5.4 KiB
| name | description |
|---|---|
| teleo-gcp-parity-ops | Use for Teleo GCP control-plane inventory, Cloud SQL read-only parity, authenticated Chrome routing, VM/runtime comparison, and exact GCP access gates without collapsing VPS proof into GCP proof. |
Teleo GCP Parity Ops
Working Target
Prove the real GCP resource, database, runtime, and Cory-answer paths separately. Control-plane inventory alone is not database or Leo parity.
Current Verified Inventory
- Project:
teleo-501523(Teleo). - Authenticated Console account: redacted
b***@livingip.xyzviaauthuser=5. - VM:
teleo-prod-1, running ineurope-west6-a. - VM shape: Debian 12,
e2-standard-4, 4 vCPU, 16 GB; OS Login metadata is present. Treat the displayed API scope as metadata, not IAM authorization. - Cloud SQL: exactly one instance,
teleo-pgvector-standby. - Database engine: PostgreSQL
16.14, Enterprise. - Region/zone:
europe-west6/europe-west6-c, single-zone. - Network: private-only
teleo-staging-net; public IP disabled. - Connection name:
teleo-501523:europe-west6:teleo-pgvector-standby. - Cloud SQL Studio loads, but the observed session exposes no enabled existing IAM DB principal and selects built-in password authentication.
- Cloud Logging has guest/platform logs but zero seven-day entries matching
leoclean,hermes,gateway,postgres, orteleo-kb; Ops Agent is not installed. - Read-only serial output is current through
2026-07-10T15:57:54Z. It proves recurring successfulleoclean-cloudsql-memory-sync.servicecycles. The last exactleoclean-gcp-prod-parallel.servicelifecycle event in the retained buffer is a Hermes start on July 9 with no later exact stop/failure. This is not a current PID, process, or deployed-SHA readback.
Read these before refreshing:
docs/reports/leo-working-state-20260709/gcp-cloud-sql-t3-live-readonly-current.jsondocs/reports/leo-working-state-20260709/gcp-cloudsql-studio-parity-gate-current.jsondocs/reports/leo-working-state-20260709/gcp-parallel-delegation-current.jsondocs/reports/leo-working-state-20260709/gcp-leo-runtime-observability-current.json
Browser Rule
Use authenticated Chrome/Computer Use for Console-only facts when CLI auth is
stale. Never use AppleScript, osascript, JXA, open, System Events, or a
focus-stealing fallback. Do not inspect cookies, tokens, saved passwords, or
secret values.
Required Parity Rows
Track each independently:
- control-plane project/VM/Cloud SQL inventory;
- database name, principal, transaction-read-only proof, schema, counts, and selected row identities;
- VM process/service/repo/profile/model/bot configuration;
- no-post
DC-01throughDC-06replies and score; - cleanup and no-mutation readback.
Canonical Restore Rule
The canonical Leo database is VPS Docker Postgres teleo-pg/teleo. The
SQLite pipeline.db to teleo_kb.teleo_restore drill is a separate legacy
pipeline-memory proof and never satisfies canonical Leo parity.
Use:
ops/capture_vps_canonical_postgres_snapshot.pyfor one exported read-only snapshot shared bypg_dumpand the source manifest;ops/postgres_parity_manifest.sqlfor complete row/catalog/role/performance readback;ops/verify_postgres_parity_manifest.py --scope gcp_stagingfor exact parity plus a staging-compute private-connectivity receipt.
The 2026-07-11 local preflight restored all 39 canonical tables and 52,164
rows with zero row-hash, catalog-hash, role, or performance mismatches. That is
local restore proof only. GCP import, private connectivity, and Cory replay are
still unproven.
Cloud SQL Read-Only Query
Only after Studio is already authenticated with an existing principal:
begin transaction read only;
select current_database(), current_user,
current_setting('transaction_read_only');
select count(*) from public.claims;
select count(*) from public.sources;
select count(*) from public.claim_evidence;
select count(*) from public.claim_edges;
select count(*) from kb_stage.kb_proposals;
rollback;
Do not submit a raw password, create a user, change IAM, enable a flag, open browser SSH that creates a key, or mutate infrastructure under this read-only skill.
Exact Current Gate
Database parity is unproven because the privileged gcloud/Console account now
requires password reauthentication, while both planned WIF identities
sa-teleo-readiness and sa-teleo-restore-drill are absent. The only proven
WIF identity is intentionally Artifact Registry-only. The clear CTA is:
Run gcloud auth login billy@livingip.xyz --force, enter the Google password
yourself, and tell Codex: GCP CLI reauthenticated.
Otherwise route the reviewed IAM split to a separately authorized admin window. Once authenticated, create only a generated clone database, import the retained canonical dump, run full parity/private-connectivity/Cory replay, and clean up.
For the narrower read-only Studio route, an operator may instead authenticate
an already-existing database principal and report GCP Studio authenticated;
that permits SQL readback but does not authorize the clone/import replay.
Claim Ceiling
Current proof covers the GCP project, VM, Cloud SQL instance, health, version, private routing surface, and bounded serial unit activity. It does not prove current gateway PID/restarts, deployed SHA, profile, model/auth, Telegram bot identity, selected canonical DB, DB contents, VPS-vs-GCP schema/row parity, safe no-post Cory answers, or cutover.