Skip to content

docs: DRC token auth note + confirmed infra inventory (tim-postgres host, Neon migration)#190

Merged
labgadget015-dotcom merged 3 commits into
mainfrom
docs/drc-token-and-infra-inventory
Jul 6, 2026
Merged

docs: DRC token auth note + confirmed infra inventory (tim-postgres host, Neon migration)#190
labgadget015-dotcom merged 3 commits into
mainfrom
docs/drc-token-and-infra-inventory

Conversation

@labgadget015-dotcom

Copy link
Copy Markdown
Owner

Summary

Two documentation/config commits, rescued from ground-truth that had been sitting uncommitted on a stale copilot branch. No application code, no secrets.

  • docs(claude) — records the DRC webhook auth mechanism in CLAUDE.md: the static x-gadgetlab-token header gated in the DRC Prepare Input node, the Event Router as sole legitimate sender, the token living only in n8n (never committed), last rotated 2026-07-06 with the old value retired, plus the rotation procedure. Notes health-check pings are exempt via the Route Health Ping → Pong branch.
  • docs(inventory) — confirmed infra ground-truth from live investigation:
    • docs/inventory/services.yaml: tim-postgres host unknown100.98.109.40 (m900-homelab, Tailscale), container postgres-tim (postgres:16-alpine), verified via docker ps on M900.
    • docs/inventory/hosts.yaml: confirmed M900 host details.
    • slack-app-manifest.yaml: adds _metadata version + bot_user.
    • migrations/neon_tim_agent_runs.sql: Neon schema for tim.agent_runs, for the pending managed-Postgres cutover.

Context

These changes are unrelated to open PR #174 (a narrow changelog-identity fix); they were stray uncommitted work in that branch's checkout. This PR lands the durable, verified pieces on main on their own clean branch, leaving PR #174 and the rest of that branch's WIP untouched.

Test plan

  • Docs/config only — no code paths affected
  • No secret values included (repo is public; token value stays in n8n)
  • Base a45ba72 is an ancestor of origin/main → PR is exactly these 2 commits

🤖 Generated with Claude Code

labgadget015-dotcom and others added 2 commits July 6, 2026 05:31
Static x-gadgetlab-token header gated in the DRC Prepare Input node;
Event Router is the sole sender; value lives only in n8n (never
committed). Last rotated 2026-07-06, old token retired. Health-check
pings are exempt via the Route Health Ping -> Pong branch.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…+ slack manifest

- inventory/services.yaml: tim-postgres host unknown -> 100.98.109.40
  (m900-homelab, Tailscale), container postgres-tim (postgres:16-alpine),
  confirmed via docker ps on M900.
- inventory/hosts.yaml: confirmed M900 host details.
- slack-app-manifest.yaml: add _metadata version + bot_user.
- migrations/neon_tim_agent_runs.sql: Neon schema for tim.agent_runs
  (for the pending managed-Postgres cutover).

Ground-truth from live infra investigation; previously uncommitted
on a stale copilot branch. No application code included.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings July 6, 2026 05:36
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

📊 Code Complexity Analysis

Summary:

  • Total Functions Analyzed: 807
  • Average Complexity: 3.51
  • High Complexity Functions: 27
  • Low Maintainability Files: 58

⚠️ High Complexity Functions

These functions exceed the complexity threshold and should be refactored:

File Function Complexity Line
core/risk_scorer.py score_pull_request 35 141
autopilot/autopilot.py generate_summary 24 195
autopilot/staleness_engine.py process_stale_prs 16 281
autopilot/ai_optimization/performance_monitor.py get_benchmark_stats 15 184
.github/scripts/weekly_digest.py build_blocks 15 38
autopilot/recommendation_contract.py validate 14 49
.github/scripts/metrics_collector.py parse_workflow_metrics 14 148
.github/scripts/setup_branch_protection.py main 14 240
.github/scripts/self_healing_system.py analyze_failure_patterns 14 256
.github/scripts/ai_code_suggestor.py _check_import_organization 14 113

... and 17 more

Recommendations:

  • Break down large functions into smaller, focused units
  • Extract complex conditional logic into separate functions
  • Use early returns to reduce nesting

🔧 Low Maintainability Files

These files have low maintainability scores and may need refactoring:

File Score Status
.github/scripts/health_dashboard_generator.py 28.14 🔴
.github/scripts/workflow_monitor.py 33.73 🔴
.github/scripts/ai_code_suggestor.py 33.76 🔴
.github/scripts/ai_workflow_optimizer.py 35.51 🔴
.github/scripts/performance_benchmark.py 39.46 🔴
.github/scripts/self_healing_system.py 40.27 🔴
.github/scripts/threshold_monitor.py 41.13 🔴
.github/scripts/parallel_code_analyzer_optimized.py 41.16 🔴
autopilot/autopilot.py 42.45 🔴
autopilot/ai_optimization/anomaly_detector.py 42.56 🔴
agents/triage_agent.py 42.79 🔴
.github/scripts/refactoring_assistant.py 43.03 🔴
autopilot/ai_optimization/intelligent_cache.py 43.28 🔴
autopilot/ai_optimization/commit_summarizer.py 44.05 🔴
.github/scripts/async_parallel_analyzer.py 44.47 🔴
autopilot/ai_optimization/performance_monitor.py 44.69 🔴
.github/scripts/badge_generator.py 45.28 🔴
.github/scripts/copilot_integration.py 45.37 🔴
.github/scripts/distributed_monitoring.py 45.53 🔴
.github/scripts/elite_copilot.py 45.69 🔴
agents/dependency_agent.py 45.76 🔴
.github/scripts/issue_auto_creator.py 46.39 🔴
.github/scripts/cost_calculator.py 46.4 🔴
.github/scripts/inline_pr_commenter.py 46.63 🔴
.github/scripts/complexity_reporter.py 46.78 🔴
.github/scripts/pr_triage.py 47.13 🔴
core/risk_scorer.py 48.15 🔴
autopilot/ai_optimization/nlp_relevance_filter.py 48.43 🔴
.github/scripts/pr_inline_commenter.py 48.47 🔴
autopilot/staleness_engine.py 48.73 🔴
.github/scripts/metrics_collector.py 48.91 🔴
.github/scripts/dependency_updater.py 48.91 🔴
autopilot/ai_optimization/ml_priority_scorer.py 49.53 🔴
.github/scripts/changelog_generator.py 49.75 🔴
.github/scripts/parallel_code_analyzer.py 49.96 🔴
autopilot/ai_optimization/api_optimizer.py 50.46 🟡
agents/security_scan_agent.py 51.04 🟡
autopilot/tests/test_recommendation_contract.py 51.15 🟡
.github/scripts/workflow_optimizer.py 51.67 🟡
.github/scripts/cot_selector.py 51.73 🟡
.github/scripts/release_manager.py 51.92 🟡
.github/scripts/llm_router.py 52.35 🟡
.github/scripts/auto_pr.py 52.72 🟡
.github/scripts/notification_manager.py 53.58 🟡
.github/scripts/prometheus_exporter.py 54.96 🟡
.github/scripts/weekly_digest.py 55.02 🟡
core/audit_logger.py 55.6 🟡
.github/scripts/gather_context.py 56.0 🟡
core/llm_provider.py 56.32 🟡
.github/scripts/streaming_results.py 56.64 🟡
.github/scripts/setup_branch_protection.py 57.0 🟡
.github/scripts/optimized_github_client.py 58.27 🟡
agents/orchestrator_agent.py 59.02 🟡
agents/code_review_agent.py 60.45 🟡
core/github_client.py 61.96 🟡
core/message_queue.py 63.22 🟡
core/agent_config.py 63.86 🟡
core/idempotency.py 64.45 🟡

Maintainability Index Guide:

  • 🟢 85-100: Excellent maintainability
  • 🟡 65-84: Good maintainability
  • 🟠 50-64: Moderate maintainability (consider refactoring)
  • 🔴 0-49: Poor maintainability (needs refactoring)

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

🔴 Risk Assessment: HIGH (7.5/10)

Analysed 28 files, 114+ / 1932− lines. Security-sensitive paths detected. Test coverage unchanged or improved.

Scoring breakdown

Factor Score
Change volume — 2046 lines changed +2.0
Files touched — 28 files +1.0
Sensitive paths — 2 security-relevant files +3.0
Risky extensions — 7 config/script files +1.5

⚠️ Security-sensitive paths modified

  • .github/workflows/pre-commit-ci.yml
  • .github/workflows/security_scan.yml

Auto-merge blocked. Manual review required.

@github-actions github-actions Bot added the documentation Improvements or additions to documentation label Jul 6, 2026
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

🔍 Pre-commit Checks

🔧 Pre-commit issues were automatically fixed and committed.

Please pull the latest changes before pushing again:

git pull origin docs/drc-token-and-infra-inventory

Pre-commit hooks help maintain code quality and consistency.

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

🤖 Elite AI Copilot Analysis

Elite AI Copilot Analysis Report

Generated: 2026-07-06 05:36:39
Session ID: copilot_1783316199
Repository: .

🎯 Health Score: 100.0/100

🚀 Top Recommendations

  1. ✅ Repository is in excellent shape - continue current practices

📊 Detailed Insights

Code Quality Baseline Established

  • Category: code_quality
  • Severity: info
  • Description: Repository code quality metrics captured
  • Suggested Action: Continue monitoring for regressions
  • Confidence: 90%

Security Scan Initiated

  • Category: security
  • Severity: info
  • Description: No critical vulnerabilities detected in initial scan
  • Suggested Action: Enable continuous security monitoring
  • Confidence: 85%

Repository Structure Analyzed

  • Category: architecture
  • Severity: info
  • Description: Well-organized modular structure detected
  • Suggested Action: Maintain separation of concerns
  • Confidence: 80%

Performance Baseline Captured

  • Category: performance
  • Severity: info
  • Description: Repository performance metrics recorded
  • Suggested Action: Monitor for performance regressions
  • Confidence: 75%

Documentation Structure Good

  • Category: documentation
  • Severity: info
  • Description: Comprehensive documentation files present
  • Suggested Action: Keep documentation in sync with code changes
  • Confidence: 90%

Powered by Elite AI Copilot v1.0

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Code Quality Analysis ❌ FAILED

Duration: 0.03s
Total Issues: 10

Tool Results

  • pylint: ❌
  • flake8: ❌
  • bandit: ❌
  • radon_cc: ❌
  • radon_mi: ❌
View detailed results
{
  "timestamp": "2026-07-06 05:36:42",
  "elapsed_seconds": 0.03,
  "summary": {
    "total_issues": 10,
    "critical": 0,
    "high": 0,
    "medium": 0,
    "low": 0
  },
  "tools": {
    "pylint": {
      "status": "failed",
      "output": "",
      "errors": "Pylint error: [Errno 2] No such file or directory: 'pylint'"
    },
    "flake8": {
      "status": "failed",
      "output": "",
      "errors": "Flake8 error: [Errno 2] No such file or directory: 'flake8'"
    },
    "bandit": {
      "status": "failed",
      "output": "",
      "errors": "Bandit error: [Errno 2] No such file or directory: 'bandit'"
    },
    "radon_cc": {
      "status": "failed",
      "output": "",
      "errors": "Radon error: [Errno 2] No such file or directory: 'radon'"
    },
    "radon_mi": {
      "status": "failed",
      "output": "",
      "errors": "Radon MI error: [Errno 2] No such file or directory: 'radon'"
    }
  },
  "passed": false
}

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

🔒 Security Scan Results

🛡️ Bandit Security Scan

  • 🔴 HIGH: 0
  • 🟡 MEDIUM: 9
  • 🟢 LOW: 100

📦 Dependency Vulnerabilities

  • Total vulnerable dependencies: 61

Vulnerable Dependencies:

  • pygithub 2.9.1
  • aiohttp 3.14.1
  • multidict 6.7.1
  • yarl 1.24.2
  • pyyaml 6.0.3
  • ... and 56 more

Security scans run automatically on every PR. View detailed reports in the Actions tab.

@labgadget015-dotcom

Copy link
Copy Markdown
Owner Author

🤖 DRC Agent Analysis

Recommendation: 🟠 P1 IMPORTANT

Summary: Realist Solution 1 (Direct Merge — Minimal Friction) with Solution 2 (Structured Docs-as-Code with Schema Validation) as follow-up

Next steps:

  1. Step 1: Run git merge-base --is-ancestor a45ba72 origin/main to confirm valid ancestry; if it fails, rebase branch onto current main HEAD before opening PR
  2. Step 2: Run git diff origin/main...HEAD -- . | grep -iE 'token|secret|password|key' and confirm zero secret values appear — only rotation metadata
  3. Step 3: Open PR from stale copilot branch to main with title 'docs: DRC webhook token auth notes and confirmed infra inventory' — include explicit PR checklist item requiring reviewer to verify tim-postgres IP against known infrastructure
  4. Step 4: Add single GitHub Actions job that runs python -c "import yaml; yaml.safe_load(open('docs/inventory/services.yaml'))" and same for hosts.yaml — zero new dependencies, catches malformed YAML
  5. Step 5: Merge using merge commit (not squash) to preserve two-commit authorship history per Realist recommendation

Strategic fit: Consulting: high · Product: high · Tech debt: reduces


Analysed by GadgetLab DRC Agent (Dreamer → Realist → Critic) · Run run_1783316169990

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Documentation/config-only PR that captures DRC operational ground-truth (webhook auth note + infra inventory updates) and adds a Neon SQL schema snippet for a pending TIM Postgres migration, plus a small Slack app manifest metadata update.

Changes:

  • Documented DRC webhook authentication mechanism and rotation notes in CLAUDE.md.
  • Updated infra inventory (docs/inventory/*.yaml) with confirmed tim-postgres + M900 homelab details and additional operational notes.
  • Added migrations/neon_tim_agent_runs.sql to recreate tim.agent_runs on Neon; updated Slack manifest with _metadata and bot_user.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
slack-app-manifest.yaml Adds Slack manifest _metadata and bot_user configuration.
migrations/neon_tim_agent_runs.sql New SQL to create tim.agent_runs schema/table/indexes for Neon.
docs/inventory/services.yaml Updates tim-postgres inventory record with confirmed host/container and operational notes.
docs/inventory/hosts.yaml Fills in M900 homelab host details and hosted services/access notes.
CLAUDE.md Adds documentation about DRC webhook authentication and rotation procedure.

Comment on lines +86 to +87
depends_on:
- m900-homelab
Comment on lines +94 to +112
notes: >
Schema: tim.agent_runs. BROKEN as of 2026-07-02: `postgres-tim` container on
M900 is Docker-mapped to 127.0.0.1:5432 only (loopback-only, confirmed via `docker ps`
and `ss -tlnp` on M900) — not bound to the Tailscale interface, 0.0.0.0, or any
Caddy/Tailscale-Funnel proxy (both confirmed absent). n8n Cloud
(gadgetlab.app.n8n.cloud) has NO network path to reach this database. The
`gndQWH8pCjbtieRf` credential's host value only works when queried from a process
running locally on M900 (e.g. the separate self-hosted n8n instance also on M900,
proxied at https://m900-homelab.tail8e0dcd.ts.net/n8n). Result: Daily DRC Digest
(shhwyRRdoEdedYLa) has failed on every run since at least 2026-06-25 (0 successes
in retained execution history), and any n8n-Cloud workflow querying tim.agent_runs
will fail identically. Postgres's own pg_hba.conf already allows remote
password-auth connections (`host all all all scram-sha-256`) — the ONLY blocker is
the Docker port binding. Fix requires a deliberate decision (not yet made): rebind +
Tailscale Funnel (exposes DB publicly — real risk), migrate to a managed cloud
Postgres, or move the querying workflows onto the local M900 n8n instance. See
obsidian-ai-architect-vault memory project_gadgetlab.md for full diagnosis.
Second credential yzbjlFaqm3pBpc62 discovered 2026-06-27 — still unconfirmed if
same host or separate DB.
Comment thread docs/inventory/hosts.yaml
access:
- method: SSH
notes: "SSH access not confirmed from current environment"
notes: "Confirmed working 2026-07-02: `ssh -i ~/.ssh/m900_homelab ai@100.98.109.40`"
Comment thread docs/inventory/hosts.yaml
notes: "Homelab host. Referenced in prior sessions but not directly reachable from cloud shell."
notes: "Confirmed — node 100.98.109.40, tailnet tail8e0dcd.ts.net"
- method: browser (Caddy, HTTPS, basic-auth)
url: "https://m900-homelab.tail8e0dcd.ts.net (grafana/prometheus/n8n/portainer/cadvisor/obsidian paths, user: gadget)"
Comment thread CLAUDE.md
- Sessions expire after ~30–60 min of inactivity; autosave silently fails with 401. Claude cannot re-authenticate — Gadget must log in.
- Canvas drag-and-drop is unreliable; prefer JavaScript/Pinia store manipulation when automating node placement.
- "Notify Slack — DRC Result" node uses HTTP Request → Slack Incoming Webhook (no OAuth). Channel: `#drc-recommendations` (gadgetai.slack.com). Webhook secret stored as `SLACK_WEBHOOK_URL` GitHub secret.
- **DRC webhook auth (`x-gadgetlab-token`):** the DRC Agent Loop's `Prepare Input` node gates all real traffic on a static `x-gadgetlab-token` header; the Event Router's "Forward to Agent Loop" node is the sole legitimate sender. The token value lives **only in n8n** (embedded literals in both nodes — never committed to this public repo, never a GitHub secret). Last rotated **2026-07-06**; the old value is retired (rejected with `Unauthorized`). To rotate: set the same new value in both nodes and publish both. Health-check pings are exempt — the `Route Health Ping` IF node short-circuits them to a `Pong` 200 before the gate, so `n8n-health-check.yml` needs no token.
@labgadget015-dotcom labgadget015-dotcom merged commit 46e776a into main Jul 6, 2026
@labgadget015-dotcom labgadget015-dotcom deleted the docs/drc-token-and-infra-inventory branch July 6, 2026 05:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants