AI-Cognitive-Leap/agnes-the-ai-analyst
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
agnes-the-ai-analyst/docs/superpowers/plans
History
Vojtech 0bbbf3e40b
feat(tls): corporate-CA HTTPS with URL-driven rotation, on-VM CSR gen, self-signed fallback (#51) 
Replaces the implicit Let's Encrypt flow with a general corporate-CA HTTPS path:

- Caddy switches to cert-file mode (`tls /certs/fullchain.pem /certs/privkey.pem`) with HSTS + TLS 1.2/1.3 floor
- New `docker-compose.tls.yml` overlay closes host `:8000` when Caddy fronts (no TLS bypass)
- New `scripts/tls-fetch.sh` — generic URL fetcher for `sm://`, `gs://`, `https://`, `file://` with redirect refusal + PEM validation
- New `scripts/grpn/agnes-tls-rotate.sh` — daily rotation, self-signed fallback against same key (zero key churn), on-VM RSA-2048 + CSR auto-gen, atomic swap, SIGUSR1 reload
- `scripts/grpn/agnes-auto-upgrade.sh` becomes cert-aware (auto-enables tls overlay when certs present)
- Compose profile `production` renamed to `tls` (aligns with DEPLOYMENT.md and infra startup)

Pairs with FoundryAI/agnes-the-ai-analyst-infra#27 (merged) which wires per-VM `local.vm_tls`, writes `TLS_*` env vars into `.env`, auto-creates Secret Manager containers for `sm://` privkey URLs, and installs `agnes-tls-rotate.{service,timer}` for daily polling.

Includes hardening + docs follow-ups from code review:
- `TLS_CSR_SUBJECT` env-var parametrisation applied to both CSR and self-signed cert paths
- curl `--max-redirs 0 --proto '=https'` + post-fetch PEM validation in `tls-fetch.sh`
- `ulimit -c 0` + array-form `COMPOSE_FILES` (POSIX-safe, bash 3.2 compatible)
- TLS section added to `config/.env.template`
- Historical-note headers in `docs/superpowers/{plans,specs}/2026-04-09-*.md` flagging the profile rename
2026-04-25 19:51:25 +00:00
..
2026-03-27-01-duckdb-state-layer.md chore: clean stale docs — rewrite architecture.md, remove old plans 2026-04-09 09:06:13 +02:00
2026-03-27-02-complete-system.md fix: remove dead PRAGMA enable_wal code 2026-04-09 06:59:57 +02:00
2026-04-08-final-integration-fixes.md chore: clean repo for public release — fix references, remove drafts 2026-04-08 19:27:25 +02:00
2026-04-08-production-hardening.md fix: remove dead PRAGMA enable_wal code 2026-04-09 06:59:57 +02:00
2026-04-08-security-hardening.md chore: clean repo for public release — fix references, remove drafts 2026-04-08 19:27:25 +02:00
2026-04-09-dead-code-cleanup.md User management + PAT + CLI distribution + HTML auth redirect (#9 #10 #11 #12) (#28) 2026-04-22 14:24:28 +02:00
2026-04-09-deployment-readiness.md feat(tls): corporate-CA HTTPS with URL-driven rotation, on-VM CSR gen, self-signed fallback (#51) 2026-04-25 19:51:25 +00:00
2026-04-09-final-polish.md User management + PAT + CLI distribution + HTML auth redirect (#9 #10 #11 #12) (#28) 2026-04-22 14:24:28 +02:00
2026-04-09-security-fixes.md User management + PAT + CLI distribution + HTML auth redirect (#9 #10 #11 #12) (#28) 2026-04-22 14:24:28 +02:00
2026-04-10-analyst-bootstrap.md docs: add implementation plans for porting internal features 2026-04-10 19:08:55 +02:00
2026-04-10-business-metrics.md docs: add implementation plans for porting internal features 2026-04-10 19:08:55 +02:00
2026-04-10-metadata-writer.md docs: add implementation plans for porting internal features 2026-04-10 19:08:55 +02:00
2026-04-11-remote-query.md docs: add remote query implementation plan (5 tasks) 2026-04-11 11:02:04 +02:00
2026-04-12-comprehensive-test-suite.md docs: add comprehensive test suite implementation plan (8 tasks, 6 parallel blocks) 2026-04-12 10:44:08 +02:00
2026-04-21-deployment-log.md docs: workflow-driven VM recreate for startup-script propagation 2026-04-21 20:24:31 +02:00
2026-04-21-hackathon-dry-run.md User management + PAT + CLI distribution + HTML auth redirect (#9 #10 #11 #12) (#28) 2026-04-22 14:24:28 +02:00
2026-04-21-issues-14-and-10.md User management + PAT + CLI distribution + HTML auth redirect (#9 #10 #11 #12) (#28) 2026-04-22 14:24:28 +02:00
2026-04-21-multi-customer-deployment.md docs: multi-customer deployment spec + implementation plan 2026-04-21 15:25:17 +02:00
2026-04-21-user-mgmt-pat-cli.md User management + PAT + CLI distribution + HTML auth redirect (#9 #10 #11 #12) (#28) 2026-04-22 14:24:28 +02:00
2026-04-22-cloudflare-access-auth.md User management + PAT + CLI distribution + HTML auth redirect (#9 #10 #11 #12) (#28) 2026-04-22 14:24:28 +02:00
2026-04-22-grpn-deploy-learnings.md User management + PAT + CLI distribution + HTML auth redirect (#9 #10 #11 #12) (#28) 2026-04-22 14:24:28 +02:00