Newer
Older
openstack-caracal-ipv4 / docs / handoff-20260705-open-items.md

Handoff -- open items register (2026-07-05 session close)

Supersedes docs/handoff-20260703-open-items.md (kept for history). This is the active handoff. Repo HEAD at close: f28de74 ("clearing queue"). Next-free: D-073, DOCFIX-091, BUNDLEFIX-012. Start every new session by: reading this file + docs/session-ledger.md, then running bash scripts/ledger-scan.sh AND bash scripts/ledger-scan.sh --fences, and reconciling.


0. Current state (as-built)

  • Multi-tenant buildout is functionally complete through the beta tenant acceptance tests.
  • validate.sh D-011 acceptance suite is modular and the gauntlet is ALL GREEN (31 harnesses).
  • Vault decision recorded (D-068 amendment): bundle pins vault 1.8/stable (reactive charm, integration-compatible); the 1.16 operator lineage is RULED OUT (certs interface V0->V1 breaks the 18 vault:certificates relations, Raft-only drops the mysql backend, no upgrade path, BUSL, community-broken with Ceph). "Get off EOL vault 1.8.8" stays OPEN under D-068. Evidence: docs/D-068-vault-1.8-vs-1.16-analysis.md. Live vault is 1.8/stable rev 714 (in-channel current).
  • Session-ledger is fenced (delimited-section convention: machine-derived / main-chat / jumphost / shared), and ledger-scan.sh --fences validates it (4 sections, 0 errors). Stay in your lane.
  • The last jumphost ops-update window (ops-update-20260705) is CLOSED; fleet refreshed to current in-channel revisions; controllers/agents at juju 3.6.25; appendix-B re-baselined.

Minor reconcile item for the next session: the ledger "State facts" bullet still reads "ops-update-20260705 in flight" and "D-068 unruled" -- both stale (window closed; D-068 ruled). It's in the append-only shared section, so append a correction rather than rewrite another stream's line.

1. Immediate (small, well-defined; good first tasks)

  • Batch-3 live validation of the D-011 checks (see the verify-live queue below) -- the main thing standing between here and a clean D-011 acceptance close.
  • offboard v2: --sweep-magnum-orphans mode (orphan per-cluster trustee in the magnum domain); stage-3 app-cred idempotency re-run guard. (Both logged-not-actioned.)
  • DOCFIX candidate: sweep the repo for other -f json ... 2>&1 stderr-merge hazards (DOCFIX-085 class).
  • host_href=None barbican observation (exercised fine in stage 6; probably closeable after a look).

2. Verify-live queue (read-only/gated CHECKs; run on the real cloud before trusting)

  • d011-04 amphora_headroom() field parsing (server show .flavor; hypervisor list --long vcpu/ram). Safe default HOLDs on any parse miss -- confirm the OK path live.
  • d011-04 OCCM LB-name-contains-service-name assumption; agnhost /hostname round-robin behavior.
  • d011-04 sequence: run non-disruptively first (RR + member failover), THEN --include-disruptive once N+1 amphora headroom is confirmed (a cloud at its scheduler ceiling cannot heal its own LBs).
  • d011-05 needs a FOIL (2nd) tenant for the P3 isolation check -- onboard one or set VR_FOIL_APPCRED (acme, the former foil, was offboarded).

3. Operator rulings pending (nothing proceeds without these)

  • D-071 (controller update cadence / patch policy) -- stays PROPOSED; ratification is GATED on the pre-DC-DC controller HA/backup planning session (see section 6). Do NOT ratify without it. Backups are confirmed to exist (juju 3.6 create-backup); the open half is single-controller HA.
  • D-068 item 1 vault modernization -- 1.16 is ruled out; the OPEN question is HOW to get off EOL vault 1.8.8 for production. Candidate paths (none adopted): wait for the OpenStack service charms to gain tls-certificates V1 support, evaluate OpenBao (MPL fork), or explicit EOL risk-acceptance for VR0 with a production remediation deadline. Plus D-068 items 2 (Vault listener TLS for Roosevelt -- vault_url is cleartext http today) and 3 (AppRole secret_id TTL audit + proactive auth health probe).
  • D-050 keystone use-policyd-override=true with no policy zip (FINDING-1) -- and the D-063-adjacent identity:list_trusts="" hardening -- remain PROPOSED/OPEN, not actioned.

4. Open security-ledger rows

  • SEC-001 OPEN -- rotate credentials after the current rebuild completes.
  • SEC-003 OPEN -- assign unseal-key custodians + rehearse the second-person unseal (D-069).
  • SEC-004 OPEN -- flip repo visibility to PRIVATE at v1 close (currently public for web_fetch).

5. The deploy path (the reason for all of the above)

Execute the Roosevelt bare-metal multi-datacenter deployment using the Omega Cloud v1 runbooks as the template; the guiding constraint remains minimizing delta to Roosevelt. D-011 (amended per D-019) acceptance validation is the near-term gate -- confirm all criteria post multi-tenant work, which is what the batch-3 verify-live queue closes out.

6. v1-close / project-completion checklist (execute after D-011 passes)

  • Consolidate the 10 per-phase do-documents into a single docs/v1-deploy-runbook.md; drop the per-phase files; preserve the 10-doc structure in git history via the consolidation commit.
  • Set repo visibility PRIVATE (SEC-004).
  • Hold the pre-DC-DC controller HA/backup planning session -> then rule D-071.
  • Onboarding completion package (operator-ruled 2026-07-06; complete BEFORE closing this deployment test env). A written, tested, and validated end-to-end onboarding workflow: scripts + internal docs + drafted client-facing docs (drafts/living, no final polish needed). Items (H-numbers per docs/tenant-onboarding-contract.md section 6):
    • H1 tenant-assert.sh post-onboard verifier, with harness (also offboard preflight + periodic drift sweep).
    • H2 stage-3 app-cred idempotency re-run guard in tenant-onboard.sh.
    • H3 canary access-proof stage (boot canary + FIP + SSH via tenant keypair + teardown) -- the ruled meaning of "confirm tenant SSH access into their domain" (A1.4 confirmed).
    • H4 keystone-policy-drift.sh (script backlog item 6) wired as a periodic check.
    • H5 no-ad-hoc rule embedded in the onboarding runbook.
    • Horizon manager-role GUI identity probe (contract section 5.3) validated live.
    • Client-facing draft package (intake form, welcome/engagement doc, self-service guide) -- repo location per the structure ruling (pending).
    • Full workflow validated on a live onboarding end-to-end (the d011-05 foil tenant is the natural first candidate).

7. Deferred, with explicit revisit triggers

  • GitBucket SSH (System Settings -> Integrations; bind 0.0.0.0:29418, public git.baldurkeep.com:29418) -- verify the deployment topology (Docker port map vs systemd vs firewall) before declaring it works. v1 uses HTTPS basic auth. Trigger: v2 / DC-DC phase.
  • IPv6 dual-stack integration + NetBox restructure/import -- deferred to DC-DC / v2.
  • Roosevelt hardware sheets needed to resolve the four-NIC collapse path (D-059, parked).
  • SpryLogin / identity platform decision (FreeIPA vs Keycloak vs Authentik).

8. Startup prompt -- NEW MAIN CHAT (claude.ai stream)

You are resuming the Omega Cloud v1 / Baldurkeep project (commercial multi-tenant Charmed OpenStack Caracal 2024.1). You are the main claude.ai chat stream. A parallel Claude Code (jumphost) stream runs concurrently -- coordinate, do not collide.

First, orient (do this before anything else): pull the repo; read docs/handoff-20260705-open-items.md, docs/session-ledger.md, and docs/design-decisions.md; run bash scripts/ledger-scan.sh and bash scripts/ledger-scan.sh --fences; reconcile the ledger narrative against the scan. The repo is authoritative over your memory of it.

Your lane / discipline: you work a sandbox clone via gated copy-paste; the operator (Jesse) runs blocks on the jumphost and pastes output back. Deliver multi-file changes as repo-relative ZIPs (never loose files). Committed files are pure ASCII + LF. In the session-ledger, edit only the main-chat fenced section; the machine-derived block is regenerated by ledger-scan (never hand-typed); the shared section is append-only. When you consume a D-/DOCFIX-/BUNDLEFIX- number, grep for next-free first and coordinate with Code. Harness-first: run test harnesses before executing live; own mistakes plainly and immediately.

Current state: multi-tenant buildout complete through beta acceptance; validate.sh D-011 suite modular, gauntlet ALL GREEN (31). Vault is settled on 1.8/stable (D-068: 1.16 ruled out; EOL is the open item). Reconciliation is done and clean.

Likely next work (confirm with Jesse): batch-3 live validation of the D-011 checks (verify-live queue in the handoff) -> D-011 acceptance close; then project-completion (consolidate do-docs, flip repo private). D-068 EOL-vault modernization research is available when Jesse wants it. Do NOT ratify D-071 or move vault to 1.16 -- both are operator/decision-gated.

Standing meta-instruction from Jesse: before answering, state what you need to know and any assumptions you'd otherwise make. Debate best-practice deviations with sourced rationale.

9. Startup prompt -- CLAUDE CODE (jumphost stream)

You are resuming the Omega Cloud v1 / Baldurkeep project as the Claude Code (jumphost) stream, executing live on the cloud. A parallel main claude.ai chat stream runs concurrently -- coordinate, do not collide.

First, orient: read docs/handoff-20260705-open-items.md, docs/session-ledger.md, and docs/design-decisions.md; run bash scripts/ledger-scan.sh and bash scripts/ledger-scan.sh --fences; reconcile. Repo is authoritative over memory.

Your lane / discipline: in the session-ledger, edit only the jumphost fenced section; the shared section is append-only; do not touch the main-chat section. When you consume a D-/DOCFIX-/BUNDLEFIX- number, record it in its canonical home (design-decisions / changelog) FIRST, then regenerate the machine-derived block by running ledger-scan and pasting its output -- never hand-type numbers. Keep the <!-- SECTION -->/<!-- END --> fences intact; pull before you edit. Committed files ASCII + LF. Gate destructive/irreversible steps individually; verify before mutate.

Current state: last ops-update window (ops-update-20260705) is CLOSED; fleet current in-channel; juju 3.6.25. Vault is 1.8/stable rev 714 (current in-channel).

Hard constraints:

  • Vault stays 1.8/stable. Do NOT move it to 1.16 (D-068: fundamentally different, incompatible charm). In-channel currency only.
  • D-071 stays PROPOSED. Do NOT ratify it -- that is operator authority, gated on the pre-DC-DC controller HA/backup planning session. Controller backups exist (create-backup on 3.6); the open half is single-controller HA.

Likely next work (confirm with Jesse): support batch-3 live validation of the D-011 checks (verify-live queue in the handoff); controller update cadence per D-071 ONCE it is adopted (not yet).