Documents how to prove the spawn -> vault-provision -> .env chain live on osa,
honestly surfacing that it isn't CLI-drivable yet:
- the chain is wired + unit-tested, but tenant registration is raw-SQLite-only
  (#101) and jailed spawn is raw-socket-JSON-only (#102)
- runbook uses the interim manual path (sqlite insert + raw spawn-agent JSON)
- scratch jail + test collection per first-proof policy; bootstrap creds never
  enter the jail
- documents exact resolution: collection name = tenant_id, jail_root must match

Continues an osa-agent investigation (verified against origin/main).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>