14 KiB
| name | description |
|---|---|
| teleo-gcp-parity-ops | Use for passwordless Teleo GCP VM access, private Cloud SQL canonical parity, GCP Leo runtime readback, m3taversal no-send replay, rollback, and cleanup without collapsing VPS proof into GCP proof. |
Teleo GCP Parity Ops
Working Target
Restore a copy of the VPS canonical Leo database to GCP, prove exact schema, row, role membership, ownership, ACL, extension, performance, and private-connectivity parity, then run the real GCP Leo read/reasoning path without Telegram sends or DB mutation.
The required tier is T3: a live private GCP staging restore, readback, reasoning, compute attestation, and cleanup receipt. Local restore proof or an access-gate report does not satisfy this tier.
Operator Paths
The direct alias was passwordless and live-verified on 2026-07-14:
ssh teleo-gcp-staging
It uses ~/.ssh/google_compute_engine for the configured operator,
disables password and keyboard-interactive authentication, and does not store a
Google password. That is historical proof, not current reachability. The route
remains firewall-source-dependent. On
2026-07-15, both direct SSH and the private TCP route timed out; verify
ssh -o BatchMode=yes teleo-gcp-staging true before a long run and fail closed
if it does not return successfully.
The intended secondary path is .github/workflows/gcp-iap-operator.yml, using
short-lived GitHub OIDC, IAP, OS Login, and fixed reviewed operations. It is
merged but not bootstrapped: the current 2026-07-15 check still lacks the
reviewed operator WIF/IAP authority. Provider teleo-iap-operator is absent,
disabled, or deleted (invalid_target), and the available artifact identity is intentionally not
a Cloud SQL/Compute operator. Do not call this path working until a live status run passes
with the intended operator identity.
Historically verified and intended target; reverify before any new lifecycle:
- project
teleo-501523; - VM
teleo-prod-1ineurope-west6-a; - Cloud SQL
teleo-pgvector-standby, PostgreSQL 16.14; - private endpoint
10.61.0.3:5432, public IP disabled, TLS required; - restore identity
sa-teleo-restore-drill@teleo-501523.iam.gserviceaccount.com; - service
leoclean-gcp-prod-parallel.service.
Direct libpq connections must use sslmode=verify-full, a reviewed DNS name
covered by the server certificate, and a private regular CA file. The private
IP is hostaddr, not the certificate identity. Never downgrade to
sslmode=require or accept an arbitrary *.iam.gserviceaccount.com identity.
Never print the Cloud SQL or Google password. On the VM, use the attached service account and Secret Manager through reviewed wrappers or a short-lived environment variable, then unset it.
Two Different Databases
- Canonical collective knowledge remains VPS PostgreSQL database
teleo, withpublic.*andkb_stage.*tables. Persistent Cloud SQL databaseteleo_canonicalis a staging copy and has not been promoted. - Hermes conversation continuity is
state.dbplus session JSONL files. Theleoclean-cloudsql-memory-sync.servicesnapshot path copies this runtime memory; it does not populate or prove canonical claims, sources, evidence, edges, or proposals.
Do not describe a passing Hermes memory sync as canonical KB parity.
Retained Historical Proof - 2026-07-14
- The newest captured VPS database has
39tables and52,167rows, including claims1837, sources4145, claim evidence4670, claim edges4916, and proposals29. - A disposable private-TLS GCP clone restored that snapshot with exact
39/39-table and52,167/52,167-row parity. Rowsets, schema objects, roles, extensions, constraints, and performance checks had zero mismatches. - A real no-send GCP Hermes turn received an ID-free claim challenge, performed
search,show,evidence, andedges, retrieved the expected claim and both source rows, and passed18/18runtime checks plus6/6reasoning outcomes. It did not send Telegram or write the DB. statusand zero-hit search work on a canonical-only clone without the optionalteleo_restoreaudit schema. All read commands emit deterministic retrieval receipts.- The generated clone was deleted. The retained rollback database remains
connection-disabled with zero sessions. The GCP gateway remained PID
148735,NRestarts=0, active/running throughout that bounded experiment. - PR
#144merged the reviewed helper/skill. After deployment, the service survived a controlled restart and is active/running at PID304036, start time2026-07-14 10:40:17 UTC. Live post-restartstatusandsearchreturned Cloud SQL retrieval receipts with unchanged canonical counts. - A live regression showed the old wrapper could time out its stronger status probe and fall through to a different local tool. Supported GCP KB commands now route directly to Cloud SQL and fail closed on errors; two behavioral tests enforce that invariant.
- Persistent GCP
teleo_canonicalremains the older staging copy measured at52,164rows and26proposals. It has not been promoted or cut over.
That historical clone predates the expanded ownership/ACL and independently authenticated receipt contract. It remains useful historical row/schema proof, but it is not current T3 proof under this skill.
Open Least-Privilege Candidates
PR #148, Scope GCP Leo runtime to least-privilege Cloud SQL access, is open as
of the 2026-07-15 skill-pack reconciliation. Draft PR #162, Harden GCP Leo runtime least-privilege proof, is its current hardening successor. They propose
scoped runtime roles, secret access, fail-closed Cloud SQL behavior, deployment
rollback, and positive plus negative permission checks. Those branch files and
proposed live outcomes are candidate evidence only. Before using them, run:
gh pr view 148 --json state,mergedAt,mergeCommit,headRefName,url
gh pr view 162 --json state,mergedAt,mergeCommit,headRefName,url
Until a successor is merged and its runtime receipt passes, use only paths present on
canonical main, keep persistent GCP classified as staging, do not promote it,
and do not infer least-privilege cutover from a branch or dry run.
Primary retained proof:
docs/reports/leo-working-state-20260709/gcp-db-first-working-leo-20260714.mddocs/reports/leo-working-state-20260709/gcp-db-first-restore-current.jsondocs/reports/leo-working-state-20260709/gcp-db-first-parity-current.jsondocs/reports/leo-working-state-20260709/gcp-db-first-blind-claim-current.jsondocs/reports/leo-working-state-20260709/gcp-db-first-cleanup-current.jsondocs/reports/leo-working-state-20260709/gcp-db-first-live-deploy-restart-current.json
Required Parity Rows
Track these independently:
- control-plane project, VM, Cloud SQL, private-IP, and TLS identity;
- canonical database schema, counts, row hashes, constraints, indexes, functions, extensions, exact roles and memberships, owners, normalized schema/relation/column/function/type ACLs, and performance;
- GCP service PID/restarts plus live profile and tool hashes;
DC-01throughDC-06DB-read readiness;- real no-send model replies, strict score, and exact count consistency;
- no-mutation fingerprints, child/profile cleanup, clone deletion, and rollback disposition.
Canonical Restore And Replay
Use:
ops/capture_vps_canonical_postgres_snapshot.pyfor a single source dump and manifest, with a required retained--authorization-refand v2 provenance receipt binding the exported snapshot identity plus dump/manifest hashes; it requires identical healthy structured source-service states before/after (active/running, positive PID, nonnegative restart count);ops/restore_gcp_generated_postgres_snapshot.py restore --executefor a receipt-bound private-TLS restore into a boundedteleo_clone_*database; pass the exact capture--source-receipt, and require its live Cloud SQL control-plane check to prove public IP disabled before clone creation; it requires the exact restore service account plus--ssl-server-nameand--ssl-root-certfor certificate-authenticatedverify-fullTLS; it writestarget-manifest.jsonl,restore-receipt.json, and the generatedgcp-private-connectivity.jsonunder/var/lib/teleo-gcp-restore-runs/<restore-run-id>/;ops/restore_gcp_generated_postgres_snapshot.py cleanup --executefor exact clone cleanup with live-service and rollback readback;ops/postgres_parity_manifest.sqlfor row/catalog/role/performance readback;ops/verify_postgres_parity_manifest.py --scope gcp_stagingfor exact parity, always retaining the canonical output namegcp-parity.json;scripts/run_gcp_generated_db_direct_claim_suite.pyfor the adapter-free, read-only, no-send six-response replay against a generatedteleo_clone_*.scripts/run_gcp_generated_db_blind_claim_canary.pyfor the bounded ID-free claim challenge, source receipt, reasoning, no-write, and cleanup proof.ops/attest_gcp_reasoning_compute.pyon the replay VM after blind reasoning and before cleanup, binding the reasoning receipt SHA-256 to live GCE metadata inreasoning-compute-attestation.json;- a second authorized source capture after cleanup, followed by
ops/verify_vps_canonical_snapshot_delta.py, to retain the explicit post-snapshot VPS delta insource-delta-receipt.json; ops/verify_gcp_canonical_lifecycle.pyafter cleanup to bind the exact source, current source, source delta, restore,gcp_stagingparity, ID-free reasoning, reasoning-compute attestation, and cleanup receipts into one fail-closed preparation verdict. Caller-writable JSON can never emit T3 from this API; even an internally valid bundle returnsprepared_external_attestation_required,current_tier=T2, andaccepted_by_this_api=false. Pass--max-postflight-age-seconds 900and--max-lifecycle-age-seconds 3600; the latter bounds both cleanup-to-verdict age and restore-to-postflight span.
With TARGET_DB, RESTORE_RUN_ID, and PRIVATE_RUN_DIR set as shown in the
runbook, run the replay-host attestation after the blind receipt passes and
before the receipt-bound cleanup:
sudo python3 ops/attest_gcp_reasoning_compute.py \
--reasoning-receipt "${PRIVATE_RUN_DIR}/blind-reasoning-receipt.json" \
--restore-run-id "$RESTORE_RUN_ID" \
--target-db "$TARGET_DB" \
--project teleo-501523 \
--expected-compute-instance teleo-prod-1 \
--expected-compute-zone europe-west6-a \
--expected-private-network projects/teleo-501523/global/networks/teleo-staging-net \
--expected-restore-service-account sa-teleo-restore-drill@teleo-501523.iam.gserviceaccount.com \
--output "${PRIVATE_RUN_DIR}/reasoning-compute-attestation.json"
The replay must use the Hermes virtualenv, not system Python:
/home/teleo/.hermes/hermes-agent/venv/bin/python \
scripts/run_gcp_generated_db_direct_claim_suite.py ...
The lifecycle is not complete until the generated clone, temporary profile,
children, transient upload/bundle directories, and any temporary client are
absent. Preserve the private receipt run directory and every useful lifecycle
input, supporting receipt, and verifier output; do not treat that evidence as
transient cleanup. The canonical restore streams through pg_restore and
creates no GCS import object.
The current snapshot and restore commands intentionally use --no-owner and
--no-acl/--no-privileges. The expanded manifest therefore fails GCP parity
until a separately reviewed Cloud-SQL-compatible authorization replay restores
the captured owner/grant semantics. Do not bypass this by dropping the new
manifest rows or by running the Docker/superuser gate bootstrap blindly on
shared Cloud SQL.
Static inspection or a dry run is insufficient for these helpers: verify a new capture against the live VPS and run the focused tests. A current T3 claim also requires a separate independently authenticated provider/platform receipt that the bundle author cannot mint.
Safety And Claim Ceiling
- Do not send Telegram messages from the GCP parity lane.
- Do not apply, approve, or stage KB changes during read/reasoning replay.
- Do not restart the live GCP gateway for tool-file synchronization unless a separate restart window is explicitly requested.
- Do not call control-plane inventory, memory sync, route readiness, or a nominal scorer pass full m3taversal parity.
The strongest claim emitted by the repository lifecycle verifier is T2 structural consistency. Exact DB parity plus real no-send model replies with truthful counts and cleanup still requires independent T3 attestation. Neither proves Telegram delivery, GCP canonical mutation, ongoing replication, or production cutover.
Current Access And Next Action
As of 2026-07-15, direct SSH and private TCP timed out, local gcloud for
billy@livingip.xyz requires reauthentication, and the intended operator
WIF/IAP authority is unavailable. The artifact-builder WIF identity must not be
expanded or mistaken for database-operator access. Current retained T2/source
and local restore proof does not satisfy the required T3 lifecycle.
The next action after an authorized operator route is restored is: newest
authorized VPS capture -> disposable private teleo_clone_* restore ->
generated private-connectivity receipt -> gcp-parity.json -> no-send
m3taversal blind reasoning -> live GCE reasoning attestation -> receipt-bound
clone cleanup -> postflight VPS capture/delta -> eight-receipt lifecycle verdict
within the 900/3600-second freshness bounds. Do not promote
teleo_canonical, expose Cloud SQL publicly, send Telegram, or mutate canonical
knowledge.