docs: DRC token auth note + confirmed infra inventory (tim-postgres host, Neon migration)#190
Conversation
Static x-gadgetlab-token header gated in the DRC Prepare Input node; Event Router is the sole sender; value lives only in n8n (never committed). Last rotated 2026-07-06, old token retired. Health-check pings are exempt via the Route Health Ping -> Pong branch. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…+ slack manifest - inventory/services.yaml: tim-postgres host unknown -> 100.98.109.40 (m900-homelab, Tailscale), container postgres-tim (postgres:16-alpine), confirmed via docker ps on M900. - inventory/hosts.yaml: confirmed M900 host details. - slack-app-manifest.yaml: add _metadata version + bot_user. - migrations/neon_tim_agent_runs.sql: Neon schema for tim.agent_runs (for the pending managed-Postgres cutover). Ground-truth from live infra investigation; previously uncommitted on a stale copilot branch. No application code included. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
📊 Code Complexity AnalysisSummary:
|
| File | Function | Complexity | Line |
|---|---|---|---|
core/risk_scorer.py |
score_pull_request |
35 | 141 |
autopilot/autopilot.py |
generate_summary |
24 | 195 |
autopilot/staleness_engine.py |
process_stale_prs |
16 | 281 |
autopilot/ai_optimization/performance_monitor.py |
get_benchmark_stats |
15 | 184 |
.github/scripts/weekly_digest.py |
build_blocks |
15 | 38 |
autopilot/recommendation_contract.py |
validate |
14 | 49 |
.github/scripts/metrics_collector.py |
parse_workflow_metrics |
14 | 148 |
.github/scripts/setup_branch_protection.py |
main |
14 | 240 |
.github/scripts/self_healing_system.py |
analyze_failure_patterns |
14 | 256 |
.github/scripts/ai_code_suggestor.py |
_check_import_organization |
14 | 113 |
... and 17 more
Recommendations:
- Break down large functions into smaller, focused units
- Extract complex conditional logic into separate functions
- Use early returns to reduce nesting
🔧 Low Maintainability Files
These files have low maintainability scores and may need refactoring:
| File | Score | Status |
|---|---|---|
.github/scripts/health_dashboard_generator.py |
28.14 | 🔴 |
.github/scripts/workflow_monitor.py |
33.73 | 🔴 |
.github/scripts/ai_code_suggestor.py |
33.76 | 🔴 |
.github/scripts/ai_workflow_optimizer.py |
35.51 | 🔴 |
.github/scripts/performance_benchmark.py |
39.46 | 🔴 |
.github/scripts/self_healing_system.py |
40.27 | 🔴 |
.github/scripts/threshold_monitor.py |
41.13 | 🔴 |
.github/scripts/parallel_code_analyzer_optimized.py |
41.16 | 🔴 |
autopilot/autopilot.py |
42.45 | 🔴 |
autopilot/ai_optimization/anomaly_detector.py |
42.56 | 🔴 |
agents/triage_agent.py |
42.79 | 🔴 |
.github/scripts/refactoring_assistant.py |
43.03 | 🔴 |
autopilot/ai_optimization/intelligent_cache.py |
43.28 | 🔴 |
autopilot/ai_optimization/commit_summarizer.py |
44.05 | 🔴 |
.github/scripts/async_parallel_analyzer.py |
44.47 | 🔴 |
autopilot/ai_optimization/performance_monitor.py |
44.69 | 🔴 |
.github/scripts/badge_generator.py |
45.28 | 🔴 |
.github/scripts/copilot_integration.py |
45.37 | 🔴 |
.github/scripts/distributed_monitoring.py |
45.53 | 🔴 |
.github/scripts/elite_copilot.py |
45.69 | 🔴 |
agents/dependency_agent.py |
45.76 | 🔴 |
.github/scripts/issue_auto_creator.py |
46.39 | 🔴 |
.github/scripts/cost_calculator.py |
46.4 | 🔴 |
.github/scripts/inline_pr_commenter.py |
46.63 | 🔴 |
.github/scripts/complexity_reporter.py |
46.78 | 🔴 |
.github/scripts/pr_triage.py |
47.13 | 🔴 |
core/risk_scorer.py |
48.15 | 🔴 |
autopilot/ai_optimization/nlp_relevance_filter.py |
48.43 | 🔴 |
.github/scripts/pr_inline_commenter.py |
48.47 | 🔴 |
autopilot/staleness_engine.py |
48.73 | 🔴 |
.github/scripts/metrics_collector.py |
48.91 | 🔴 |
.github/scripts/dependency_updater.py |
48.91 | 🔴 |
autopilot/ai_optimization/ml_priority_scorer.py |
49.53 | 🔴 |
.github/scripts/changelog_generator.py |
49.75 | 🔴 |
.github/scripts/parallel_code_analyzer.py |
49.96 | 🔴 |
autopilot/ai_optimization/api_optimizer.py |
50.46 | 🟡 |
agents/security_scan_agent.py |
51.04 | 🟡 |
autopilot/tests/test_recommendation_contract.py |
51.15 | 🟡 |
.github/scripts/workflow_optimizer.py |
51.67 | 🟡 |
.github/scripts/cot_selector.py |
51.73 | 🟡 |
.github/scripts/release_manager.py |
51.92 | 🟡 |
.github/scripts/llm_router.py |
52.35 | 🟡 |
.github/scripts/auto_pr.py |
52.72 | 🟡 |
.github/scripts/notification_manager.py |
53.58 | 🟡 |
.github/scripts/prometheus_exporter.py |
54.96 | 🟡 |
.github/scripts/weekly_digest.py |
55.02 | 🟡 |
core/audit_logger.py |
55.6 | 🟡 |
.github/scripts/gather_context.py |
56.0 | 🟡 |
core/llm_provider.py |
56.32 | 🟡 |
.github/scripts/streaming_results.py |
56.64 | 🟡 |
.github/scripts/setup_branch_protection.py |
57.0 | 🟡 |
.github/scripts/optimized_github_client.py |
58.27 | 🟡 |
agents/orchestrator_agent.py |
59.02 | 🟡 |
agents/code_review_agent.py |
60.45 | 🟡 |
core/github_client.py |
61.96 | 🟡 |
core/message_queue.py |
63.22 | 🟡 |
core/agent_config.py |
63.86 | 🟡 |
core/idempotency.py |
64.45 | 🟡 |
Maintainability Index Guide:
- 🟢 85-100: Excellent maintainability
- 🟡 65-84: Good maintainability
- 🟠 50-64: Moderate maintainability (consider refactoring)
- 🔴 0-49: Poor maintainability (needs refactoring)
🔴 Risk Assessment: HIGH (7.5/10)Analysed 28 files, 114+ / 1932− lines. Security-sensitive paths detected. Test coverage unchanged or improved. Scoring breakdown
|
🔍 Pre-commit Checks🔧 Pre-commit issues were automatically fixed and committed. Please pull the latest changes before pushing again: git pull origin docs/drc-token-and-infra-inventoryPre-commit hooks help maintain code quality and consistency. |
🤖 Elite AI Copilot AnalysisElite AI Copilot Analysis ReportGenerated: 2026-07-06 05:36:39 🎯 Health Score: 100.0/100🚀 Top Recommendations
📊 Detailed InsightsCode Quality Baseline Established
Security Scan Initiated
Repository Structure Analyzed
Performance Baseline Captured
Documentation Structure Good
Powered by Elite AI Copilot v1.0 |
Code Quality Analysis ❌ FAILEDDuration: 0.03s Tool Results
View detailed results{
"timestamp": "2026-07-06 05:36:42",
"elapsed_seconds": 0.03,
"summary": {
"total_issues": 10,
"critical": 0,
"high": 0,
"medium": 0,
"low": 0
},
"tools": {
"pylint": {
"status": "failed",
"output": "",
"errors": "Pylint error: [Errno 2] No such file or directory: 'pylint'"
},
"flake8": {
"status": "failed",
"output": "",
"errors": "Flake8 error: [Errno 2] No such file or directory: 'flake8'"
},
"bandit": {
"status": "failed",
"output": "",
"errors": "Bandit error: [Errno 2] No such file or directory: 'bandit'"
},
"radon_cc": {
"status": "failed",
"output": "",
"errors": "Radon error: [Errno 2] No such file or directory: 'radon'"
},
"radon_mi": {
"status": "failed",
"output": "",
"errors": "Radon MI error: [Errno 2] No such file or directory: 'radon'"
}
},
"passed": false
} |
🔒 Security Scan Results🛡️ Bandit Security Scan
📦 Dependency Vulnerabilities
Vulnerable Dependencies:
Security scans run automatically on every PR. View detailed reports in the Actions tab. |
🤖 DRC Agent AnalysisRecommendation: 🟠 P1 IMPORTANT Summary: Realist Solution 1 (Direct Merge — Minimal Friction) with Solution 2 (Structured Docs-as-Code with Schema Validation) as follow-up Next steps:
Strategic fit: Consulting: high · Product: high · Tech debt: reduces Analysed by GadgetLab DRC Agent (Dreamer → Realist → Critic) · Run |
There was a problem hiding this comment.
Pull request overview
Documentation/config-only PR that captures DRC operational ground-truth (webhook auth note + infra inventory updates) and adds a Neon SQL schema snippet for a pending TIM Postgres migration, plus a small Slack app manifest metadata update.
Changes:
- Documented DRC webhook authentication mechanism and rotation notes in
CLAUDE.md. - Updated infra inventory (
docs/inventory/*.yaml) with confirmedtim-postgres+ M900 homelab details and additional operational notes. - Added
migrations/neon_tim_agent_runs.sqlto recreatetim.agent_runson Neon; updated Slack manifest with_metadataandbot_user.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| slack-app-manifest.yaml | Adds Slack manifest _metadata and bot_user configuration. |
| migrations/neon_tim_agent_runs.sql | New SQL to create tim.agent_runs schema/table/indexes for Neon. |
| docs/inventory/services.yaml | Updates tim-postgres inventory record with confirmed host/container and operational notes. |
| docs/inventory/hosts.yaml | Fills in M900 homelab host details and hosted services/access notes. |
| CLAUDE.md | Adds documentation about DRC webhook authentication and rotation procedure. |
| depends_on: | ||
| - m900-homelab |
| notes: > | ||
| Schema: tim.agent_runs. BROKEN as of 2026-07-02: `postgres-tim` container on | ||
| M900 is Docker-mapped to 127.0.0.1:5432 only (loopback-only, confirmed via `docker ps` | ||
| and `ss -tlnp` on M900) — not bound to the Tailscale interface, 0.0.0.0, or any | ||
| Caddy/Tailscale-Funnel proxy (both confirmed absent). n8n Cloud | ||
| (gadgetlab.app.n8n.cloud) has NO network path to reach this database. The | ||
| `gndQWH8pCjbtieRf` credential's host value only works when queried from a process | ||
| running locally on M900 (e.g. the separate self-hosted n8n instance also on M900, | ||
| proxied at https://m900-homelab.tail8e0dcd.ts.net/n8n). Result: Daily DRC Digest | ||
| (shhwyRRdoEdedYLa) has failed on every run since at least 2026-06-25 (0 successes | ||
| in retained execution history), and any n8n-Cloud workflow querying tim.agent_runs | ||
| will fail identically. Postgres's own pg_hba.conf already allows remote | ||
| password-auth connections (`host all all all scram-sha-256`) — the ONLY blocker is | ||
| the Docker port binding. Fix requires a deliberate decision (not yet made): rebind + | ||
| Tailscale Funnel (exposes DB publicly — real risk), migrate to a managed cloud | ||
| Postgres, or move the querying workflows onto the local M900 n8n instance. See | ||
| obsidian-ai-architect-vault memory project_gadgetlab.md for full diagnosis. | ||
| Second credential yzbjlFaqm3pBpc62 discovered 2026-06-27 — still unconfirmed if | ||
| same host or separate DB. |
| access: | ||
| - method: SSH | ||
| notes: "SSH access not confirmed from current environment" | ||
| notes: "Confirmed working 2026-07-02: `ssh -i ~/.ssh/m900_homelab ai@100.98.109.40`" |
| notes: "Homelab host. Referenced in prior sessions but not directly reachable from cloud shell." | ||
| notes: "Confirmed — node 100.98.109.40, tailnet tail8e0dcd.ts.net" | ||
| - method: browser (Caddy, HTTPS, basic-auth) | ||
| url: "https://m900-homelab.tail8e0dcd.ts.net (grafana/prometheus/n8n/portainer/cadvisor/obsidian paths, user: gadget)" |
| - Sessions expire after ~30–60 min of inactivity; autosave silently fails with 401. Claude cannot re-authenticate — Gadget must log in. | ||
| - Canvas drag-and-drop is unreliable; prefer JavaScript/Pinia store manipulation when automating node placement. | ||
| - "Notify Slack — DRC Result" node uses HTTP Request → Slack Incoming Webhook (no OAuth). Channel: `#drc-recommendations` (gadgetai.slack.com). Webhook secret stored as `SLACK_WEBHOOK_URL` GitHub secret. | ||
| - **DRC webhook auth (`x-gadgetlab-token`):** the DRC Agent Loop's `Prepare Input` node gates all real traffic on a static `x-gadgetlab-token` header; the Event Router's "Forward to Agent Loop" node is the sole legitimate sender. The token value lives **only in n8n** (embedded literals in both nodes — never committed to this public repo, never a GitHub secret). Last rotated **2026-07-06**; the old value is retired (rejected with `Unauthorized`). To rotate: set the same new value in both nodes and publish both. Health-check pings are exempt — the `Route Health Ping` IF node short-circuits them to a `Pong` 200 before the gate, so `n8n-health-check.yml` needs no token. |
Summary
Two documentation/config commits, rescued from ground-truth that had been sitting uncommitted on a stale copilot branch. No application code, no secrets.
docs(claude)— records the DRC webhook auth mechanism inCLAUDE.md: the staticx-gadgetlab-tokenheader gated in the DRCPrepare Inputnode, the Event Router as sole legitimate sender, the token living only in n8n (never committed), last rotated 2026-07-06 with the old value retired, plus the rotation procedure. Notes health-check pings are exempt via theRoute Health Ping → Pongbranch.docs(inventory)— confirmed infra ground-truth from live investigation:docs/inventory/services.yaml:tim-postgreshostunknown→100.98.109.40(m900-homelab, Tailscale), containerpostgres-tim(postgres:16-alpine), verified viadocker pson M900.docs/inventory/hosts.yaml: confirmed M900 host details.slack-app-manifest.yaml: adds_metadataversion +bot_user.migrations/neon_tim_agent_runs.sql: Neon schema fortim.agent_runs, for the pending managed-Postgres cutover.Context
These changes are unrelated to open PR #174 (a narrow changelog-identity fix); they were stray uncommitted work in that branch's checkout. This PR lands the durable, verified pieces on
mainon their own clean branch, leaving PR #174 and the rest of that branch's WIP untouched.Test plan
a45ba72is an ancestor oforigin/main→ PR is exactly these 2 commits🤖 Generated with Claude Code