From 384b94e34b93f4f5f23ac49aff3e83ec7227d672 Mon Sep 17 00:00:00 2001 From: sjat Date: Tue, 9 Jun 2026 17:45:24 +0200 Subject: [PATCH] feat(access): add /check-access verifier command (ADR-021, dormant) Co-Authored-By: Claude Sonnet 4.6 --- .claude/commands/check-access.md | 49 ++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 .claude/commands/check-access.md diff --git a/.claude/commands/check-access.md b/.claude/commands/check-access.md new file mode 100644 index 0000000..92f93f6 --- /dev/null +++ b/.claude/commands/check-access.md @@ -0,0 +1,49 @@ +Operational-access verification (ADR-021) + +Probe every documented way in to a service or host from `ubongo` and report which paths +are live. Reads the target's `access__*` data (and host baseline), so the verifier and +`ACCESS.md` can never disagree. Argument: a service/role name or a host +(e.g. `/check-access photoprism`, `/check-access docker01`). + +## Prerequisites (this is forward-looking — ADR-021 dependencies) + +This skill cannot run until these exist; if any is missing, say so and stop — do not +improvise around it: + +- `ubongo` reachable on the mesh **and** the LAN (it runs the probes). +- The target host/service is deployed (staging or production inventory). +- `roles//` carries `access__*` data (services) / the host baseline applies. +- Vault unlocked (`rbw unlocked`) for any token-authenticated API probe. + +## Process + +### Phase 0 — resolve the target + +Resolve the argument to a host or a service role + its host. Load the `access__*` data +(service) or the host-baseline + break-glass record (host). State what you will probe. + +### Phase 1 — probe each declared path + +| Path | Probe | Green = | +|---|---|---| +| `wt0` mesh SSH | connect over the mesh, run `true` | reachable + key works | +| LAN SSH from `ubongo` | connect via the LAN address, run `true` | reachable + key works | +| exec + compose | `docker compose -p ps`; exec `true` in each `access__containers` entry | stack up, exec works | +| logs | query Loki for `access__log.loki_labels`, expect recent lines | logs flowing | +| admin API | `curl` `access__api.health_path` with the token from `access__api.auth.vault_ref` | 2xx | +| break-glass | reachability of the Proxmox/provider console endpoint **only** | console host reachable | + +Break-glass is **never exercised** — firing a serial console is invasive; confirm the +fallback exists, do not drive it. + +### Phase 2 — report + +Emit a pass/fail table. For any red path, name it and the likely cause (e.g. "API token +in vault stale", "Alloy not shipping", "`base__firewall_control_addr` unset → no +`ssh-from-control` rule"). Verdict line: e.g. "3/4 paths green; admin API red". + +## Notes + +- Read-only and non-destructive — probes confirm reachability, they do not change state. +- This is the access analogue of `/verify-service` (ADR-017): designed now, runs when the + control node + hosts exist.