_ssh_firewall_source": "176.108.138.1/32",
|
||||
"gcp_vm_external_ip": "34.65.143.148",
|
||||
"direct_ssh": "TCP/22 timeout before authentication",
|
||||
"chrome": "existing tab titled Google Cloud Platform is at the Google password challenge for authuser=5",
|
||||
"chrome_personal_account": "billyattnmarket@gmail.com is authenticated but lacks resourcemanager.projects.get on teleo-501523",
|
||||
"chrome_privileged_account": "selected Chrome tab titled Welcome is at the Google password challenge for billy@livingip.xyz; secure password field is focused and accepts typing or paste",
|
||||
"github_iap_workflow_run": "29208215340",
|
||||
"github_iap_auth": "invalid_target: teleo-iap-operator Workload Identity provider absent, disabled, or deleted",
|
||||
"existing_living_ip_github_provider": "authenticates sa-artifact-builder, but that account lacks Compute, IAM, Secret Manager, and Cloud SQL permissions"
|
||||
|
|
@ -30,13 +32,15 @@
|
|||
"two other valid cached Google identities; neither has Teleo project access",
|
||||
"merged GitHub OIDC/IAP fixed-operation workflow on main",
|
||||
"existing living-ip-github WIF provider with sa-artifact-builder",
|
||||
"authenticated Chrome tab discovery without reading credentials",
|
||||
"authenticated Chrome console discovery without reading credentials; the personal account lacks Teleo project access",
|
||||
"dedicated GCP tab sign-out recovery, privileged account email entry, and preparation of a focused pasteable password field using Computer Use",
|
||||
"Chrome extension route became unstable, so the prepared handoff was verified with Computer Use without AppleScript or foreground-command fallbacks",
|
||||
"Mullvad status/config readback; configured relay does not restore the allowed office ISP address",
|
||||
"Tailscale peer/exit-node inventory; no peer offers the allowed office ISP route"
|
||||
],
|
||||
"exact_gate": "Google requires the current password for billy@livingip.xyz before Codex can rotate teleo-prod-allow-ssh-current-ip or bootstrap the missing IAP Workload Identity provider and dedicated operator service accounts.",
|
||||
"why_autonomous_repair_stops": "Passwords and reauthentication credentials are human-only. No current noninteractive principal has the required Compute/IAM permissions, and no existing network route originates from the allowed 176.108.138.1/32 address.",
|
||||
"clear_CTA": "Unlock the Mac. In Chrome, open the existing tab titled Google Cloud Platform for billy@livingip.xyz, enter the current Google password, click Next, then reply exactly: GCP reauthenticated. Do not send the password to Codex.",
|
||||
"exact_gate": "Google requires the current password, and any subsequent MFA or consent, for billy@livingip.xyz before Codex can rotate teleo-prod-allow-ssh-current-ip or bootstrap the missing IAP Workload Identity provider and dedicated operator service accounts.",
|
||||
"why_autonomous_repair_stops": "Raw passwords and MFA are human-only. The device-local Keychain item is deliberately non-retrievable and cannot satisfy OAuth. No current noninteractive principal has the required Compute/IAM permissions, and no existing network route originates from the allowed 176.108.138.1/32 address.",
|
||||
"clear_CTA": "In the selected Chrome tab titled Welcome, paste or type the current password into the already-focused Enter your password field, click Next, complete any MFA or consent, then tell Codex exactly: GCP reauthenticated. Do not send the password to Codex.",
|
||||
"next_non_user_action": "Rotate only teleo-prod-allow-ssh-current-ip to 99.35.221.133/32, verify passwordless SSH and service/DB invariants, bootstrap and live-test the dedicated GitHub OIDC/IAP operator, run the hardened six-response replay, retain the result, drop teleo_clone_cory_20260712t1940z, remove all run files, and verify the disabled rollback database remains zero-connection.",
|
||||
"cleanup_pending": {
|
||||
"generated_database": "teleo_clone_cory_20260712t1940z",
|
||||
|
|
|
|||
|
|
@ -184,7 +184,7 @@
|
|||
"sha256": "0a7e419f98711ab11eb7b6e839008d7105e178ec40e864fb37f714bd4bf133e5"
|
||||
}
|
||||
],
|
||||
"generated_at_utc": "2026-07-09T22:57:32.369798+00:00",
|
||||
"generated_at_utc": "2026-07-13T01:11:51.304177+00:00",
|
||||
"missing_apply_markers": [],
|
||||
"missing_rollback_markers": [],
|
||||
"mode": "retained_artifact_readiness_verify",
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# Working Leo Apply Readiness
|
||||
|
||||
Generated UTC: `2026-07-09T22:57:32.369798+00:00`
|
||||
Generated UTC: `2026-07-13T01:11:51.304177+00:00`
|
||||
Mode: `retained_artifact_readiness_verify`
|
||||
Ready for separately authorized production apply packet: `True`
|
||||
Production apply executed: `False`
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@
|
|||
"rio_strategy_nodes": 2,
|
||||
"sources": 28
|
||||
},
|
||||
"generated_at_utc": "2026-07-10T01:41:16.353240+00:00",
|
||||
"generated_at_utc": "2026-07-13T01:11:51.485346+00:00",
|
||||
"mode": "operator_runbook_generation_only",
|
||||
"operator_environment": {
|
||||
"operator_commands_run_sql_if_executed": true,
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# Working Leo Authorized Apply Runbook
|
||||
|
||||
Generated UTC: `2026-07-10T01:41:16.353240+00:00`
|
||||
Generated UTC: `2026-07-13T01:11:51.485346+00:00`
|
||||
Mode: `operator_runbook_generation_only`
|
||||
Status: `ready_not_executed`
|
||||
Ready for authorized operator: `True`
|
||||
|
|
|
|||
|
|
@ -83,7 +83,7 @@
|
|||
"rio_strategy_nodes": 2,
|
||||
"sources": 28
|
||||
},
|
||||
"generated_at_utc": "2026-07-10T01:49:46.485415+00:00",
|
||||
"generated_at_utc": "2026-07-13T01:12:12.535652+00:00",
|
||||
"mode": "authorized_apply_session_plan_not_executed",
|
||||
"non_apply_steps_do_not_mutate_db": true,
|
||||
"output_dir": "docs/reports/leo-working-state-20260709/production-apply-session-artifacts",
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# Working Leo Authorized Apply Session Plan
|
||||
|
||||
Generated UTC: `2026-07-10T01:49:46.485415+00:00`
|
||||
Generated UTC: `2026-07-13T01:12:12.535652+00:00`
|
||||
Mode: `authorized_apply_session_plan_not_executed`
|
||||
Production apply executed: `False`
|
||||
All apply steps require authorization: `True`
|
||||
|
|
|
|||
|
|
@ -46,12 +46,12 @@
|
|||
],
|
||||
"evidence_paths": {
|
||||
"direct_claim_score": {
|
||||
"bytes": 14730,
|
||||
"bytes": 18108,
|
||||
"exists": true,
|
||||
"path": "docs/reports/leo-working-state-20260709/telegram-handler-direct-claim-suite-score-current.json"
|
||||
},
|
||||
"preflight": {
|
||||
"bytes": 12496,
|
||||
"bytes": 12598,
|
||||
"exists": true,
|
||||
"path": "docs/reports/leo-working-state-20260709/working-leo-production-preflight-current.json"
|
||||
},
|
||||
|
|
@ -77,7 +77,7 @@
|
|||
}
|
||||
},
|
||||
"explicit_operator_authorization_text_template": "I authorize production DB apply for the integrated Working Leo packet set on VPS using deployed commit <DEPLOYED_SHA_READBACK> in this order: mapped-rich-base, cross-surface-anchor, rio-strategy-context, governance-concept-schema, helmer-7powers. Run preflight immediately before each phase, run the authorized apply SQL, run every postflight, run the non-posting direct-claim regression and scorer, capture service and cleanup readbacks, validate the production receipt, and do not post Telegram-visible messages unless separately authorized.",
|
||||
"generated_at_utc": "2026-07-10T02:32:40.085769+00:00",
|
||||
"generated_at_utc": "2026-07-13T01:12:12.771226+00:00",
|
||||
"mode": "production_apply_authorization_packet_not_executed",
|
||||
"next_non_user_action_after_authorization": [
|
||||
"Re-read deployed SHA, service state, and production preflight baseline.",
|
||||
|
|
@ -86,7 +86,7 @@
|
|||
"Capture service readback, cleanup readback, and production receipt.",
|
||||
"Run the offline production receipt validator and retain the validation artifacts."
|
||||
],
|
||||
"packet_generation_git_sha": "3a0c47c83d80a56281461533616397758c111d07",
|
||||
"packet_generation_git_sha": "bef10341e9cc31f41cb5fbd0a55119f1766e41fd",
|
||||
"production_apply_authorization_present": false,
|
||||
"production_apply_executed": false,
|
||||
"ready_to_request_authorization": true
|
||||
|
|
|
|||
|
|
@ -1,12 +1,12 @@
|
|||
# Working Leo Production Apply Authorization Packet
|
||||
|
||||
Generated UTC: `2026-07-10T02:32:40.085769+00:00`
|
||||
Generated UTC: `2026-07-13T01:12:12.771226+00:00`
|
||||
Mode: `production_apply_authorization_packet_not_executed`
|
||||
Production apply executed: `False`
|
||||
Production apply authorization present: `False`
|
||||
Ready to request authorization: `True`
|
||||
Authorization gate status: `ready_to_request_explicit_authorization`
|
||||
Packet generation git SHA: `3a0c47c83d80a56281461533616397758c111d07`
|
||||
Packet generation git SHA: `bef10341e9cc31f41cb5fbd0a55119f1766e41fd`
|
||||
Authorization commit SHA rule: `Use the fresh deployed SHA read back immediately before apply.`
|
||||
|
||||
## Scope
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@
|
|||
"service_readback": "must_fill_after_post_apply_service_readback",
|
||||
"telegram_or_handler_regression_paths": "must_fill_after_post_apply_regression_rerun"
|
||||
},
|
||||
"generated_at_utc": "2026-07-10T01:46:12.932110+00:00",
|
||||
"generated_at_utc": "2026-07-13T01:12:12.154253+00:00",
|
||||
"mode": "receipt_template_not_executed",
|
||||
"must_fill_after_authorized_apply": [
|
||||
"explicit_authorization_record",
|
||||
|
|
@ -37,7 +37,7 @@
|
|||
],
|
||||
"preflight_artifacts": [
|
||||
{
|
||||
"bytes": 12496,
|
||||
"bytes": 12598,
|
||||
"exists": true,
|
||||
"path": "docs/reports/leo-working-state-20260709/working-leo-production-preflight-current.json"
|
||||
},
|
||||
|
|
@ -80,7 +80,7 @@
|
|||
"fill_after_authorization": true,
|
||||
"required_scope": "integrated Working Leo packet set in runbook dependency order"
|
||||
},
|
||||
"git_commit_sha": "57bd705079b2cb5f8cdc7a0a734083cf888177ff",
|
||||
"git_commit_sha": "bef10341e9cc31f41cb5fbd0a55119f1766e41fd",
|
||||
"known_residual_risks": [
|
||||
"GCP parity remains separate until access is restored and read-only parity proof is captured.",
|
||||
"Any Telegram-visible post-apply proof must be separately authorized at action time."
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# Working Leo Production Apply Receipt Template
|
||||
|
||||
Generated UTC: `2026-07-10T01:46:12.932110+00:00`
|
||||
Generated UTC: `2026-07-13T01:12:12.154253+00:00`
|
||||
Mode: `receipt_template_not_executed`
|
||||
Production apply executed: `False`
|
||||
Valid production receipt: `False`
|
||||
|
|
|
|||
|
|
@ -1,10 +1,10 @@
|
|||
{
|
||||
"applies_production_packet": false,
|
||||
"claim_ceiling": "This is read-only production preflight evidence. It can prove current row-level readiness or drift before an apply window. It does not authorize production apply and does not prove canonical rows were changed.",
|
||||
"command_redacted": "docker exec -i teleo-pg psql -U postgres -d teleo -v ON_ERROR_STOP=1 -P pager=off",
|
||||
"command_redacted": "ssh -i [SSH_KEY] -o BatchMode=yes -o StrictHostKeyChecking=accept-new -o ConnectTimeout=15 root@77.42.65.182 'docker exec -i teleo-pg psql -U postgres -d teleo -v ON_ERROR_STOP=1 -P pager=off'",
|
||||
"execute_requested": true,
|
||||
"failures": [],
|
||||
"generated_at_utc": "2026-07-10T01:42:02.835653+00:00",
|
||||
"generated_at_utc": "2026-07-13T01:12:11.343559+00:00",
|
||||
"mode": "live_vps_readonly_preflight",
|
||||
"mutates_production_db": false,
|
||||
"passes": 5,
|
||||
|
|
@ -90,5 +90,5 @@
|
|||
],
|
||||
"ssh_target": "root@77.42.65.182",
|
||||
"status": "pass",
|
||||
"transport": "local-docker"
|
||||
"transport": "ssh"
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# Working Leo Production Preflight
|
||||
|
||||
Generated UTC: `2026-07-10T01:42:02.835653+00:00`
|
||||
Generated UTC: `2026-07-13T01:12:11.343559+00:00`
|
||||
Mode: `live_vps_readonly_preflight`
|
||||
Status: `pass`
|
||||
Executed: `True`
|
||||
|
|
|
|||
Loading…
Reference in a new issue