sjat/boma

History

sjat fac438cc92 fix(tags): recognize name: role key; only check roles: in plays Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>		2026-06-06 15:20:09 +02:00
..
capacity-scan.py	Complete capacity-scan.py: usage stub, subprocess glue, main()	2026-06-01 10:30:45 +02:00
check-tags.py	fix(tags): recognize name: role key; only check roles: in plays	2026-06-06 15:20:09 +02:00
check-vault-encrypted.sh	Add core Ansible scaffold, tooling, and pre-commit guards	2026-05-30 14:10:01 +02:00
README.md	Record ADR-012 + STATUS/CLAUDE/scripts docs for capacity tooling	2026-06-01 10:34:38 +02:00
repo-scan.py	repo-scan: cut broken-path-ref + marker false positives	2026-06-05 20:37:40 +02:00
tf_to_inventory.py	Name and propagate the offsite_hosts inventory group (askari)	2026-06-05 18:54:54 +02:00
vault-pass-client.sh	Source vault password from Vaultwarden via rbw; nest vault structure	2026-05-30 18:16:35 +02:00

scripts/

Small helper scripts. Python standard library only — no third-party dependencies (keeps them runnable anywhere without a venv).

tf_to_inventory.py — reads terraform output -json on stdin and writes an Ansible hosts.yml. Invoked by make tf-inventory. Data contract: ADR-009.
vault-pass-client.sh — fetches the master vault password from Vaultwarden via rbw. Wired as vault_password_file (ADR-002).
check-vault-encrypted.sh — pre-commit guard: fails if a vault.yml holds plaintext secrets.
repo-scan.py — Phase-0 deterministic scan for /review-repo (markers, broken refs, unencrypted vaults, inventory).
capacity-scan.py — deterministic capacity facts for /capacity-review: parses the machine-readable tables in docs/hardware/reference.md, computes per-node allocated-vs-physical rollups, and cross-checks workload hostnames against Terraform output / Ansible inventory for drift. Emits JSON. See ADR-012.