|
C4 DONE: document the NetBox sandbox loop; add the upstream-write guard it exposed
C4 (Stage 2 close-out) -- the sandbox loop is now documented in two places, no rationale duplicated: docs/dc-dc-netbox-buildout-scope.md section 8 (design: why a sandbox, the fidelity check + its 2026-07-14 hardening, the write-guard table, the WAF trap, C2 preconditions) and runbooks/dc-dc-phase1-office1-standup.md Step 10b (the dump->seed->apply->verify->gated-write sequence, two-host/two-token separation). Drafted by a subagent, corrected against this session's own fixes before placement. The guard C4 exposed: roles-aggregates-import.py and dc-dc-prefixes-import.py had NO hostname gate -- until today the WAF 403 was the only thing stopping an accidental --commit to the apex, and the UA fix removed that accidental safety. Both now gate a non-sandbox --commit behind --yes-write-upstream (SANDBOX_HOSTS allowlist), matching d115-office-carve.py -- so all three write-capable importers behave identically. This is defence-in-depth with the whole-plan preflights (which prevent a half-write). Tests: prefixes-import 86->91 (refused without the flag + writes nothing; allowed with it; sandbox host needs no flag). roles-aggregates 20->24. GAUNTLET ALL GREEN (58). Stage 2: C1/C3/C4 DONE. C2 (production write) is the only item left -- gated, with preconditions now documented (re-verify sandbox under the hardened check, run from office1-netbox, --yes-write-upstream, approve each mutation). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> |
|---|
|
|
| docs/changelog-20260714-c4-sandbox-loop-and-upstream-guard.md 0 → 100644 |
|---|
| docs/dc-dc-deployment-workflow.md |
|---|
| docs/dc-dc-netbox-buildout-scope.md |
|---|
| docs/session-ledger.md |
|---|
| netbox/dc-dc-prefixes-import.py |
|---|
| netbox/roles-aggregates-import.py |
|---|
| runbooks/dc-dc-phase1-office1-standup.md |
|---|
| tests/dc-dc-prefixes-import/test_logic.py |
|---|
| tests/roles-aggregates-import/run-tests.sh |
|---|