Clarify root GitHub credential ownership
parent: 6a4e289edc
commit: 547a9d00fa
@ -260,6 +260,17 @@ Verification recorded on 2026-05-27:
For write operations, create a separate repo-scoped token and store it in a new root-only token file. Do not reuse this read-focused token for broad automation unless the required scope is explicitly reviewed first.
## GitHub credential ownership
Root Git operations already have GitHub push credentials through the root Git credential store. Root is the operator account for both:
- `https://github.com/saravanakumardb/learning_ai_devops_tools.git`
- `https://github.com/umadev0931/uma_hostinger_hermes_vm.git`
Uma does not need a separate `/home/uma/.git-credentials` file for the current workflow because repo maintenance and pushes are performed from root. Do not copy root GitHub credentials into Uma's home directory unless there is a concrete need for Uma-user GitHub pushes.
Remaining audit item: confirm in GitHub that the root token is fine-grained or otherwise limited to the intended repos and permissions. Do not print the token while checking this.
## Telegram topics and session handling
Root and Uma currently use the standard Telegram gateway session handling. Do not enable or change topic/session behavior without a concrete routing need.
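Review bot: "the root Git credential store" in the opening paragraph of the new section should name the concrete store (the path Git reads credentials from), so the remaining audit item can also check that file's ownership and mode, not only the token's scope on the GitHub side; as written, the audit covers GitHub only. Also state which of the two listed repos is root's own tracking repo and which is Uma's, since the following paragraph about Uma not needing `/home/uma/.git-credentials` relies on that distinction.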
@ -9,12 +9,13 @@
## Completion Status
- **Overall checklist completion:** ~68% (`122/179` checked after the 2026-05-27 Gitea/Hermes Git smoke test).
- **Credential-independent setup:** materially further along; remaining blockers are mostly provider/search credentials, GitHub automation token, Uma backup design, and policy decisions.
- **Credential-independent setup:** materially further along; remaining blockers are mostly provider/search credentials, GitHub token scope audit, Uma backup design, and policy decisions.
- vijay: percentage is based on literal Markdown checklist boxes, including nested sub-items. It intentionally counts credential-dependent future work as incomplete.
## Remaining Unchecked Item Classification
- **Needs credentials/API keys:** fallback provider setup, web search/extract backend, GitHub automation token, Browserbase/Browser Use, and provider fallback tests.
- **Needs credentials/API keys:** fallback provider setup, web search/extract backend, Browserbase/Browser Use, and provider fallback tests.
- **Needs credential audit:** GitHub push credentials already exist for root Git operations, including root-managed pushes to Uma's GitHub repo; least-privilege scope still needs to be verified from GitHub.
- **Needs explicit policy decision:** Cloudflare Access/basic-auth public fallback, model-routing tiers, local browser automation, vision/image provider choice, `security.redact_secrets`, `privacy.redact_pii`, and credential rotation.
- **Needs Uma backup design:** Uma/Bheem currently has a clean VM wrapper repo, but not a root-style sanitized Hermes persistent backup/restore workflow.
- **Needs manual UX validation:** dashboard feature-by-feature checks, Telegram approval prompt flow, and Telegram media/file delivery.
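Review bot: the new "Needs credential audit" bullet records that a single root credential performs pushes to both root's and Uma's GitHub repos; the audit should explicitly decide whether one token holding write access to Uma's repo is acceptable, or whether Uma's repo should get its own repo-scoped token, since the guidance earlier in this change ("create a separate repo-scoped token" for write operations) points the other way. The `122/179` count on the completion line is unchanged, which is consistent: the GitHub item moved between categories but remains unchecked.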
@ -63,7 +64,8 @@ Observed on 2026-05-26:
- last status: ok
- Config version: `24` after `hermes doctor --fix` migration on 2026-05-27; root and Uma both verified at config v24
- Telegram credentials are present
- Most optional provider/API keys are not configured, including OpenRouter, Google/Gemini, Anthropic, Firecrawl/Tavily/Exa, Browserbase/Browser Use, GitHub token, FAL, and ElevenLabs
- Most optional provider/API keys are not configured, including OpenRouter, Google/Gemini, Anthropic, Firecrawl/Tavily/Exa, Browserbase/Browser Use, FAL, and ElevenLabs
- GitHub push credentials are configured for root Git operations through the root credential store; root also performs Uma repo pushes because root has access to `https://github.com/umadev0931/uma_hostinger_hermes_vm`
- `hermes doctor --fix` completed on 2026-05-27; it migrated config v23 → v24 and left only manual provider/API-key setup as the main optional follow-up
- User preference: do **not** expose the Hermes dashboard publicly
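Review bot: the list is headed "Observed on 2026-05-26", but the retained and added bullets cite `hermes doctor --fix` and config v24 on 2026-05-27; update the heading date or date the newer bullets individually. In the added GitHub bullet, "because root has access to ..." restates the fact rather than giving the reason: say that root holds the credentials in its credential store, and use the same `.git` URL form as the ownership section for consistency.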
@ -234,7 +236,7 @@ A healthy ByteLyst Hermes setup should be:
- [ ] Browserbase/Browser Use
- [ ] Configure GitHub/Gitea automation credentials with least privilege.
- vijay: root local Gitea read-only Git path is configured with `/root/.local/bin/gitea-git` plus `GIT_ASKPASS`; the token remains in `/root/.gitea_npm_token_home` and was not printed. Verified direct Git and Hermes one-shot read access to `http://localhost:3300/bytelyst/learning_ai_common_plat.git`.
- vijay: still unchecked because GitHub automation credentials are separate and have not been provisioned.
- vijay: GitHub push credentials are already configured for root Git operations through `/root/.git-credentials`; root performs pushes for both root and Uma tracking repos. Still unchecked until GitHub token repo/scope permissions are audited as least-privilege.
- [ ] Add vision/image capability if screenshots, diagrams, or UI reviews are common.
- [x] Validate the active Telegram toolset includes the capabilities ByteLyst expects:
- vijay: `hermes doctor --fix` reported browser, clarify, code_execution, cronjob, terminal, delegation, file, memory, messaging, session_search, skills, todo, tts, vision, video, and related toolsets available; web remains blocked by missing search backend API key.
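Review bot: the replacement vijay note places the GitHub credentials in `/root/.git-credentials`, while the preceding Gitea note deliberately keeps that token out of Git config via `GIT_ASKPASS`; the checklist item should record a file ownership/mode check for `/root/.git-credentials` alongside the scope audit, or state why the GitHub path does not use the same askpass pattern. Separately, the Gitea token file name `/root/.gitea_npm_token_home` suggests one token shared between npm registry and Git access; if so, the least-privilege item applies to that token as well, not only to GitHub.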
@ -411,7 +413,7 @@ A healthy ByteLyst Hermes setup should be:
- vijay: documented restore drill and restored root backup into `/tmp/hermes-restore-test-root`.
- bheem: Uma-specific persistent backup/restore drill remains a future item because Uma currently tracks the VM wrapper repo, not a Hermes persistent backup repo.
- [ ] Add Gitea/GitHub least-privilege automation credential path.
- vijay: Gitea path is complete for root via `/root/.local/bin/gitea-git`; GitHub path remains pending, so this combined item stays unchecked.
- vijay: Gitea path is complete for root via `/root/.local/bin/gitea-git`; GitHub push path exists in root's credential store and is used for root-managed pushes, including Uma repo updates. Least-privilege scope verification remains pending, so this combined item stays unchecked.
### Medium-Term — This Month
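Review bot: this checklist item bundles a completed Gitea path with a pending GitHub path, so it stays unchecked even though the Gitea half is done; split it into two items (Gitea least-privilege credential path, GitHub least-privilege credential path) so the completion count reflects the finished part and the remaining GitHub scope audit is tracked on its own.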
@ -488,7 +490,7 @@ This roadmap is complete when:
- vijay: installed `/root/.local/bin/gitea-git-askpass` and `/root/.local/bin/gitea-git` so Hermes/Git can authenticate to local Gitea without embedding tokens in remotes or Git config.
- vijay: verified direct Git read operation: `gitea-git ls-remote http://localhost:3300/bytelyst/learning_ai_common_plat.git HEAD` returned HEAD `59c4638f85be...`.
- vijay: verified the same read-only operation through Hermes one-shot; Hermes reported success and only the truncated HEAD hash.
- vijay: documented the exact safe token flow in `docs/hermes-operations.md`; GitHub automation token remains a separate future credential item.
- vijay: documented the exact safe token flow in `docs/hermes-operations.md`; corrected GitHub status to show credentials already exist for root-managed pushes, with least-privilege scope audit still pending.
## Notes For Future Transcript Pass
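Review bot: the replacement line says the GitHub status was "corrected" but does not say where the new guidance lives; name the section ("GitHub credential ownership", added in this change) and its document so a reader of the roadmap can find the ownership rules and the pending audit item rather than only this one-line summary.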