docs: Phase 2 capture side — REPORT/CONTEXT/README for v0.53.x recovery unit
REPORT overwritten (secret-free recovery unit: design, what shipped, golden deploy mechanism, live 9201 validation incl. NO_LEAK grep). CONTEXT dated entry. README: recovery-unit subsection + flagged the stale restic/secondary paths section.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
+17
@@ -13,6 +13,23 @@ Last updated: 2026-06-12 (storage UX polish)
> is tracked in `CHANGELOG.md`, `controller/README.md`, and the auto-memory `MEMORY.md`. Live version:
> **v0.45.0**.
>
> **2026-06-13 — v0.53.0/v0.53.1 Phase 2: per-app recovery unit (capture side, SECRET-FREE):**
> - Each app's `backups/primary/<app>/` becomes a self-contained recovery unit: `compose/`
> (docker-compose.yml + .felhom.yml + **secret-stripped** app.yaml) + db-dumps/ + volume-dumps/ +
> `manifest.json` (image pins, secret env-var NAMES, data_key names, checksums, secret_source note).
> - **Secret-free by design.** Decided after reading the ACTUAL hub code: hub is zero-knowledge (no app
> secrets); app.yaml + key live on the guest rootfs → in the PBS whole-guest snapshot. So the unit
> stores no secret/data-key/image; restore recovers secrets from the guest's app.yaml (live/PBS),
> regenerates nothing. `data_key` (DeployField.DataKey; AdventureLog SECRET_KEY marked) = fail-closed
> restore annotation only.
> - Capture needs no decryption (non-secret env is plaintext; excludes secret-named + encrypted keys).
> Wired into RunDBDumps AND the periodic RefreshCache (idempotent checksum-skip → no USB thrash).
> - **Deploy mechanism resolved:** controller in guest 9201 is golden/bootstrap-managed —
> `felhom-controller-bootstrap.service` docker-runs the tag from `/etc/felhom-controller-image`
> (gitea anon-pull). Deploy = build+push → anon-pull → update tag file → restart the service.
> - **Live-validated (9201):** RomM unit captured (images=3, secrets=3, data_keys=0), secret-leak grep
> = NO_LEAK. Next: Phase 2b restore-from-unit recreate + fail-closed gate + AdventureLog readable-data.
>
> **2026-06-13 — v0.52.0 Phase 1 GATE: deploy-side double-nest fix (catalog) + path-agreement test:**
> - The `felhom-data` double-nest lived in the **app-catalog compose templates**
> (`${HDD_PATH}/felhom-data/appdata/<app>`), not in `deploy.go`. On a Model-A in-guest drive the mount
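Review bot: The first bullet of the added 2026-06-13 entry marks only `app.yaml` as secret-stripped, while `docker-compose.yml` and `.felhom.yml` go into `compose/` as well, and the capture bullet excludes values by name ("excludes secret-named + encrypted keys"). A credential carried inline in the compose file or in a non-secret-named variable would not be covered by that rule as written. Please state whether those two files are scanned or stripped too, and what the `NO_LEAK` grep on 9201 matched against (the three RomM secret values, or name patterns), so the secret-free claim can be re-checked later. Separately, the unchanged context line above the entry still reads "Live version: **v0.45.0**" although the entry describes v0.53.0/v0.53.1 as live-validated; update it in this hunk or note why it differs.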