c6dd0ed505
§6: disk-management endpoints + reframed principle (non-data-destructive self-serve; data-destructive stays operator-signed; classifier = agent-internal device inspection). §4: data-bearing-ness is agent-internal, never caller-claimed. §9: 8C implemented, slice 8 CLOSED. doc 02: EXECUTED banner. Validated live (data-bearing format refused; de-privileged controller). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
felhom.eu — task reports
Overwrite this file with a summary of the most recent task only (uniform with the other repos; not cumulative). The cumulative hub history lives in hub/CHANGELOG.md.
REPORT — Slice 8C docs: controller de-privileging + disk classifier (slice 8 CLOSED) (2026-06-10)
Type
Documentation update for slice 8C (the implementation is in felhom-agent v0.12.0 + felhom-controller v0.37.0; no hub change). Slice 8 is now CLOSED.
What changed (doc 03 — host-agent)
- §6 — added the disk-management endpoints (`GET /disks`, `POST /disks/{assign,eject,format}`) and reframed the principle: a controller may do non-data-destructive storage setup self-serve (list / assign / eject / format-blank); anything that can lose customer data stays operator-signed (§4), with the classifier (agent-internal device inspection) as the enforcer. The 8C invariant: the agent decides data-bearing-ness by inspecting the device itself, never from the caller's claim; a data-bearing format → `ClassStorageWipe` → gate → `pending_signature` (signed completion is slice 10). Marked implemented.
- §4 — added: data-bearing-ness is agent-internal evidence, never the caller's claim (mirrors the agent-internal scratch-provenance rule); destructive completion → slice 10.
- §9 slice table — 8C implemented → slice 8 CLOSED: agent v0.12.0 (`/disks` + classifier gate + `mkfs`); controller v0.37.0 (~12.3k LOC of disk execution retired, `backup.Manager` split to app-data, disk mgmt rewired to the agent, container de-privileged). §13 + doc changelog updated.
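The 8C gate described above (device inspection decides, the caller's claim never does), as an added example in Go that is not felhom-agent code. The `FormatRequest`/`Decision` shapes, the `ClaimedBlank` field and the constructed 4 KiB device heads are assumptions; the classifier recognises only three on-disk signatures (ext superblock magic, GPT header, MBR boot signature) and otherwise fails closed on any non-zero content.

```go
package main

import (
	"bytes"
	"encoding/binary"
)

const ClassStorageWipe = "ClassStorageWipe"

// FormatRequest is what a controller sends to POST /disks/format.
// ClaimedBlank (hypothetical field) is accepted on the wire but never consulted.
type FormatRequest struct {
	Device       string
	ClaimedBlank bool
}

// Decision: run mkfs now, or park the request as pending_signature under
// ClassStorageWipe until an operator signs the completion (slice 10).
type Decision struct {
	Proceed bool
	Class   string
	Status  string
	Reason  string
}

// inspectDevice classifies the head of the device itself (constructed bytes in tests).
// Known signatures first; any other non-zero content fails closed as data-bearing.
func inspectDevice(head []byte) (bool, string) {
	if len(head) >= 1082 && binary.LittleEndian.Uint16(head[1080:1082]) == 0xEF53 {
		return true, "ext2/3/4 superblock magic at offset 1080"
	}
	if len(head) >= 520 && bytes.Equal(head[512:520], []byte("EFI PART")) {
		return true, "GPT header signature at LBA 1"
	}
	if len(head) >= 512 && head[510] == 0x55 && head[511] == 0xAA {
		return true, "MBR boot signature at offset 510"
	}
	if len(bytes.Trim(head, "\x00")) > 0 {
		return true, "unrecognised non-zero content in device head"
	}
	return false, "device head is all zero"
}

// GateFormat uses the inspection only; req.ClaimedBlank is ignored by design.
func GateFormat(req FormatRequest, head []byte) Decision {
	if dataBearing, why := inspectDevice(head); dataBearing {
		return Decision{false, ClassStorageWipe, "pending_signature", why}
	}
	return Decision{true, "", "ok", "blank device; mkfs may run"}
}
```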
What changed (doc 02 — controller module map)
- Added an EXECUTED banner: the map's target state is realized — the disk subsystem is deleted, `backup.Manager` split, disk mgmt rewired to the agent, the container de-privileged. The in-guest controller is now Docker-only with no disk/Proxmox privileges.
Live validation (cross-repo, on the demo)
A provisioned de-privileged controller v0.37.0 (Privileged=false; mounts only bootstrap + data + docker.sock) drove the agent disk API: `GET /disks` returned data-bearing flags, and a data-bearing format was refused (`pending_signature`, nothing formatted) — the security centerpiece, proven live. See the agent + controller REPORTs.
Deferred
The operator-signed completion of a data-bearing wipe/format → slice 10. No hub change → no deploy. No secrets committed.