MSG-41
llmmsg-srv VENUSINF-5: public cdw URL (cdw-t.pensanta.com) - native venus cdw deploy + Caddy edge w/ human-auth, replacing Tailscale-only :9704
- Ref: MSG-41 (#1069)
- Project: llmmsg-srv
- Status: done
- Priority: high
- Type: task
- Assigned: pm-llmmsgsrv-cc
- Created by: wi-cli-whey
- Created: 2026-06-14T14:30:34.382Z
- Updated: 2026-06-14T20:47:26.523Z
- Closed: 2026-06-14T20:47:26.523Z
Questions
No questions.
Event log
- Elazar directives: hostname=cdw.pensanta.com (bare, NOT cdw-t). GTK retired, cdw sole client. Architecture (nw-venus driving edge, coder-chatduo native venus deploy): deploy chat-duo-web natively on venus (co-locate w/ venus hub it polls; fast-proxy-to-whey ruled out, whey:9704 localhost-only + re-couples to whey) -> nw-venus wires venus Caddy cdw.pensanta.com -> local port + human-auth + systemd unit + TLS. SECURITY GATE (pm flagged, Elazar deciding via bin-whey): current :9704 is Tailscale-only = implicit access control; bare public hostname removes that -> MUST sit behind auth (basic-auth at edge) or whole chat history leaks to internet. DO NOT expose publicly until Elazar confirms (b) auth layer. Prep staged, public flip held.
- Elazar rollout constraints (via bin-whey): (1) ADDITIVE/gradual - cdw.pensanta.com is added alongside; existing Tailscale URL 100.85.255.54:9704 (whey cdw) STAYS LIVE in parallel during cutover, do NOT flip/retire until new hostname verified live (parallel-run pattern, mirrors hub migration). (2) AUTH GATE = REQUIRED until Elazar explicitly says no (re-asked, unanswered) - hold public flip on it. Whey cdw = rollback throughout.
- Design constraint (coder-chatduo): cdw AGENT was hardcoded to single elazar identity; two cdw polling venus hub as elazar steal each other's /unread cursor -> no two-prod-elazar simultaneously. FIX shipped v0.7.9 (121831d): LLMMSG_AGENT env-overridable. ROLLOUT MODEL (confirmed): parallel at SERVICE level only; whey cdw=live prod elazar untouched, venus cdw staged under identity cdw-venus-stage (role=spectator) verifying plumbing (TLS/routing/auth/UI/loopback-hub) NOT feed. ATOMIC CUTOVER (after Elazar auth-OK + go): venus cdw flips LLMMSG_AGENT->elazar +restart, whey cdw stopped SAME turn = exactly-one-elazar. FEED-correctness verified AT cutover (Elazar confirms real feed at cdw.pensanta.com). ROLLBACK=restart whey cdw (kept installed+ready). venus cdw env: loopback 127.0.0.1:9703, NO HUB_URL/bearer (loopback bypasses edge), port 127.0.0.1:9704. nw-venus: staged Caddy vhost (not imported, no ACME), systemd unit, DNS A determined-not-published; one-step flip=add basic_auth+publish DNS+import vhost+reload.
- Status: Elazar auth gate=YES (basic_auth at edge w/ his own creds, no rotation; creds DM-only, NOT recorded here). nw-venus STAGED-AND-HOLDING: Caddy vhost written to staged file (not imported, no ACME), systemd unit drafted (cdw-venus-stage, loopback:9704), basic_auth re-hashed to Elazar's specified creds (replacing nw-venus's auto-generated one). BLOCKERS: (1) venus can't fetch GitHub - coder-chatduo transferring v0.7.9 (LLMMSG_AGENT override) via /rtshared; (2) DNS: cdw.pensanta.com on Hostinger (ns dns-parking.com), A->100.85.255.54 whey-TS currently; public flip needs A->91.99.136.171 venus-public via Hostinger panel - nw-venus has no Hostinger creds, surfaced to Elazar via bin-whey (he changes it OR shares access). Additive-safe: fallback URL is raw IP http://100.85.255.54:9704, unaffected by hostname A-record. Gates A(local)->B(edge-live under stage id)->C(atomic cutover to elazar id, whey stopped same turn).
- GATE A GREEN (staged-and-holding): venus chat-duo-web.service v0.7.9 (md5 match whey) running, NOT enabled=staging; loopback 127.0.0.1:9704 -> 200 + /api/version 0.7.9, hub=loopback 127.0.0.1:9703, agent=cdw-venus-stage, spectator absent from roster (no pollution); Caddy vhost+basic_auth(Elazar cred) staged non-imported; DNS not repointed. SEQUENCING RULING: B-before-C (do not collapse) - Gate B publishes+verifies TLS/routing/basic_auth under cdw-venus-stage identity (Elazar feed stays on whey raw-IP throughout); Gate C = atomic LLMMSG_AGENT->elazar +restart + whey-stop same turn, only after B verified + Elazar go; rollback=restart whey. Now blocked SOLELY on Elazar Hostinger DNS access (A->91.99.136.171) to fire Gate B.
- Gate A hub-leg CORRECTION: coder-chatduo's 'loopback bypasses bearer' was WRONG (owned) - venus hub enforces bearer on loopback too. cdw served HTTP (curl 200) but its hub register/poll was unauthorized (clients=0). FIX (no cdw code change, no hub change): cdw already injects bearer when LLMMSG_HUB_BEARER set -> nw-venus adds LLMMSG_HUB_BEARER to venus cdw unit + HUB_URL=127.0.0.1:9703, restart -> re-verify Gate A hub leg (register/poll authed, clients>0). Hub-auth decision=bearer-everywhere (see MSG-42). B-before-C unchanged; still blocked on Elazar Hostinger DNS for Gate B.
- Phase 1 staging dispatched to nw-venus (relay from Elazar via bin-whey 17:21): cdw-t.pensanta.com placeholder vhost -> real chat-duo-web backend (reverse_proxy 127.0.0.1:9704, stage identity, Gate A green) + basic_auth w/ Elazar's exact creds (bcrypt, no self-gen, no log/commit). DNS A-record cdw.pensanta.com -> 91.99.136.171 (venus) is sole remaining external gate; ACME blocked until Elazar flips Hostinger (whey-confirmed: SNI cdw.pensanta.com -> 91.99.136.171:443 TLS handshake fails, A-record still -> whey 100.85.255.54). Staging is DNS-independent; serves instantly on flip. Interim Elazar URL: http://cdw.pensanta.com:9704 over tailscale (whey, live). Parallel-run: tailscale :9704 stays live + untouched.
- Phase-1 staging DONE (nw-venus, falsifiable). cdw-t.pensanta.com FULLY LIVE: public-trusted ACME cert (curl no -k), basic_auth enforcing (401 no-creds / 200 Elazar-creds, bcrypt.checkpw=True against Elazar's own pw), backend GET /api/version authed -> chat-duo-web 0.7.9 clients=0 on 127.0.0.1:9704 (stage identity cdw-venus-stage, bearer green), hub-t still 401 post graceful-reload (config validated, live Caddyfile backed up /tmp), tailscale :9704 untouched. bare cdw.pensanta.com PREPPED-NOT-ARMED: full vhost block authored+COMMENTED in /etc/caddy/Caddyfile; enable needs (1) Hostinger A-record cdw.pensanta.com -> 91.99.136.171 TTL300 [GATED on Hostinger DNS API key, with Elazar, bin-whey pulling], (2) uncomment + caddy reload -> ACME ~10-30s -> public. Gate C (identity cdw-venus-stage->elazar + stop whey cdw) separate, on Elazar explicit go. Relayed live-now status to Elazar via bin-whey.
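The edge shape these entries describe (the security gate from the first directive, and the staged vhost above: reverse_proxy to the loopback-only backend on 127.0.0.1:9704 behind basic_auth with a bcrypt hash, both hostnames on one site block), written out as an added example; this is not the project's actual /etc/caddy/Caddyfile, the username, hash and log path are placeholders/assumptions:

```caddyfile
# Added example, not the project's Caddyfile: Caddy edge vhost for chat-duo-web on venus.
#
# WEAK (do not deploy): a bare public hostname with only reverse_proxy.
# Once the A record leaves the Tailscale address, the implicit access control
# is gone and the entire chat history is readable by anyone on the internet.
#
#   cdw.pensanta.com {
#       reverse_proxy 127.0.0.1:9704
#   }

# HARDENED: basic_auth enforced at the edge in front of the loopback-only backend.
# Both names share one site block; Caddy obtains ACME certificates automatically,
# which only succeeds once DNS for each name resolves to this host.
cdw-t.pensanta.com, cdw.pensanta.com {
	basic_auth {
		# Username is assumed; hash is produced with `caddy hash-password`.
		# The value below is a placeholder: the real credential is never
		# committed to the repo or written to a log.
		elazar BCRYPT_HASH_PLACEHOLDER
	}

	# Backend bound to loopback only, reachable solely through this edge.
	reverse_proxy 127.0.0.1:9704

	# Access log (assumed path) so 401s against the edge are auditable.
	log {
		output file /var/log/caddy/cdw-access.log
	}
}
```

Validate with `caddy validate --config /etc/caddy/Caddyfile` and apply with `caddy reload`; a request without credentials must return 401 before the hostname is published.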
- bare cdw.pensanta.com ENABLED + LIVE (Elazar flipped Hostinger DNS -> 91.99.136.171, bin-whey relayed GO; nw-venus uncommented prepped vhost + graceful reload). Falsifiable: LE cert issued Jun14->Sep12 2026 (curl no -k), auth 401 no-creds / 200 Elazar-creds (same bcrypt = his own pw), backend authed /api/version -> 0.7.9 + / 200 text/html, hub-t unaffected (401), rollback backup /tmp, tailscale :9704 untouched. BOTH cdw.pensanta.com + cdw-t.pensanta.com serve chat-duo-web behind Elazar login. Gate B DONE. ONLY Gate C remains (atomic identity flip cdw-venus-stage->elazar + coder-chatduo stops whey cdw, single-cursor-per-identity -> must be same-turn), PARKED on Elazar explicit go - NOT pre-fired. VENUSINF-5 functionally delivered; Gate C is optional polish.
- Gate C FIRED + GREEN (server-side). Sequence: coder-chatduo stopped whey cdw (down 17:43:41, clean SIGTERM, left enabled for 1-cmd rollback) -> nw-venus restarted venus cdw with LLMMSG_AGENT=elazar-the-user-human-llmmsg-srv. Falsifiable: (a) startup log agent=elazar + hub 127.0.0.1:9703 bearer + authed register, elazar present in /roster (spectator-hidden worry didn't bite); (b) DECISIVE curl /send as elazar -> {ok:true,recipients:[nw-venus-cc]} NO not_registered - confirms spectator role does NOT block send (coder-chatduo pre-ruled-out via hub.mjs:1171 roster-existence-only gate; not_registered earlier was the stage IDENTITY); (c) single-cursor clean, only venus holds elazar. Both https://cdw.pensanta.com + cdw-t.pensanta.com serve chat-duo-web behind Elazar login as real elazar identity. Tailscale :9704 (whey) collapsed - inherent to Gate C single-elazar, Elazar-authorized, venus now sole cdw = intended end state. PENDING final acceptance: Elazar live send from tablet browser (bin-whey relaying). coder-chatduo holding whey-cdw disable until live-send confirm.
- VENUSINF-5 COMPLETE - acceptance pass. Elazar's live send from tablet at https://cdw.pensanta.com landed in bin-whey inbox: posted to aro:kpi-n-optimization, sender=elazar-the-user-human-llmmsg-srv (real identity), NO not_registered. Browser send clean, Gate C green end-to-end. FINAL STATE: bare https://cdw.pensanta.com + https://cdw-t.pensanta.com both serve chat-duo-web 0.7.9 behind Elazar's basic_auth (his own bcrypt creds, no rotation), public LE certs, venus-native (127.0.0.1:9704 reverse-proxied via Caddy edge, bearer-injected to loopback venus hub), browser identity = real elazar-the-user-human-llmmsg-srv (spectator role, sends fine). whey cdw stopped (tailscale :9704 collapsed = intended Gate C single-elazar end state, Elazar-authorized). venus = sole cdw. Three-gate cutover (A stage / B publish+verify / C atomic identity-flip) executed clean, zero feed contamination, rollback path preserved throughout (whey unit left enabled until finalize-disable). Owners: nw-venus (Caddy/edge/identity), coder-chatduo (cdw server + whey stop).
- Finalize confirmed (coder-chatduo): whey chat-duo-web.service disabled + inactive (wants-symlink removed, no boot auto-start). venus sole cdw at https://cdw.pensanta.com under real elazar identity. All actuators parked. MSG-41 fully closed all sides.