feat(ops-agent): baseline-freeze + drift-detect for max2 /etc/ops-agent #33

Merged
janpeter merged 1 commit from feat/ops-agent-drift-discipline-max2 into master 2026-06-08 14:45:52 +02:00

Implements step B.3 of the max2 ops-agent ↔ scrum4me-docker convergence design (#31): detection without sync.

What this adds

  • Frozen baseline of the live /etc/ops-agent config: commands.yml (600 lines) + 7 flow YAMLs (redeploy_*, system_reboot/shutdown) under deploy/max2-workflows/ops-agent/baseline/.
  • scripts/check-ops-agent-drift.sh — host-agnostic (max2 + 154); diffs live /etc/ops-agent against the baseline. Reads only commands.yml + flows/*.yml via allowlist; secrets/baks out of scope by construction. On drift: an s4m-queue info to mac:jp with per-file hunk counts.
  • systemd/ops-agent-drift.{service,timer} — periodic drift check.
  • docs/runbooks/ops-agent-host-config-discipline.md — runbook.

Verification

Run live on max2 -> no drift, exit 0. Baseline matches the live config exactly.

Generated with Claude Code

Implements step 1 of the convergence design (PR #31): version-controlled
baseline + drift visibility, without any auto-writer on the privileged
command-allowlist.

- docs/runbooks/ops-agent-host-config-discipline.md: host-agnostic runbook
  (double-edit discipline, freeze, drift-detect, secrets-exclusion, gates,
  max2<->154 symmetry contract).
- scripts/check-ops-agent-drift.sh: host-agnostic detector. Diffs repo
  baseline vs live /etc/ops-agent (commands.yml + flows/*.yml only; secrets
  excluded by allowlist), reports per-file hunk counts, pushes s4m-queue
  info to mac:jp on drift. exit 0=clean, 1=drift, 2=error.
- deploy/max2-workflows/ops-agent/baseline/: frozen max2 live config
  (79 command keys + 7 flows), byte-identical to live at 2026-06-08.
- deploy/max2-workflows/ops-agent/systemd/ops-agent-drift.{service,timer}:
  daily root-run drift check (SuccessExitStatus=1 so drift != unit failure).

Refs s4m-queue task 9b19ec78.
janpeter merged commit b3d3ed39ad into master 2026-06-08 14:45:52 +02:00
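
The detector described in the commit message, sketched as an added example (not the project's scripts/check-ops-agent-drift.sh). The function names, the sample trees and the report format are assumptions, and the s4m-queue notification is left out.

```shell
# Added illustration, not the project's script. Exit: 0=clean, 1=drift, 2=error.

# List allowlisted paths (commands.yml, flows/*.yml) found in any given tree.
allowlisted_files() {
  for dir in "$@"; do
    for f in "$dir"/commands.yml "$dir"/flows/*.yml; do
      if [ -f "$f" ]; then printf '%s\n' "${f#"$dir"/}"; fi
    done
  done | sort -u
}

# Count unified-diff hunks; a file missing on one side is diffed against /dev/null.
count_hunks() {
  a="$1"; b="$2"
  [ -f "$a" ] || a=/dev/null
  [ -f "$b" ] || b=/dev/null
  diff -u "$a" "$b" | grep -c '^@@ ' || true
}

check_drift() {
  baseline="$1"; live="$2"; drift=0
  if [ ! -d "$baseline" ] || [ ! -d "$live" ]; then
    echo "error: baseline or live directory missing" >&2
    return 2
  fi
  while IFS= read -r rel; do
    [ -n "$rel" ] || continue
    n=$(count_hunks "$baseline/$rel" "$live/$rel")
    if [ "$n" -gt 0 ]; then echo "DRIFT $rel hunks=$n"; drift=1; fi
  done <<EOF
$(allowlisted_files "$baseline" "$live")
EOF
  return "$drift"
}

# Constructed sample trees (hypothetical contents) for a stand-alone run.
make_sample() {
  mkdir -p "$1/baseline/flows" "$1/live/flows"
  printf 'a: 1\nb: 2\n' > "$1/baseline/commands.yml"
  printf 'a: 1\nb: 3\n' > "$1/live/commands.yml"
  printf 'steps: []\n' > "$1/baseline/flows/redeploy_x.yml"
  printf 'steps: []\n' > "$1/live/flows/redeploy_x.yml"
  printf 'token=constructed\n' > "$1/live/secrets.env"   # outside the allowlist
}

tmp=$(mktemp -d); make_sample "$tmp"
check_drift "$tmp/baseline" "$tmp/live" || echo "exit=$?"
rm -rf "$tmp"
```

Because only allowlisted paths are ever opened, the live-only secrets.env in the sample never reaches the report, and a flow file present on just one side shows up as a single hunk.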