Wiki Log
[2026-04-22] bootstrap | repository scaffold
Initialized the first wiki.tazlab.net project scaffold.
Created:
- repository-level
AGENTS.mdschema README.mddocs/llm-wiki-pattern.mddocs/tazlab-integration.mdwiki/index.mdwiki/overview.md- raw source directories and wiki content directories
Why it matters:
This establishes the durable structure that future agents can use to ingest sources, maintain knowledge pages, and later integrate the wiki cleanly into the wider TazLab context system.
[2026-04-22] restructure | tazlab-wiki context and seed knowledge pages
Created the dedicated AGENTS.ctx/tazlab-wiki/ context and seeded the first durable TazLab knowledge pages in the wiki repository.
Created or updated:
AGENTS.ctx/tazlab-wiki/CONTEXT.mdAGENTS.ctx/CONTEXT.mdwiki/overview.mdwiki/index.mdwiki/concepts/tazlab-knowledge-layers.mdwiki/topics/tazlab-system-map.mdwiki/topics/tazlab-repository-map.md
Why it matters:
This gives future agents a named context that points to the wiki as an organized knowledge surface, while also providing the first durable pages that explain the overall TazLab structure and where different kinds of information belong.
[2026-04-22] restructure | repository hubs and cross-cutting architecture pages
Expanded the wiki from seed pages into a first-pass navigable knowledge base with repository hub pages and cross-cutting architecture topics.
Created or updated:
wiki/entities/agents-ctx.mdwiki/entities/tazpod.mdwiki/entities/ephemeral-castle.mdwiki/entities/tazlab-k8s.mdwiki/entities/mnemosyne-mcp-server.mdwiki/entities/blog-src.mdwiki/entities/wiki-tazlab-net.mdwiki/topics/ephemeral-castle-hetzner-vault-runtime.mdwiki/topics/ephemeral-castle-tailscale-foundation.mdwiki/topics/tazlab-secret-and-identity-flow.mdwiki/topics/tazlab-cluster-delivery-flow.mdwiki/index.mdwiki/overview.mdwiki/topics/tazlab-system-map.mdwiki/topics/tazlab-repository-map.md
Why it matters:
The wiki now describes the main TazLab repositories as first-class hubs, documents the two major ephemeral-castle subdomains called out by the operator, and introduces reusable architecture pages that connect operator environment, infrastructure bootstrap, GitOps, memory, and secret flow into one navigable structure.
[2026-04-22] ingest | blog narratives and CRISP program structure
Added first source-summary coverage from the blog layer and connected it to the wiki’s architecture pages, while also introducing a CRISP program-map page to explain the design tree behind current TazLab work.
Created or updated:
wiki/sources/blog-zero-credentials-on-disk.mdwiki/sources/blog-tailscale-secure-backbone.mdwiki/sources/blog-lushycorp-vault-security-architecture.mdwiki/sources/blog-terraforming-the-cloud-vault-hetzner.mdwiki/sources/blog-recursive-memory-compact-context.mdwiki/topics/tazlab-crisp-program-map.mdwiki/entities/blog-src.mdwiki/entities/agents-ctx.mdwiki/entities/tazpod.mdwiki/entities/ephemeral-castle.mdwiki/index.md
Why it matters:
The wiki now contains not only structural pages about the ecosystem, but also provenance-rich summaries of key published articles and an explicit map of the CRISP initiative tree, which makes the documentation layer more useful for both historical understanding and future agent onboarding.
[2026-04-22] restructure | flux dag and cluster layer detail
Added a code-aligned Flux DAG page for the active tazlab-k8s cluster and wired the existing cluster/secret/system pages to it so future agents can see the actual dependency order and installed workloads in one place.
Created or updated:
wiki/topics/tazlab-flux-dag.mdwiki/topics/tazlab-cluster-delivery-flow.mdwiki/topics/tazlab-system-map.mdwiki/topics/tazlab-secret-and-identity-flow.mdwiki/entities/tazlab-k8s.mdwiki/index.mdwiki/overview.md
Why it matters:
The wiki now explains the cluster as an executable Flux graph, not just as a conceptual architecture. That makes it much easier to answer operational questions about which layer depends on which, what gets installed where, and where the secret, auth, database, and application surfaces actually appear.
[2026-04-22] restructure | tazlab-k8s granularity and technology trunk split
Expanded the TazLab operational trunk into dedicated tazlab-k8s layer pages and created a separate technology/reference trunk for the software stack used to run TazLab.
Created or updated:
wiki/topics/tazlab-k8s-layers.mdwiki/topics/tazlab-k8s-operators.mdwiki/topics/tazlab-k8s-configs.mdwiki/topics/tazlab-k8s-instances.mdwiki/topics/tazlab-k8s-auth.mdwiki/topics/tazlab-k8s-apps.mdwiki/topics/tazlab-infrastructure-tech-stack.mdwiki/topics/tazlab-flux-dag-troubleshooting.mdwiki/entities/proxmox.mdwiki/entities/talos-linux.mdwiki/entities/tailscale.mdwiki/entities/metallb.mdwiki/entities/longhorn.mdwiki/entities/terraform.mdwiki/entities/kubernetes.mdwiki/entities/sops.mdwiki/entities/hashicorp-vault.mdwiki/entities/operator-terminal-tooling.mdwiki/sources/research-proxmox-and-talos-iac.mdwiki/sources/research-tailscale-and-networking.mdwiki/sources/research-talos-storage-and-persistence.mdwiki/sources/research-kubernetes-core-models.mdwiki/sources/research-kubernetes-secrets-and-sops.mdwiki/sources/research-terminal-tooling.md
Why it matters:
The wiki now reflects the way the operator actually thinks about the system: one trunk for TazLab itself and a second trunk for the supporting technologies and external research that explain how the system is built and debugged.
[2026-04-22] lint | broken research links in network entities
Fixed entity references in wiki/entities/metallb.md and wiki/entities/talos-linux.md so they point at the existing wiki/sources/research-tailscale-and-networking.md summary instead of a non-existent page.
Why it matters:
This removes dead links from the technology trunk and keeps the source graph consistent for future navigation.
[2026-04-22] restructure | secret model corrected to Infisical
Updated the wiki’s secret-management pages so the current TazLab state is described as Infisical-backed GitOps delivery, with SOPS demoted to research-only status and the LushyCorp/Vault path called out as the transition track.
Created or updated:
wiki/entities/infisical.mdwiki/entities/sops.mdwiki/entities/hashicorp-vault.mdwiki/entities/tazlab-k8s.mdwiki/topics/tazlab-secret-and-identity-flow.mdwiki/topics/tazlab-infrastructure-tech-stack.mdwiki/sources/research-kubernetes-secrets-and-sops.mdwiki/index.md
Why it matters:
This prevents the wiki from teaching an outdated secret flow and keeps the current operational model aligned with the live cluster and infrastructure context.
[2026-04-22] restructure | deep Ephemeral Castle documentation sweep
Added a deeper code-backed documentation set for ephemeral-castle, including a repository map, bootstrap pipeline, Proxmox/Talos foundation page, a Tailscale foundation expansion, and an analysis note for current topology drift.
Created or updated:
wiki/entities/ephemeral-castle.mdwiki/topics/ephemeral-castle-repository-map.mdwiki/topics/ephemeral-castle-cluster-bootstrap.mdwiki/topics/ephemeral-castle-proxmox-talos-foundation.mdwiki/topics/ephemeral-castle-tailscale-foundation.mdwiki/topics/tazlab-cluster-delivery-flow.mdwiki/topics/tazlab-system-map.mdwiki/analyses/ephemeral-castle-topology-drift.mdwiki/index.md
Why it matters:
This turns ephemeral-castle from a shallow hub into a navigable, code-aligned documentation surface that explains the actual bootstrap pipeline, module boundaries, and the current live topology without hiding doc drift.
[2026-04-23] restructure | wiki homepage draft
Added wiki/homepage.md as the public-facing entry point for the rendered wiki and linked it from wiki/index.md so future publication work has a clear landing page distinct from the internal index.
Why it matters:
This gives the eventual Hugo publication layer a dedicated front door without changing the canonical internal wiki directory structure.
[2026-04-23] restructure | Hugo publication adapter
Added the first publish/ adapter for the wiki, including Hugo mounts, minimal site templates, and the rendered-homepage wiring needed for local preview with hugo server.
Created or updated:
publish/hugo.tomlpublish/layouts/_default/baseof.htmlpublish/layouts/_default/list.htmlpublish/layouts/_default/single.htmlpublish/layouts/index.htmlwiki/homepage.mdwiki/overview.mdREADME.md
Why it matters:
This turns the wiki from a content-only repository into a site that can be previewed locally and later wired into the same deployment chain used by the blog, without restructuring the source wiki tree.
[2026-04-23] restructure | PaperMod theme adoption
Installed PaperMod as a Git submodule under publish/themes/ and switched the Hugo adapter to use the theme directly, keeping only the homepage override needed to preserve homepage.md as the public landing page.
Created or updated:
.gitmodulespublish/themes/PaperModpublish/hugo.tomlpublish/layouts/index.html
Why it matters:
This aligns the wiki publication path with the blog’s theme-management model while keeping the adapter minimal and easier to maintain than a hand-rolled full layout stack.
[2026-04-23] restructure | PaperMod visual refinement
Adjusted the wiki presentation layer so PaperMod behaves like a documentation site instead of a generic blog: stronger link contrast, fixed light theme, cleaner section cards, a more serious homepage, and no duplicate listing appended under the main wiki index.
Created or updated:
publish/hugo.tomlpublish/assets/css/extended/wiki.csspublish/layouts/index.htmlpublish/layouts/_default/list.html
Why it matters:
This makes the rendered wiki materially easier to scan and navigate, fixes low-visibility links, and gives the public surface a more professional documentation-oriented visual language.
[2026-04-23] restructure | wiki image publication pipeline
Added the container build and GitHub Actions publication path for the wiki, mirroring the blog’s delivery pattern while building from the publish/ adapter and publishing to the dedicated tazzo/tazlab-wiki image stream.
Created or updated:
Dockerfile.dockerignore.github/workflows/publish.yml
Why it matters:
This gives the wiki a production-ready image publication lane that matches the existing blog deployment model and keeps the Docker Hub credential contract aligned on the same GitHub Actions secret name used by the blog.
[2026-04-23] fix | wiki Docker build git metadata
Disabled enableGitInfo in publish/hugo.toml so the containerized Hugo build no longer tries to read .git metadata that is not copied into the wiki image build context.
Created or updated:
publish/hugo.toml
Why it matters:
This removes the failed to load Git data buildx failure in GitHub Actions and lets the wiki image publish from the Docker build path without bundling the repository history into the image.
[2026-04-23] restructure | deep Ephemeral Castle documentation expansion
Performed a comprehensive documentation sweep of the ephemeral-castle repository, creating a modular and granular manual for future agents.
Created or updated:
wiki/entities/ephemeral-castle.md(Hub centralizzato)wiki/topics/ephemeral-castle-architecture.mdwiki/topics/ephemeral-castle-terragrunt-layers.mdwiki/topics/ephemeral-castle-rebirth-protocol.mdwiki/topics/ephemeral-castle-vault-runtime-architecture.mdwiki/topics/ephemeral-castle-vault-bootstrap-and-restore.mdwiki/topics/ephemeral-castle-tailnet-security.mdwiki/topics/ephemeral-castle-tailscale-bridge.mdwiki/operations/ephemeral-castle-commands.mdwiki/index.md
Why it matters:
This provides a complete technical operational context for agents, allowing them to understand the Terragrunt layer model, the Vault runtime lifecycle on Hetzner, and the Tailscale mesh security without having to reverse-engineer the entire codebase or read obsolete documents.
[2026-04-23] restructure | deep TazLab K8s documentation sweep
Performed a comprehensive documentation sweep of the tazlab-k8s GitOps repository, detailing the layering pattern, image automation, and secret delivery model.
Created or updated:
wiki/entities/tazlab-k8s.md(Hub centralizzato)wiki/topics/tazlab-k8s-structure.mdwiki/topics/tazlab-k8s-image-automation.mdwiki/topics/tazlab-k8s-secrets-mapping.mdwiki/topics/tazlab-k8s-ingress-and-auth.mdwiki/topics/tazlab-k8s-monitoring.mdwiki/index.md
Why it matters:
This ensures that any agent working on the cluster has a clear understanding of the GitOps workflow, how to safely add new applications, and how secrets are injected without exposing them in manifests.
[2026-04-23] restructure | deep TazPod documentation sweep
Completed the operational manual by documenting the tazpod operator environment, its container architecture, and the sensitive vault-unseal mechanism.
Created or updated:
wiki/entities/tazpod.md(Hub centralizzato)wiki/topics/tazpod-architecture.mdwiki/topics/tazpod-vault-mechanism.mdwiki/operations/tazpod-cli-reference.mdwiki/index.md
Why it matters:
This provides the final piece of the onboarding puzzle for new agents, explaining how to maintain their own secrets, recover the environment from S3, and use the TazPod toolchain to interact with the rest of the TazLab infrastructure.
[2026-04-23] restructure | deep TazLab K8s GitOps manual expansion
Completed the GitOps manual by documenting the Flux DAG, repository structure, operator inventory, and cold-start logic.
Created or updated:
wiki/topics/tazlab-k8s-flux-dag.mdwiki/topics/tazlab-k8s-repository-mapping.mdwiki/topics/tazlab-k8s-operators-inventory.mdwiki/topics/tazlab-k8s-bootstrap-logic.mdwiki/topics/tazlab-k8s-conventions.mdwiki/index.md
Why it matters:
This provides a detailed technical reference for the cluster’s desired state, allowing future agents to navigate the GitOps dependency graph, troubleshoot reconciliation issues, and correctly add or modify infrastructure operators and application manifests.
[2026-04-23] restructure | deep TazPod manual expansion
Completed the operator documentation by secluding the tazpod repository into granular topics covering image layering, the RAM-only security model, and nomadic recovery workflows.
Created or updated:
wiki/topics/tazpod-image-hierarchy.mdwiki/topics/tazpod-vault-security.mdwiki/topics/tazpod-nomadic-recovery-flow.mdwiki/topics/tazpod-provisioning-and-dotfiles.mdwiki/topics/tazpod-sync-daemon.mdwiki/index.md
Why it matters:
This provides a definitive technical manual for the operator environment, ensuring that any future agent understands how to recover from scratch, how secrets are protected in memory, and how the containerized toolchain is provisioned and kept in sync with S3.
[2026-04-25] refine | high-definition TazPod manual revision
Reworked the canonical tazpod pages to align them with the actual Go command dispatch, vault paths, S3 contract, Docker layer chain, and .bashrc provisioning logic instead of relying on older generalized summaries.
Created or updated:
wiki/topics/tazpod-architecture.mdwiki/topics/tazpod-image-hierarchy.mdwiki/topics/tazpod-vault-security.mdwiki/topics/tazpod-nomadic-workflow.mdwiki/topics/tazpod-provisioning-and-dotfiles.mdwiki/topics/tazpod-sync-daemon.mdwiki/operations/tazpod-cli-reference.mdwiki/entities/tazpod.mdwiki/index.md
Why it matters:
The tazpod section now explains the actual runtime contract, command dispatch, persistence boundaries, cryptographic model, and operator recovery flow with enough fidelity that an agent can reason directly from the wiki before opening the code.
[2026-04-25] restructure | tailnet startup and verification path
Documented the non-interactive Tailscale startup flow and the verified peer reachability checks in both the Ephemeral Castle provider context and the wiki runbook/security pages.
Created or updated:
AGENTS.ctx/ephemeral-castle/CONTEXT.mdwiki/operations/ephemeral-castle-commands.mdwiki/topics/ephemeral-castle-tailnet-security.md
Why it matters:
This preserves the working tailnet join path that avoids an interactive login prompt, and it gives future operators a single documented entrypoint plus concrete ping targets for vault and cluster reachability.
[2026-04-26] ingest | Vault API access contract
Documented the Hetzner Vault API access pattern in wiki/topics/tazlab-secret-and-identity-flow.md and wiki/topics/ephemeral-castle-vault-runtime-architecture.md: Vault is reachable over Tailscale at https://lushycorp-api.ts.tazlab.net:8200, but helper tooling still authenticates with a Vault token, with the current canonical operator token sourced from ~/secrets/lushycorp-vault/admin-token.txt. This matters because the migration helper needs a durable, explicit contract and should not assume network access alone is sufficient.
[2026-04-26] ingest | Infisical source-side bootstrap contract
Updated wiki/topics/tazlab-k8s-secrets-mapping.md to record the current Infisical bootstrap inputs for tazlab-secrets: ~/secrets/infisical-client-id and ~/secrets/infisical-client-secret, with the source scope inherited from the ephemeral-castle live/env.hcl contract. This matters because the one-key migration helper needs a concrete source-auth contract as well as a destination-auth contract.
[2026-04-26] ingest | Infisical source-folder derivation
Clarified in wiki/topics/tazlab-k8s-secrets-mapping.md that the migration helper should infer the Infisical source folder from the existing bundle mapping table instead of asking the operator for an extra runtime argument. This matters because the helper contract stays minimal while still remaining deterministic.
[2026-04-27] query | Vault cluster-side reachability contract
Updated wiki/topics/ephemeral-castle-tailscale-bridge.md, wiki/topics/tazlab-secret-and-identity-flow.md, and wiki/topics/ephemeral-castle-vault-runtime-architecture.md after live verification from the cluster and the dedicated Tailscale tool session. The verified result is that cluster pods can already reach the Vault tailnet IP through the Talos node bridge, and HTTPS works when the request uses explicit SNI/host mapping, but workload DNS for lushycorp-api.ts.tazlab.net is not yet wired by the bridge alone. This matters because the Vault migration track is blocked not on raw pod-to-tailnet egress, but on the remaining cluster DNS / hostname contract required by ESO.
[2026-04-27] query | Vault native Tailscale hostname direction
Refined wiki/topics/ephemeral-castle-vault-runtime-architecture.md and wiki/topics/tazlab-secret-and-identity-flow.md with the code-verified distinction between the native Tailscale host identity lushycorp-vm.ts.tazlab.net and the custom runtime alias lushycorp-api.ts.tazlab.net. This matters because the preferred future architecture is to converge the Vault API/TLS contract onto the Tailscale-owned hostname rather than keep carrying custom DNS glue around a non-native alias.
Updated wiki/topics/ephemeral-castle-tailscale-bridge.md too so the bridge page now makes the same distinction explicitly and does not imply that the custom Vault alias is part of the Tailscale-owned naming surface.
[2026-04-28] query | Vault destroy/create matrix and bootstrap-anchor gap
Updated wiki/topics/ephemeral-castle-vault-bootstrap-and-restore.md, wiki/topics/ephemeral-castle-vault-runtime-architecture.md, wiki/topics/ephemeral-castle-hetzner-vault-runtime.md, and wiki/operations/ephemeral-castle-commands.md after the live Phase-1 validation pass for 09-vault-k8s-integration-prep. The durable findings are that the old C2 matrix still governs current behavior, T0 + H0 + S1 is an intentional hard-fail state, create-time validation depends on a live operator-side Tailscale session, and the runtime classifies TazPod state from ~/secrets/lushycorp-vault/ rather than from /workspace/.tazpod/vault/vault.tar.aes directly. This matters because the missing operator-side canonical bootstrap files, not a broken matrix, are what currently block a deterministic destroy/create completion.
[2026-04-28] query | Encrypted vault archive content check
Extended wiki/topics/ephemeral-castle-vault-bootstrap-and-restore.md after a direct decrypted inspection of /workspace/.tazpod/vault/vault.tar.aes. The verified result is that the current encrypted archive predates the April C1/C2 Vault work and contains zero lushycorp-vault/* entries, so the bootstrap-anchor gap is not caused by a bad unlock/materialization step; the active encrypted archive itself never captured the canonical Vault bootstrap set.
[2026-04-28] query | Missing tazpod save/push after Vault Phase B
Extended wiki/topics/ephemeral-castle-vault-bootstrap-and-restore.md again after a code audit of the Vault runtime role and tazpod vault implementation. The verified result is that the runtime does write canonical Vault artifacts into ~/secrets/lushycorp-vault/ during Phase B, but nowhere in the C1/C2 flow does it run tazpod save plus tazpod push vault. This matters because it identifies the real root cause: the operator-side RAM secrets were updated, but the encrypted archive backing future unlocks was never refreshed.
[2026-04-28] query | Vault persistence remediation and runtime re-stabilization
Updated wiki/topics/ephemeral-castle-vault-bootstrap-and-restore.md and wiki/topics/ephemeral-castle-vault-runtime-architecture.md after the runtime persistence fix and live recovery pass. The durable result is that the runtime flow now asserts the RAM vault is really mounted and runs tazpod save / tazpod push vault from /workspace, while the live environment was repaired so the encrypted operator archive again contains the full lushycorp-vault/* canonical set and the remote snapshot lineage was reinitialized under 61e17cbf-f522-4825-9bfe-444373173650. The same pass also surfaced two residual tazpod UX bugs: save can look successful when the RAM mount is absent, and push is cwd-sensitive if called outside the workspace root.
[2026-04-29] detail | mnemosyne-mcp-server debts
Created a dedicated debt detail page for mnemosyne-mcp-server documenting all known code-level gaps found during the Section 4 wiki-archivist survey review.
Created or updated:
wiki/details/mnemosyne-mcp-debts-detail.md— TD-002, async ingestion error swallowing, unreachable temporal filters, unbounded dedup cache, missing graceful shutdown, no HTTP auth, root path serving MCP traffic, Python tool gapswiki/entities/mnemosyne-mcp-server.md— added Known Issues / Technical Debt section linking to the new detail pagewiki/index.md— added Details section
Why it matters:
This anchors the wiki’s technical debt documentation model: instead of burying known issues in generic architecture pages, each area gets a dedicated debt detail page that cross-references the canonical TD register in memory, the AGENTS.ctx context, and the specific source code paths. Agents navigating the wiki can immediately see what is broken or risky in an area without reading the full implementation.
[2026-04-29] detail | mnemosyne-mcp-server section completed
Completed Section 4 of the wiki-archivist survey plan: created all 5 remaining missing pages and updated the entity hub following the standard Level 1 template.
Created or updated:
wiki/topics/mnemosyne-database-schema.md— NEW: database schema, pgvector queries, dimension auto-detectionwiki/details/mnemosyne-ingest-memory-detail.md— NEW: exact ingestion pipeline with code pathswiki/details/mnemosyne-retrieve-memories-detail.md— NEW: semantic search flow and temporal filter gapwiki/details/mnemosyne-deployment-detail.md— NEW: Docker, CI/CD, Flux automation, cluster manifestswiki/details/mnemosyne-python-tools-detail.md— NEW: chronicler.py, gather_sessions.pywiki/entities/mnemosyne-mcp-server.md— UPDATED: added repository structure, quick facts, canonical starting pageswiki/index.md— UPDATED: added Knowledge Systems topic section and 4 new detail entries
Why it matters:
Section 4 was previously marked “Completed” in the survey state but only 6 of 11 planned pages existed. The 5 missing pages included the database schema topic and 4 Level 3 detail pages. The entity hub also lacked standard Level 1 sections. This pass closes all gaps and fixes broken cross-links from the existing topic pages to the newly created details.
[2026-04-29] detail | tazlab-k8s Flux section (Section 3 — Flux scope)
Created and updated pages for the Flux/GitOps scope of Section 3 in the wiki-archivist survey plan.
Created:
details/tazlab-k8s-flux-kustomizations-detail.md— All 12 Flux Kustomizations with exact spec, wait policy, dependencies, timeout, health checksdetails/tazlab-k8s-image-automation-detail.md— 4 image automation pipelines (blog, wiki, mcp, openclaw) with tag patterns and commit strategy
Updated:
entities/tazlab-k8s.md— Full Level 1 hub: repository structure, quick facts, canonical starting pages, relationshipstopics/tazlab-k8s-flux-dag.md— Corrected wait policy truth table, added apps-openclaw, fixed misleading “wait: false from Level 3 onwards” statement, added health checks sectiontopics/tazlab-k8s-operators-inventory.md— Added missing operators (dex, OAuth2 Proxy, cloudflare-ddns, pgadmin, homepage, metrics-server), namespace inventory tablewiki/index.md— Added 2 new detail entries
Why it matters:
The existing flux-dag page had drifted from the actual Kustomization manifests: it incorrectly stated that all Level 3+ Kustomizations use wait: false (in reality, only infrastructure-instances does; apps-openclaw and infrastructure-auth use wait: true). The operators inventory was missing 5 controllers and had no namespace inventory. Both are now aligned with the code.
[2026-04-29] detail | tazlab-k8s Section 3 completed
Completed the remaining operator/app detail pages, reference pages, and Level 4 docs for tazlab-k8s.
Created:
details/tazlab-k8s-cert-manager-detail.md— ClusterIssuers, certificate lifecycle, Cloudflare DNS01details/tazlab-k8s-traefik-detail.md— HelmRelease, LoadBalancer, middlewares, ingress classdetails/tazlab-k8s-external-secrets-detail.md— All ExternalSecrets inventory, templatesdetails/tazlab-k8s-tazlab-db-detail.md— PostgresCluster, databases, init SQL, S3 backupdetails/tazlab-k8s-dex-oauth2-detail.md— Dex OIDC, OAuth2 Proxy, ForwardAuth middlewaredetails/tazlab-k8s-hugo-blog-detail.md— Deployment, redirect ingress, certificate, image automationdetails/tazlab-k8s-hugo-wiki-detail.md— Wiki deployment, TLS, delivery chaindetails/tazlab-k8s-monitoring-detail.md— kube-prometheus-stack, Grafana PostgreSQL backend, dashboardsdetails/tazlab-k8s-openclaw-detail.md— AI agent, network policy, PVCs, TD-019references/tazlab-k8s/flux-kustomization-example.md— Annotated Kustomization YAMLreferences/tazlab-k8s/image-policy-example.md— Full ImagePolicy pipeline examplereferences/tazlab-k8s/external-secret-example.md— Three ExternalSecret variantsreferences/tazlab-k8s/kustomize-layering.md— Base/cluster overlay pattern
Updated:
wiki/index.md— Added 13 new detail + reference entries
Total: 13 new pages created, 3 existing pages updated, all cross-linked correctly.
[2026-04-29] detail | tazpod Section 1 completed
Completed Section 1 (tazpod) of the wiki-archivist survey plan: 9 Level 3 details, 7 Level 4 references, updated hub and 3 topic/operation pages.
Created:
details/tazpod-smart-entry-detail.md— Flow diagram, branch conditions, code pathsdetails/tazpod-vault-lifecycle-detail.md— unlock/lock/save/push/pull, AWS bridge, SetupIdentitydetails/tazpod-sync-daemon-detail.md— 5-min cycle, SIGTERM, log path, failure modeldetails/tazpod-container-lifecycle-detail.md— Docker flags, state machine, MTU issuedetails/tazpod-dotfiles-detail.md— bashrc, tmux, symlinks, OpenCode seedingdetails/tazpod-config-detail.md— All Config struct fields with defaultsdetails/tazpod-crypto-detail.md— AES-256-GCM, PBKDF2, output formatdetails/tazpod-s3-detail.md— S3 client, vault object contract, cwd sensitivitydetails/tazpod-ci-detail.md— Build matrix, conditional Docker pipelinereferences/tazpod/config-yaml-example.md,dockerfile-*(4),bashrc-full.md,taskfile-yml.mdentities/tazpod.md— Full hub with repo structure, quick facts, canonical pages, TD table
Updated:
operations/tazpod-cli-reference.md— Added missing commands, flag tables, exit codestopics/tazpod-sync-daemon.md— Added 5-min interval, SIGTERM, log pathtopics/tazpod-vault-security.md— Added TD-022, TD-021 referencestopics/tazpod-architecture.md— Added links to all new detail pageswiki/index.md— Added 16 new entries + new References subsection
Total: 16 new pages (9 detail + 7 reference), 5 existing pages updated.
[2026-04-29] detail | tailscale Section 7 completed
Completed Section 7 (tailscale networking) of the wiki-archivist survey plan: 4 Level 2 topics, 5 Level 3 details, 3 Level 4 references, updated hub and 2 existing pages.
Created:
entities/tailscale.md— Full hub: network segments, vault hostname evolution, quick facts, known issuestopics/tailscale-iac-management.md— Terraform provider, OAuth client model, ACL as codetopics/tailscale-operator-connectivity.md— Userspace daemon, auth key minting, restart after containertopics/tailscale-cluster-integration.md— Talos System Extension, raw IP vs DNS gaptopics/tailscale-vault-contract.md— Vault hostname evolution, MagicDNS convergence, TD-020details/tailscale-terraform-root-detail.md— Resource inventory, variables, outputsdetails/tailscale-acl-policy-detail.md— Tag ownership, ACL diagram, SSH accessdetails/tailscale-oauth-client-detail.md— Key minting flow, fallback, key propertiesdetails/tailscale-talos-bridge-detail.md— System Extension config, AuthKey injectiondetails/tailscale-magicdns-detail.md— Naming contracts, custom alias pitfallsreferences/tailscale/acl-json.md— Current ACL policyreferences/tailscale/terraform-main-tf.md— Terraform root modulereferences/tailscale/start-sh.md— Operator daemon start script
Updated:
topics/ephemeral-castle-tailnet-security.md— Replaced stale hostnamelushycorp-vm-ts-tazlab-net-3with currentlushycorp-vault, added vault hostname note, links to new pagestopics/ephemeral-castle-tailscale-bridge.md— Updated verification with current FQDN and tailnet IP, corrected custom alias explanationwiki/index.md— Added Tailscale Networking section, 5 new details, 3 references
[2026-04-29] detail | blog-src Section 5 completed
Completed Section 5 (blog-src) of the wiki-archivist survey plan: 4 Level 2 topics, 3 Level 3 details, updated hub.
Created:
entities/blog-src.md— Full hub: repo structure, quick facts, canonical pagestopics/blog-publication-pipeline.md— Multi-step GitOps publication chaintopics/blog-content-structure.md— Article organization, front matter, bilingual modeltopics/blog-comments-system.md— Cusdis Cloud, bilingual threads, future self-hostedtopics/blog-theme-management.md— Blowfish versioning, pinning, config sectionsdetails/blog-post-workflow-detail.md— 5-phase writing workflow, prompt files, image processingdetails/blog-hugo-config-detail.md— Site, language, theme configuration referencedetails/blog-ci-detail.md— GitHub Actions pipeline, tag strategy, delivery chain
[2026-04-29] detail | ephemeral-castle Section 2 completed
Completed Section 2 (ephemeral-castle + vault) of the wiki-archivist survey plan: 8 Level 3 details, 5 Level 4 references, updated hub and 2 existing pages.
Created:
entities/ephemeral-castle.md— Full hub: repo structure, quick facts, canonical pages, TD tabledetails/ephemeral-castle-create-destroy-detail.md— 6-stage create pipeline, destroy process, preflight checksdetails/ephemeral-castle-ansible-vault-detail.md— Classification, guards, execution, post-convergencedetails/ephemeral-castle-terraform-modules-detail.md— 6 modules, build orderdetails/ephemeral-castle-terragrunt-layers-detail.md— Dependency chain, env.hcl, secret injectiondetails/ephemeral-castle-vault-ansible-scripts-detail.md— phase-a-bootstrap, unseal, backup, restoredetails/ephemeral-castle-vault-systemd-detail.md— 5 systemd units, Quadlet TD-016details/ephemeral-castle-golden-image-detail.md— Builder pipeline, v1-v4 historydetails/ephemeral-castle-proxmox-cluster-detail.md— create/destroy/nuclear-wipe/stress-testreferences/ephemeral-castle/vault-hcl-template.mdreferences/ephemeral-castle/create-sh-stages.mdreferences/ephemeral-castle/ansible-inventory.mdreferences/ephemeral-castle/env-hcl.mdreferences/ephemeral-castle/vault-certs-fetch.md
Updated:
topics/ephemeral-castle-vault-runtime-architecture.md— Added TD links and detail page referencesoperations/ephemeral-castle-commands.md— Added Ansible playbooks, golden-image build, corrected ping targetswiki/index.md— Added 8 new details, 5 references
Total: 15 new pages, 2 existing pages updated. Section 2 fully completed.
[2026-04-29] detail | agents-ctx Section 6 + cross-cutting Section 8 completed
Final two sections completed. Created 22 pages total.
Section 6 (agents-ctx):
entities/agents-ctx.md— Full hub with context registry and canonical pages- 5 Level 2 topics: context-system, memory-system, crisp-methodology, pi-council, wiki-archivist
- 3 Level 3 details: archive-flow, crisp-workflow, memory-files
Section 8 (cross-cutting + blog ingestion):
concepts/zero-trust-architecture.md— Security model across all layersconcepts/nomadic-operator.md— Portable operator identitytopics/tazlab-operating-model.md— Repository roles in daily work- 7 blog source ingestion pages: ephemeral-castle-vision, tazpod-rising, tazpod-v2-ram-vault, bootstrap-from-zero, phoenix-protocol, immutable-handover, terragrunt-pivot
Total survey complete: 8 sections, all pages created and cross-linked.
[2026-04-30] query | Transport root cause confirmed, TUN mode adopted, split playbooks, timing improvement
Updated wiki pages after the TazPod hostnet+TUN runtime confirmed that the remaining Hetzner Vault create pipeline failures were caused by the old Docker userspace-networking + tailscale nc transport path, not by Vault/Ansible logic. The full create cycle now runs in ~344s (down from ~1200s).
Updated:
topics/tailscale-operator-connectivity.md— Added Host Network + TUN Mode section documenting--network host,--cap-add NET_ADMIN,/dev/net/tun,tazpod-tailscale-up,TAILSCALE_SOCKETauto-detection,render-tailscale-inventory.shTUN auto-detection, and the performance improvement.operations/ephemeral-castle-commands.md— Replaced monolithicvault-s3-backup-recovery.ymlwith 3 split playbooks (install/converge/post), added new phase log patterns (*-60-vault-runtime-install.log,*-70-vault-runtime-converge.log,*-80-vault-runtime-post.log), updated preflight to note that hostnet+TUN mode runs Tailscale natively viatazpod-tailscale-up, added 344s timing table.entities/ephemeral-castle.md— Added TD-024 (Closed) to Known Issues, updated vault tailnet IP to 100.82.13.87, updated create.sh description to “8-stage provisioning pipeline (~344s)”, added playbook names to ansible entry.wiki/index.md— Updated tailscale-operator-connectivity description to reflect both modes.
Why it matters: The transport-layer root cause is now confirmed and resolved. The wiki should teach future operators that the old userspace path is deprecated and that hostnet+TUN is the default, faster, and more reliable runtime mode.
[2026-05-02] update | tazpod v0.3.21 — vault auto-lock, vault CLI, KUBECONFIG
Updated:
entities/tazpod.md— version 0.3.18 → 0.3.21, added TD-027 to Known Issuestopics/tazpod-image-hierarchy.md— added vault CLI and KUBECONFIG ENV to k8s layerdetails/tazpod-dotfiles-detail.md— replaced staletazpod()wrapper, addedvault_maybe_locktrap section with reference counting, added auto-load on shell startdetails/tazpod-vault-lifecycle-detail.md— added auto-lock on last shell exit section, TD-027 regression analysiswiki/log.md— this entry
Why it matters: The vault auto-lock regression had two cumulative root causes going back months. Documenting the trap + reference counting fix and the multi-shell behavior ensures operators understand how the vault lifecycle works and why it only locks on the last exit.
[2026-05-03] update | tazpod v0.3.22 — final marker-file vault auto-lock
Updated:
entities/tazpod.md— version 0.3.21 → 0.3.22, TD-027 summary corrected to marker-file final fixdetails/tazpod-dotfiles-detail.md— replaced stalepgreptrap with final marker-file implementation in/tmp/.tazpod-shells/details/tazpod-vault-lifecycle-detail.md— updated auto-lock section to final v0.3.22 design and historywiki/log.md— append entry
Why it matters:
The earlier pgrep-based shell counting was not resistant enough to real operator behavior (background subshells, orphaned docker exec sessions, repeated container rebuild tests). The final marker-file approach is simpler to reason about, survives stale-process cleanup, and matches the desired rule: first exit of multiple shells does nothing, last exit locks the vault.
[2026-05-05] update | CRISP 07-tailscale-operator-deployment split → wiki alignment
Updated wiki to reflect the CRISP project split of 07-tailscale-operator-deployment into two subprojects:
10-operator-dns-resolution— Tailscale Kubernetes Operator bootstrap + MagicDNS resolution (magellanic-gondola.ts.net) for cluster pods, via DNSConfig + CoreDNS forwarding. Hard prerequisite for09-vault-k8s-integration-prepPhase 2.20-tailscale-service-exposure— Postgres tailnet exposure, admin dashboard migration. Deferred until after Vault migration (09/10).
Updated:
entities/tailscale.md— Addedk8s_operatorOAuth client (tagtag:k8s-operator, scopedevices), Tailscale Kubernetes Operator section, updated Quick Factstopics/tailscale-cluster-integration.md— Updated Connectivity Model with DNS resolution path diagram, documented CoreDNS hostNetwork constraint and Operator DNS solutiontopics/tazlab-k8s-operators-inventory.md— Added Tailscale Operator as #14 with HelmRelease details, addedtailscalenamespace to inventoryentities/tazlab-k8s.md— Addedtailscale/to operators/core/, configs/, and DNSConfig to bridge/ in directory treetopics/tazlab-crisp-program-map.md— Updated30-hetzner-vault-consumerssection with 07 split and child project descriptionstopics/tailscale-vault-contract.md— Split cluster pod path into current (IP-only with CoreDNS constraint) and planned (Operator DNS resolution)wiki/log.md— this entry
Why it matters:
The 07 split mirrors a real architectural decision (MagicDNS resolution via Operator DNS + CoreDNS forwarding, avoiding hostNetwork and Talos machine config changes). The wiki must reflect the planned state so future agents and operators understand the DNS architecture before crisp-build executes the plan.
[2026-05-07] update | antigravity plugin removed
Removed all antigravity (opencode-antigravity-auth@beta) references from the wiki after the plugin was purged from the TazPod runtime and image due to ToS violation risk.
Updated:
details/tazpod-dotfiles-detail.md— removed antigravity.json seed and npm install steps from OpenCode auto-seeding sectionreferences/tazpod/bashrc-full.md— replaced the antigravity opencode.json/antigravity.json block with standard model configtopics/tazpod-provisioning-and-dotfiles.md— removed antigravity seed steps, added removal notewiki/log.md— this entry
Why it matters:
The antigravity plugin was removed from both the current runtime and the tazpod .bashrc provisioning so it will not reappear on next container restart. The wiki must reflect the current provisioning state to avoid teaching operators about a removed component.
[2026-05-08] ingest | Tailscale Operator DNS, create.sh hardening, Infisical EU endpoint
Updated pages with findings from the 10-operator-dns-resolution build session (8 destroy/create cycles).
Created/Updated:
topics/tailscale-cluster-integration.md— Replaced “Planned” DNS path with deployed solution: hostNetwork CoreDNS relay DaemonSet (port 5353), static hosts mapping for Vault, note about DNSConfig limitation (operator-proxy names only)topics/ephemeral-castle-rebirth-protocol.md— Added ghcr pull secret section, CoreDNS MagicDNS patch section, storage parallelization note, TD-026 auth race, documented log locationstopics/tazlab-k8s-operators-inventory.md— Tailscale Operator updated from “Planned” to “Deployed 2026-05-08” with 3-layer Flux DAG detailstopics/tazlab-k8s-secrets-mapping.md— Added Infisical EU endpoint (eu.infisical.com), project slug, secrets pathwiki/log.md— this entry
Why it matters: The cluster bootstrap process was hardened against ghcr.io anonymous rate limits, CoreDNS inlineManifest overwrites, and sequential layer bottlenecks. The Tailscale Operator DNS path was corrected after discovering DNSConfig only resolves operator-managed proxy names. The Infisical EU endpoint was discovered (setup.sh and ESO were configured with the wrong region endpoint). Auth race against Dex documented as TD-026.
[2026-05-09] review | tailscale + tazlab-k8s post Tailscale Operator deployment
Review pass after Tailscale Operator deployment (2026-05-08). Updated stale wiki pages to reflect live cluster state.
Updated:
entities/tailscale.md— K8s Operator da Planned a Deployed,k8s_operatorOAuth aggiornato, Quick Facts correttitopics/tazlab-k8s-flux-dag.md— 12→15 Kustomizations, aggiunto ramo Tailscale (3-layer DAG), livelli rinumerati (da 4 a 5)details/tazlab-k8s-flux-kustomizations-detail.md— inventory da 12 a 15, DAG diagram con ramo Tailscale, 3 nuove schede (infrastructure-tailscale, operators-tailscale, tailscale-dns), wait table aggiornatatopics/tailscale-vault-contract.md— sezione “planned: DNS resolution” → “deployed 2026-05-08: DNS relay”details/tailscale-magicdns-detail.md— gap risolto dal DNS relay, documentato flusso pod DNS e limitazione DNSConfigAGENTS.ctx/crisp/CONTEXT.md— registry:10-operator-dns-resolutionda Draft a Completed
Why it matters: La wiki diceva ancora “Planned”/“Draft”/“12 Kustomizations” mentre il Tailscale Operator è deployato su cluster dal 2026-05-08 con 3 nuove Kustomization e DNS relay funzionante. Il review allinea la documentazione alla realtà del codice.
[2026-05-15] restructure | new Hermes Agent section
Created the Hermes Agent section for the new Proxmox LXC deployment (ephemeral-castle/hermes/). Hermes was implemented after the last wiki survey (2026-04-29) and had no wiki coverage.
Created:
entities/hermes.md— Entity hub with repo structure, quick facts, canonical pages, relationshipstopics/hermes-lxc-deployment.md— Level 2 topic: architecture, design decisions, iteration history, storage model, lifecycle timing
Updated:
entities/ephemeral-castle.md— Addedhermes/to repository structure, added hermes relationshipwiki/index.md— Added hermes entity entry and new “AI Agent Services” topic section
[2026-05-15] update | Hermes Agent — Pet vs Cattle persistence pattern
Updated wiki to reflect the final persistence architecture: CT 999 (pet) owns the 10G volume, CT 105 (cattle) mounts it via API. Replaced backup/restore references with the Pet vs Cattle pattern.
Pages updated:
entities/hermes.md— Full rewrite with Pet vs Cattle architecture, both CT IDs, research assets referencestopics/hermes-lxc-deployment.md— Full rewrite: new lifecycle timings (137s), research history, API call references
[2026-05-16] detail | tazpod code structure page
Created a new Level 3 detail page documenting the tazpod Go source code structure after a full source read pass.
Created:
details/tazpod-code-structure-detail.md— Package tree, file-by-file function inventory (all 8 files), dispatch table, key call chains (up,smartEntry,unlock,save+push), cross-file dependencies, 10 code-encoded architectural decisions, known issues table
Updated:
entities/tazpod.md— Added Code Structure Detail to CLI & Container Lifecycle canonical pagestopics/tazpod-architecture.md— Added child link to Code Structure Detailwiki/index.md— Added new detail entrywiki/log.md— this entry
Why it matters: The wiki had 9 Level 3 detail pages and 7 Level 4 reference pages for tazpod covering lifecycle, vault, config, crypto, S3, CI, smart entry, and dotfiles, but no page documented the actual Go code structure itself — how main.go dispatches, how the 8 files relate, what the internal packages contain, and what the full call chains look like. This page fills that gap as the definitive code-navigation map.
[2026-05-20] forge | tazpod
Forged the TazPod Development & Hardening context.
Created:
wiki/contexts/tazpod-context.md— Pre-built operational context file.
Updated:
wiki/contexts/INDEX.md— Added the new context to the catalog index.wiki/log.md— this entry.
Why it matters:
This establishes the tazpod development and hardening context as a self-contained brief, indexing all relevant wiki pages, memory items, open technical debts, and CRISP project dependencies to make it immediately operational for execution.
[2026-05-20] update | tazpod v0.3.30 — Antigravity CLI and persistence
Updated:
entities/tazpod.md— Current version bump to 0.3.30.details/tazpod-dotfiles-detail.md— Added.antigravityand.antigravityclito the persistent symlinks table.wiki/log.md— this entry.
Why it matters:
TazPod was updated to v0.3.30 by adding the Antigravity CLI to the AI Docker layer (Dockerfile.ai) and extending .bashrc bootstrap script to mount .antigravity (settings/extensions) and .antigravitycli (trusted workspace registrations) folders persistently under /workspace/.tazpod/. This ensures the AI agent state is preserved across container restarts.
[2026-05-20] update | tazpod vault S3 history design
Updated wiki pages with the tazpod-vault-s3-history CRISP project design: S3 history key structure, content-hash skip logic, retention policy (N=50), TD-022 fix (vaultFilePath dual-path), pull –index, and list vault-history.
Updated:
details/tazpod-s3-detail.md— added History Copies section, new S3 Methods table, fixed TD-022 section, updated Vault Object Contractdetails/tazpod-vault-lifecycle-detail.md— updated push/pull/save sections with content-hash, –index, history/retentiondetails/tazpod-sync-daemon-detail.md— added note that history is manual-only, daemon does not produce history
Why it matters: Documents the full design for the upcoming feature, including the content-hash skip trick (hash plaintext before encryption to avoid salt/nonce noise) and the dual-path resolution that works from both container and host.
[2026-05-20] forge | lushycorp-vault
Forged the LushyCorp Vault Runtime operational context.
Created:
wiki/contexts/lushycorp-vault-context.md— Pre-built operational context for Hetzner Vault runtime.
Updated:
wiki/contexts/INDEX.md— Added the new context to the catalog index.wiki/log.md— this entry.
Why it matters: This establishes the LushyCorp Vault runtime context as a self-contained brief, indexing all relevant wiki pages (vault architecture, bootstrap & restore, create/destroy lifecycle, Tailscale contract), memory items (chronicle entries for Phase 1/2, TD-016/020/021/022), and CRISP project dependencies (09-vault-k8s-integration-prep, 15-tailscale-operator-hardening, 10-operator-dns-resolution) to make it immediately operational for execution.
[2026-05-21] update | wiki allineamento Vault — 09 Phase 2
Updated 4 pages and the index after verifying prerequisites for 09-vault-k8s-integration-prep Phase 2:
Updated:
wiki/topics/tailscale-vault-contract.md— rimosse sezioni obsolete (relay DaemonSet, IP-only path). Aggiunta architettura ExternalName egress proxy, CoreDNS Disable&Replace, Migration Direction con Phase 1 ✅ / Phase 2 🔄 / Phase 3.wiki/details/tailscale-magicdns-detail.md— sostituita sezione relay DaemonSet con ExternalName + DNSConfig (architettura corrente). Aggiunto CoreDNS Hardening su Talos, nota “Previous Approach (decommissioned)”.wiki/entities/hashicorp-vault.md— reso operativo: tabella stato layer, CRISP projects table, link a tutti i topic correlati.wiki/topics/ephemeral-castle-hetzner-vault-runtime.md— “converging toward” → “converged” (Phase 1 completata).
Added to index:
entities/hashicorp-vault.md— mancante dalla sezione Entities.
Why it matters: the wiki now riflette l’architettura corrente (ExternalName egress proxy, CoreDNS Disable&Replace) invece del relay DaemonSet obsoleto, e documenta lo stato Phase 2 appena sbloccato.
[2026-05-28] update | Bootstrap engine restructured — CoreDNS user-managed, Vault-native secrets, one-shot cluster
Updated 2 wiki pages to reflect the bootstrap restructuring (2026-05-28):
Updated:
entities/ephemeral-castle.md— Updated repo structure description (engine layer now includes CoreDNS + vault secrets + direct file tokens), added TD-028/029/030 to Known Issues.topics/ephemeral-castle-rebirth-protocol.md— Full rewrite of the bootstrap flow: Talos patches baked into proxmox-talos module, engine layer details (CoreDNS, vault secrets, github/tailscale tokens), bootstrap deadlock avoidance table, PGO sync step, final convergence timing.
Key content added:
- CRITICAL LESSON documented:
machine.certSANs≠cluster.apiServer.certSANs. Wrong path triggers trustd PKI regeneration causing cluster deadlock. - Bootstrap deadlock table with 6 fix scenarios.
- Bootstrap order: platform → engine (CoreDNS+vault+secrets) → networking+gitops → storage → PGO sync → Grafana.
Why it matters: The wiki now describes the actual one-shot bootstrap process that requires zero manual intervention, replacing the old process that had circular dependencies and manual secret creation steps.
[2026-05-28] update | Tailscale DNS container fixes — stateful filtering, auto-start, update-hosts
Updated 3 wiki pages to reflect the Tailscale DNS fixes in the TazPod container (2026-05-27→2026-05-28):
Root cause documented: Tailscale v1.66+ stateful filtering drops UDP DNS from Docker bridge interfaces to MagicDNS (100.100.100.100). Fix: --stateful-filtering=false, --accept-dns=false, update-hosts.sh.
Updated:
references/tailscale/start-sh.md— Full rewrite aligned with actualstart.sh: stale process cleanup,--stateful-filtering=false,--accept-dns=false,update-hosts.shcall. Added changelog table.topics/tailscale-operator-connectivity.md— Removed “no auto-start mechanism” statement. Added DNS root cause section, auto-start via.bashrc,update-hosts.shreference. Updated TUN mode section with all DNS flags.details/tazpod-dotfiles-detail.md— Corrected Tailscale Auto-Start section with actualif/elselogic: first shell launchesstart.sh, second shells runupdate-hosts.sh. Added DNS fix chain note.
Why it matters: The wiki now correctly documents the current Tailscale DNS architecture inside the TazPod container instead of the outdated userspace-only, no-auto-start state. Operators and agents can understand the stateful filtering root cause, the fix chain, and the auto-start behavior from the wiki without reading the scripts.
[2026-05-22] update | wiki Vault migration completata — Infisical come legacy
Updated 3 pages to reflect completion of Vault migration and Infisical retirement:
Updated:
wiki/topics/tazlab-k8s-secrets-mapping.md— riscritta: tabella con Vault paths reali, two-store model (Vault primary, Infisical legacy). Rimossa sezione bootstrap Infisical.wiki/entities/infisical.md— riscritta: da “current backend” a “superseded by Vault, legacy fallback”. Aggiunta sezione decommission timeline.wiki/details/tazlab-k8s-external-secrets-detail.md— aggiornata: tabella with two stores (Vault primary, Infisical legacy).wiki/entities/hashicorp-vault.md— consumer migration → Completed.
Why it matters: future agents reading the wiki will now see Vault as the primary backend, not Infisical.
[2026-05-24] lint | Infisical/Zero-SOPS stale references pulite su 23 pagine
Trigger: Allineamento wiki a codice dopo sessione CRISP project 15 e ricerca Vault Agent Injector.
Contesto: 23 pagine wiki ancora citavano Infisical come backend attivo. Ricerche agent sui repo live hanno confermato:
env.hclnon ha piú variabili Infisical (ora usaget_env()da~/secrets/)secrets-fetchermodule non usa Infisical (legge solo env vars)- Terragrunt layers non creano piú provider Infisical
- ClusterSecretStore
tazlab-secretsha credenziali vuote — nessun ExternalSecret lo referenzia - SOPS/age non sono mai stati in uso nel codice attuale
Pagine corrette (lista completa in appendix):
Why it matters: Future agent che legge wiki vede Vault come backend attivo. Informazioni allineate al codice live.
Pages Updated
entities/hashicorp-vault.md— CRISP status 10/12 Completed, 22 ExternalSecrets, Tailscale Operator exposure completata, Vault Agent Injector futureentities/tazlab-k8s.md— backend da “Infisical (→ Vault)” a “Vault”entities/ephemeral-castle.md— layer 1 da “Infisical” a “bootstrap credentials (~/secrets/)”entities/infisical.md— da “superseded in progress” a “decommissioned”topics/tazlab-secret-and-identity-flow.md— riscritta: layered model Level 1/2/3, Vault backend, Infisical legacy, future Agent Injectortopics/tazlab-k8s-bootstrap-logic.md— Infisical → Vaulttopics/tazlab-k8s-ingress-and-auth.md— Infisical → Vault per wildcard TLStopics/tazlab-k8s-operators-inventory.md— ClusterSecretStore e Tailscale OAuth source da Infisical a Vaulttopics/tazlab-k8s-configs.md— “Infisical-backed” → “Vault via ExternalSecret”topics/ephemeral-castle-architecture.md— Infisical → env vars da ~/secrets/topics/ephemeral-castle-repository-map.md— Infisical-backed → bootstrap ~/secrets/topics/ephemeral-castle-proxmox-talos-foundation.md— Infisical → ~/secrets/topics/ephemeral-castle-cluster-bootstrap.md— Infisical → operator env varstopics/tazlab-infrastructure-tech-stack.md— Infisical → Vaultdetails/tazlab-k8s-external-secrets-detail.md— tabelle “Infisical Key” → “Vault Path”. Aggiunte voci: Tailscale, Grafana, AWS backrest. Aggiunto future Agent Injector.details/tazlab-k8s-cert-manager-detail.md— Infisical → Vault pathdetails/tazlab-k8s-dex-oauth2-detail.md— Infisical → Vaultdetails/tazlab-k8s-hugo-wiki-detail.md— Infisical → Vaultdetails/tazlab-k8s-openclaw-detail.md— Infisical → Vaultdetails/ephemeral-castle-terragrunt-layers-detail.md— Infisical → operator env vars, ClusterSecretStore → Vaultdetails/ephemeral-castle-terraform-modules-detail.md— Infisical → operator environmentreferences/ephemeral-castle/env-hcl.md— riscritta: no Infisical vars, get_env() source tablereferences/tazlab-k8s/external-secret-example.md— name datazlab-secretsatazlab-secrets-vaulthomepage.md— “Infisical transizionale” → “Vault primario”
[2026-05-27] update | Tailscale service exposure + bashrc auto-start
What changed
- Created
wiki/topics/tailscale-service-exposure.md— 6 services migration from MetalLB/Traefik to Tailscale Ingress/LoadBalancer - Updated
wiki/references/tazpod/bashrc-full.md— added tailscale auto-start block with setsid - Updated
wiki/index.md— added tailscale-service-exposure to Tailscale Networking section
Why it matters
Service exposure via Tailscale is now the canonical path for internal services. Documentation was missing the migration details, design decisions (D1-D4), and the correct tailscale startup configuration.
[2026-05-27] review | Full wiki alignment (tailscale area)
What changed
- Updated
wiki/entities/tailscale.md— OAuth scopes updated (services+auth_keys), TD-020 closed, DNSConfig CR story corrected, Service Exposure link added - Updated
wiki/details/tailscale-oauth-client-detail.md— added k8s_operator client with services scope, credential storage for both clients, key minting via tazpod-tailscale-up - Updated
wiki/details/tailscale-acl-policy-detail.md— added tag:k8s, tag:internal-apps, new ACL rules for service exposure, fixed “planned” labels to active - Updated
wiki/topics/tailscale-iac-management.md— added k8s_operator OAuth client definition with services scope
Pages OK
- entities/tailscale.md — now reflects current state (TD-020 closed, OAuth scopes, exposure)
- details/tailscale-oauth-client-detail.md — both clients documented, correct scopes
- details/tailscale-acl-policy-detail.md — all tags and rules current
- topics/tailscale-iac-management.md — k8s_operator added
- topics/tailscale-service-exposure.md — newly created (this batch)
Pages with stale info (fixed)
- entities/tailscale.md: OAuth scope “devices” → “devices, auth_keys, services”
- entities/tailscale.md: TD-020 open → closed (replaced with TD-025)
- details/tailscale-acl-policy-detail.md: missing tag:k8s-operator, tag:k8s, tag:internal-apps
- details/tailscale-acl-policy-detail.md: “planned” labels on active rules
- topics/tailscale-iac-management.md: missing k8s_operator client
Cross-area findings
- wiki/docs/ directory missing archivist-procedure.md (referenced by AGENTS.ctx/wiki/CONTEXT.md but file lives in AGENTS.ctx/wiki/docs/)
[2026-05-27] update | Tailscale TUN fix + .bashrc auto-start
references/tailscale/start-sh.md: updated daemon start with TUN auto-detect (kernel-native when/dev/net/tunavailable, userspace fallback otherwise)references/tazpod/bashrc-full.md: replaced old blockingtazpod-tailscale-upcall with non-blockingtools/tailscale/start.shviasetsid, singleton socket check, visible rocket messagedetails/tazpod-dotfiles-detail.md: added Tailscale Auto-Start section with code block and timing notesentities/tazpod.md: bumped current version from 0.3.30 → 0.3.35entities/tailscale.md: updated operator daemon description to referencetools/tailscale/start.shwith TUN detection
[2026-05-29] update | ProxyGroup kube-apiserver + Vault DB engine
Updated:
entities/hashicorp-vault.md— added Database Engine, JWT auth, ProxyGroup, VM route acceptance, container detailstopics/tailscale-service-exposure.md— added ProxyGroup section, VIP routing note, –accept-routes requirement
Context: Replaced LoadBalancer Service with ProxyGroup for K8s API server exposure. Enabled Vault Database Secret Engine for PostgreSQL dynamic credentials. Configured Vault JWT auth with jwks_url. SSH key injected via Hetzner rescue mode. All 5 Mnemosyne memories saved.
[2026-05-29] update | Cross-check CRISP plan vs wiki — fixes applied
Cross-checked the CRISP plan for 10-vault-agent-injector-phase1 against the wiki. Found and fixed:
- Cilium assumption removed (cluster uses Flannel, confirmed by wiki)
- CoreDNS IP corrected from old relay
10.96.0.101to current DNSConfig architecture - Flux DAG dependsOn corrected to
infrastructure-tailscale-dns(DNS readiness before injector) - PLAN Stages 1-3 marked as completed (work done in session)
- Wiki entities updated:
tazlab-k8s.md(K8s version, CNI),ephemeral-castle.md(K8s version, CNI, oidc-reviewer, JWKS endpoint)
[2026-05-29] update | Stage 4-5 completed — Vault Agent Injector + Grafana migration
Updated:
entities/hashicorp-vault.md— add Vault Agent Injector status, Grafana migration, known bugstopics/tailscale-service-exposure.md— already updated in earlier session
Key events:
- Vault Agent Injector deployed (chart 0.32.0, injector-only, JWT auth via ProxyGroup)
- vault-k8s bug #660 workaround (auth-config-path annotation)
- Grafana migrated to dynamic Vault credentials (GF_DATABASE_USER__FILE / __PASSWORD)
- ExternalSecret tazlab-db-pguser-grafana removed
- Sidecar disabled via agent-pre-populate-only (read-only FS on Talos)
- All credentials verified working
[2026-05-29] update | Vault Agent Injector Pattern documentation + Followup completion
Created:
topics/vault-agent-injector-pattern.md— standard annotation set, Talos-specific requirements, bug #660 workaround, troubleshooting
Updated:
entities/hashicorp-vault.md— add Injector Pattern reference
Context: Completion of 11-vault-agent-injector-phase1-followup project.
[2026-06-01] update | Vault JWT auth fix, monitoring sbloccato, vault-k8s-config Ansible playbook
What changed
- Vault JWT bound_issuer corretto: Aggiornato da singolo issuer a concatenazione multi-issuer richiesta da Talos:
"https://lushycorp-k8s.magellanic-gondola.ts.net:6443,https://kubernetes.default.svc.cluster.local" - Vault database engine: Password
tazlab-adminaggiornata dopo destroy+create (PGO genera nuova password) - grafana-sa ServiceAccount: Creata e aggiunta come manifest Flux in
tazlab-k8s/infrastructure/operators/monitoring/grafana-sa.yaml - Monitoring stack: kube-prometheus-stack v61.3.1 installato e funzionante (Grafana 3/3, Prometheus 2/2, kube-state-metrics, node-exporter)
- Vault K8s config migrata in Ansible: Creato playbook
vault-k8s-config.yml(stagek8s_config) che configura JWT auth + database engine viakubectl execsul podvault-configurator. Sostituisce shell inline increate.sh - TD-034: Aggiornato a “In progress” con nota sulla risoluzione parziale
Pages created
ephemeral-castle/runtimes/lushycorp-vault/hetzner/ansible/vault-k8s-config.ymlephemeral-castle/runtimes/.../roles/vault-runtime/tasks/k8s-config.ymltazlab-k8s/infrastructure/operators/monitoring/grafana-sa.yaml
Why it matters:
Il cluster è pienamente operativo dopo destroy+create con monitoring attivo. Config Vault in Ansible idempotente. grafana-sa gestita da Flux. Prossimo destroy+create applica tutto automaticamente.
[2026-06-01] update | One Shot Cluster raggiunto — 14m 15s full ciclo
What changed
- One Shot Cluster: Quarto ciclo destroy+create (full da zero) completato in 14m 15s senza interventi manuali.
- Fix finali: VAULT_ANSIBLE_DIR usa SCRIPT_DIR, Ansible retry loop (until/retries=30/delay=10) su database config per gestire finestra password PGO post-restore.
- Stato: Flux 19/19, VSO 10/10, Grafana 3/3, DB 4/4.
Pages updated
ephemeral-castle/clusters/tazlab-k8s/proxmox/create.sh— path fix + PGO wait miglioratoephemeral-castle/.../roles/vault-runtime/tasks/k8s-config.yml— retry loop su database config
Why it matters:
Cluster completamente automatizzato. Prossimi cicli destroy+create non richiedono interventi.
[2026-06-05] forge | ephemeral-castle context
What changed
Created a pre-built operational context for the full ephemeral-castle infrastructure layer.
Pages created
wiki/contexts/ephemeral-castle-context.md— Full context: scope, wiki reading list, memory/debts/CRISP references, repo structure, execution hints, known pitfalls, open questions
Pages updated
wiki/contexts/INDEX.md— Added ephemeral-castle entry to context library index
Why it matters:
Provides a self-contained working brief for any agent working on the infrastructure layer (Proxmox, Talos, Terragrunt, Vault runtime, Tailscale, Hermes) without requiring preliminary research across wiki, memory, and CRISP.
[2026-06-07] cycle | 9th destroy+create — terragrunt cache fix, one-shot terragrunt phase
What changed
5th destroy+create cycle after Ansible→Terraform migration. Terragrunt part now fully one-shot (secrets → vault-jwt → engine → platform → parallel layers). Flux convergence needs manual post-steps for database + monitoring.
Bugs fixed
- Terragrunt
-reconfiguremancante → engine falliva dopo cache cleanup - Namespace engine mancanti (tailscale, external-secrets, tazlab-db)
- Dex namespace in operator wrong dir (VSO bloccato)
- Create.sh exit code mascherato da
echo "EXIT_...:$?" - Core kustomization riferiva operator dir eliminate (dex, tazlab-db)
Still manual (post-Flux)
- Privilege enforcement (ALTER ROLE) per DB password sync
- vault-db-config apply con password aggiornata
- VSO VaultDynamicSecret reconcile forzato
Why it matters
Terraform/Terragrunt phase ora one-shot anche dopo cache cleanup. 9 interventi manuali → 2 interventi manuali.
[2026-06-07] milestone | First true one-shot destroy+create (9th cycle)
What happened
Ansible->Terraform migration completed. Cycle 9 achieved first one-shot cluster bootstrap: create.sh exit code 0, zero manual interventions, 83 pods in 8m30s.
Key discoveries
- Post-Flux is redundant: vault-db-config applied before platform (persistent Vault layer), passwords sourced from secrets-fetcher (same root for engine and vault-db), VSO auto-reconciles VaultDynamicSecret. No ALTER ROLE, no VDS annotation, no smoke test needed.
- VSO reconciliation: VSO reconciles grafana-dynamic-creds within minutes without any annotation trigger. With vault-db-config applied before VSO starts, the refresh is fast enough.
- kubectl wait pod master: kubectl wait for=condition=Ready pod -l role=master fails IMMEDIATELY if no pod matches the label. Must poll for pod existence first.
- Terragrunt cache cleanup: extra_arguments init_reconfigure + disable_dependency_optimization = true required to survive cache cleanup.
Result
Total time: 8m30s. All 21 Flux kustomizations, Blog, Wiki, Grafana, Prometheus, DB, Mnemosyne, pgAdmin fully operational.