sjat/boma
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
boma/.claude/commands/check-access.md
sjat 384b94e34b feat(access): add /check-access verifier command (ADR-021, dormant) 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-09 17:45:24 +02:00

2.3 KiB
Raw Permalink Blame History

Operational-access verification (ADR-021)

Probe every documented way in to a service or host from ubongo and report which paths are live. Reads the target's access__* data (and host baseline), so the verifier and ACCESS.md can never disagree. Argument: a service/role name or a host (e.g. /check-access photoprism, /check-access docker01).

Prerequisites (this is forward-looking — ADR-021 dependencies)

This skill cannot run until these exist; if any is missing, say so and stop — do not improvise around it:

  • ubongo reachable on the mesh and the LAN (it runs the probes).
  • The target host/service is deployed (staging or production inventory).
  • roles/<name>/ carries access__* data (services) / the host baseline applies.
  • Vault unlocked (rbw unlocked) for any token-authenticated API probe.

Process

Phase 0 — resolve the target

Resolve the argument to a host or a service role + its host. Load the access__* data (service) or the host-baseline + break-glass record (host). State what you will probe.

Phase 1 — probe each declared path

Path Probe Green =
wt0 mesh SSH connect over the mesh, run true reachable + key works
LAN SSH from ubongo connect via the LAN address, run true reachable + key works
exec + compose docker compose -p <project> ps; exec true in each access__containers entry stack up, exec works
logs query Loki for access__log.loki_labels, expect recent lines logs flowing
admin API curl access__api.health_path with the token from access__api.auth.vault_ref 2xx
break-glass reachability of the Proxmox/provider console endpoint only console host reachable

Break-glass is never exercised — firing a serial console is invasive; confirm the fallback exists, do not drive it.

Phase 2 — report

Emit a pass/fail table. For any red path, name it and the likely cause (e.g. "API token in vault stale", "Alloy not shipping", "base__firewall_control_addr unset → no ssh-from-control rule"). Verdict line: e.g. "3/4 paths green; admin API red".

Notes

  • Read-only and non-destructive — probes confirm reachability, they do not change state.
  • This is the access analogue of /verify-service (ADR-017): designed now, runs when the control node + hosts exist.